Free Readiness Assessment
Assess your organisation's readiness for DISP membership, ISM compliance and IRAP assessment. Answer 25 questions across governance, personnel, cyber controls and evidence management — get an instant score and a branded PDF roadmap.
25 questions across 6 domains covering DISP, ISM and IRAP readiness, plus a context block.
Questions calibrated to the controls and evidence an IRAP assessor or DISP auditor will look for.
Score breakdown, priority gaps and a recommended action plan — ready for the executive or Defence contract team.
A few details to tailor your defence security roadmap. Required fields are marked *.
DISP categories, Security Officer, and PSPF alignment.
DISP expectations vary significantly by category and level — being explicit avoids scope surprises later.
Defence expects clear, named accountability for protective security matters.
PSPF alignment underpins DISP membership and is a signal of organisational security maturity to Defence.
Clearances, onboarding/offboarding, training and facilities.
Personnel security must match the sensitivity of the information staff access — DISP auditors check this.
Personnel changes are a key risk area for Defence engagements — leavers with residual access are a common finding.
Training must be relevant to Defence obligations — generic cyber awareness alone is insufficient.
Physical security controls must match the sensitivity of work performed at each location.
Classification, ISM baseline, hardening, logging and incidents.
Classification drives ISM control selection and IRAP assessment scope — confirming it early avoids costly rework.
ISM compliance is risk-based — but deviations must be explicit and approved, not just assumed.
Defence expects consistent, measurable cyber hygiene — inconsistent application is a common IRAP finding.
Centralised logging supports both detection during operations and evidence during IRAP assessment.
Proactive vulnerability management is expected by IRAP assessors and demonstrates ongoing risk reduction.
Defence has specific notification obligations — generic IR plans often miss these.
System description, SSP, SRMP and ATO pathway.
IRAP assessors rely heavily on accurate, up-to-date system documentation — gaps here slow assessments significantly.
The SSP is the core artefact for both ISM compliance and IRAP assessment — it must be current.
Risk decisions must be explicit and documented — verbal risk acceptance is not sufficient for Defence.
Resilience requirements increase with classification — untested backups are a common finding.
Clear ATO pathways reduce IRAP friction and avoid late-stage delays.
Scope, previous findings, evidence workspace and POA&M.
Clear scoping prevents assessment delays, rework and cost overruns.
Outstanding findings from prior IRAPs must be addressed — assessors will review the previous report.
Well-organised evidence significantly accelerates IRAP assessments and reduces assessor time.
Defence expects transparent, accountable remediation tracking — informal lists are not sufficient.
Sovereign hosting, security clauses and supplier assurance.
Data sovereignty is a critical Defence consideration — offshore hosting of PROTECTED data is generally not acceptable.
Defence security obligations must flow down through the supply chain — gaps in contracts are a liability.
Third-party suppliers can introduce significant Defence risk — understanding shared responsibility is essential.