The Defence Industry Security Program (DISP) sets out security requirements for Australian businesses working with Defence. We specialise in technical security control implementation: the ICT infrastructure, Essential Eight uplift, and system hardening that DISP membership requires. We deliver this in partnership with De Stefano & Co, a defence-focused management and security consultancy, who lead the advisory, security management framework, and submission components of the engagement.
South Australia has a significant and growing defence industry. From BAE and ASC to the many small and medium businesses in the supply chain, DISP membership is increasingly a commercial requirement as well as a regulatory one. We work with De Stefano & Co - an award-winning consultancy with deep DISP expertise - to deliver both the technical and advisory dimensions of DISP compliance.
DISP is a tiered program. The technical controls, including ICT infrastructure, system hardening, and Essential Eight alignment, are our scope. The advisory, security management framework, and compliance are handled by our partner, De Stefano & Co. Together we cover the entire program.
The governance, personnel security, physical security, and the submission side of DISP engagements are handled by our partner De Stefano & Co, national leaders in DISP membership attainment and compliance services. We focus on what we're best at; they focus on what they're best at.
DISP sits naturally alongside Essential Eight compliance, and many of the technical controls overlap. Our vCISO service can maintain the ICT security program under a single ongoing engagement.
De Stefano & Co lead the advisory, compliance and submission elements of the engagement. We lead the technical control implementation. In practice, we work in parallel - one team doesn't wait for the other.
In collaboration with De Stefano & Co, and as part of a broader gap analysis, we assess your ICT environment against the technical controls required for your target DISP level - Essential Eight maturity, network architecture, endpoint configuration. You then receive a report and implementation plan before any work begins.
We implement the required ICT security controls - Essential Eight hardening, network segmentation, access management, logging and monitoring, patch management. This is done alongside the De Stefano & Co team, who implement the framework, policy and compliance requirements.
After membership is achieved, the technical controls need to be maintained. We provide ongoing monitoring, evidence collection, and ICT security management to keep your environment compliant — so your membership stays current, not just initially attained.
If you are, or want to become, a supplier to the Australian Department of Defence and you handle defence information or assets, DISP membership is likely required. The obligation is triggered by the nature of the work and the classification of information involved, not just the size of the contract. If you're uncertain whether DISP applies to you, we can help you assess that as a first step.
DISP comprises four security categories: Governance, Personnel Security, Physical Security and ICT/Cyber Security. Within these security categories, four levels of membership are available, depending on your business requirements: Entry Level, Level 1, Level 2 and Level 3. The controls required depend on your membership level. At a minimum, DISP requires a security management framework, personnel security procedures, physical security controls, and an ICT security program aligned to the ISM (Information Security Manual). Higher levels of membership require increasingly rigorous controls. We can assess the membership level you wish to target, and design a program around those specific requirements.
As a guide, the preparation and uplift required to apply for DISP membership generally takes approximately 12 weeks, provided our teams receive the required information and input from your business in a timely fashion. Assessment of applications then depends on Defence's processing timeframes. We recommend allowing six to twelve months or even longer, depending on your starting point. We can give you a realistic estimate based on your target membership level and current security posture.
Talk to us about the ICT controls side of DISP. We'll assess where your environment sits, scope the technical uplift required, and coordinate with De Stefano & Co on the broader program.