DISP / ISM / IRAP Free Readiness Checklist

Governance & DISP

DISP categories, key roles, and alignment to PSPF / Defence expectations.

0/0 answered

Have you confirmed which DISP membership categories and levels you are targeting (governance, information/cyber, personnel, physical)?

DISP expectations vary significantly by category and level. Be explicit about what you are committing to.

Show examples

Documented decision on DISP membership categories and target levels.
Rationale aligned to Defence work types and data classifications.
Executive approval of DISP scope and roadmap.

Do you have a nominated Security Officer or similar role that reports Defence-related risks and issues to the executive/board?

Defence expects clear accountability for protective security matters.

Show examples

Formal appointment of a Security Officer (or equivalent).
Role description covering DISP, PSPF, ISM and IRAP responsibilities.
Evidence of escalation and reporting to executive or board.

Have you reviewed your policies and procedures against the Protective Security Policy Framework (PSPF) and recorded any gaps and actions?

PSPF alignment underpins DISP membership and Defence confidence.

Show examples

PSPF gap assessment or mapping document.
Action register addressing identified gaps.
Periodic review of PSPF alignment as requirements change.

People & Physical Security

Vetting, clearances, training, and facility security controls.

0/0 answered

Are staff who handle sensitive or Defence-related information appropriately screened and, where required, security cleared for their roles?

Personnel security must match the sensitivity of information accessed.

Show examples

Baseline screening for all staff and contractors.
Active security clearances where required.
Clearance records and revalidation tracking.

Do you have a clear process to onboard, move and offboard staff and contractors, including access changes and clearance management?

Personnel changes are a key risk area for Defence engagements.

Show examples

Documented joiner/mover/leaver process.
Timely access removal and clearance updates.
Evidence of offboarding checks and attestations.

Do staff receive regular security awareness training that covers Defence, DISP and handling of classified/official information?

Training must be relevant to Defence obligations, not generic.

Show examples

Annual security awareness training with Defence-specific content.
Targeted training for staff handling sensitive information.
Training completion records.

Have your offices and facilities been assessed for physical security (zones, visitor controls, alarms, secure storage) in line with DISP expectations?

Physical security controls must align to the sensitivity of work performed.

Show examples

Physical security assessment aligned to DISP/PSPF.
Defined security zones and visitor controls.
Secure storage for sensitive material.

Cyber & ISM Controls

Hardening, patching, monitoring, vulnerability management and incident response.

0/0 answered

Have you confirmed the expected classification/handling level of Defence or government information your system will store or process?

Classification drives ISM control selection and assessment scope.

Show examples

Confirmed classification (e.g. OFFICIAL, OFFICIAL: Sensitive, PROTECTED).
Handling rules documented and communicated.
Alignment with Defence contract requirements.

Have you selected an ISM control baseline that fits your system’s classification and business context, and documented any justified deviations?

ISM compliance is risk-based but deviations must be justified.

Show examples

Selected ISM baseline documented.
Register of deviations with risk acceptance.
Approval by appropriate authority.

Do you have standards for hardening, patching, malware protection and configuration baselines, and are they applied consistently?

Defence expects consistent, measurable cyber hygiene.

Show examples

System hardening standards aligned to ISM.
Patch and malware protection policies.
Compliance evidence from tooling or audits.

Are security logs centrally collected, monitored and retained in line with ISM and your incident response expectations?

Logging supports detection, investigation and IRAP assessment.

Show examples

Central log collection (e.g. SIEM).
Defined log retention aligned to ISM.
Evidence of monitoring and alert response.

Do you run regular vulnerability scanning and (where appropriate) penetration testing, with a process to prioritise and fix high-risk issues?

Vulnerability management demonstrates proactive risk reduction.

Show examples

Scheduled vulnerability scans.
Penetration test reports where required.
Remediation tracking and closure evidence.

Do you have an incident response process that covers Defence/government notifications, evidence retention and lessons learned?

Incident handling must meet Defence notification expectations.

Show examples

Incident response plan referencing Defence notification pathways.
Evidence retention procedures.
Post-incident reviews and improvements.

Risk Management & System Docs

System description, SSP/SRMP and keeping security documentation current.

0/0 answered

Is there a clear, current description of the system and diagrams showing key components, data flows and dependencies?

IRAP assessors rely heavily on accurate system documentation.

Show examples

System description document.
Architecture and data flow diagrams.
Dependencies and shared responsibility boundaries.

Do you maintain a System Security Plan (SSP) explaining how key controls are implemented and who is responsible?

The SSP is a core artefact for ISM and IRAP.

Show examples

Current SSP aligned to ISM controls.
Clear ownership for each control.
Shared responsibility statements for cloud services.

Do you have a Security Risk Management Plan (SRMP) identifying threats, risks and agreed treatments?

Risk decisions must be explicit and documented.

Show examples

SRMP covering system threats and risks.
Risk treatments and acceptance decisions.
Regular SRMP reviews.

Are backup, business continuity and disaster recovery arrangements tested regularly and appropriate for the system classification?

Resilience expectations increase with classification.

Show examples

Defined RTO/RPO aligned to classification.
Backup and DR test results.
Actioned improvement findings.

Have you identified who will authorise the system to operate (ATO) and how they will be kept informed?

Clear authorisation pathways reduce IRAP friction.

Show examples

Identified Authorising Authority.
ATO briefing materials and cadence.
Ongoing risk and change reporting.

IRAP Planning & Evidence

IRAP scope, assessment approach, evidence packs and POA&M tracking.

0/0 answered

Have you agreed a proposed IRAP scope and assessment type?

Clear scoping prevents assessment delays and rework.

Show examples

Defined systems, environments and locations.
Agreed assessment type (gap, full, reassessment).
Indicative time period.

If you have had a previous IRAP, do you know the status of recommendations and open findings?

Outstanding findings must be understood and tracked.

Show examples

Previous IRAP report.
Status of recommendations.
Evidence of remediation progress.

Is there a central evidence workspace for sharing material with an IRAP assessor?

Well-organised evidence accelerates IRAP assessments.

Show examples

Central SharePoint or Confluence evidence register.
Clear folder structure mapped to ISM controls.
Access controls for assessors.

Do you maintain a POA&M or similar register to track findings to closure?

Defence expects transparent remediation tracking.

Show examples

POA&M with owners and due dates.
Regular status updates.
Closure evidence.

Contracts, Suppliers & Hosting

Security clauses, suppliers, and hosting / sovereignty expectations.

0/0 answered

Is it clear where systems and data are hosted and does this meet Defence sovereign hosting expectations?

Hosting location and sovereignty are critical Defence considerations.

Show examples

Documented hosting locations and regions.
Assessment against Defence sovereign requirements.
Risk acceptance where constraints exist.

Do contracts include appropriate security, confidentiality, incident notification and DISP obligations?

Contracts must flow down Defence security obligations.

Show examples

Security and confidentiality clauses.
Incident notification timeframes.
DISP and Defence-specific obligations.

Have you identified key suppliers and how their ISM/IRAP responsibilities will be managed?

Third parties can introduce significant Defence risk.

Show examples

Supplier inventory and criticality assessment.
Defined shared responsibilities.
Supplier assurance evidence.

DISP / ISM / IRAP readiness checklist (free)

What this covers

How scoring works

Free PDF output

Governance & DISP

People & Physical Security

Cyber & ISM Controls

Risk Management & System Docs

IRAP Planning & Evidence

Contracts, Suppliers & Hosting

Before you download