
DISP Levels and Requirements Explained
If you are a Defence supplier trying to make sense of DISP levels and requirements, you are not alone. The Defence Industry Security Program is now the main way Defence checks that Australian entities can handle sensitive information and work on Defence projects securely. It is a multi‑level membership scheme, and choosing the right DISP membership level affects the tenders you can bid for, the clearances you can sponsor and how much uplift work you need to do.
What the Defence Industry Security Program is trying to achieve
DISP supports Australian organisations to understand and meet their security obligations when they engage in Defence tenders, contracts and projects. It sits under the Defence Security Principles Framework and covers four domains: security governance, personnel security, physical security and information and cyber security.
Membership is open to any Australian entity that meets the basic eligibility criteria such as holding an ABN, being financially solvent and passing foreign ownership and influence checks. In return, Defence provides access to security guidance, training, and in higher levels the ability to sponsor clearances and work with classified material. DISP does not guarantee contracts, but it is rapidly becoming a prerequisite for serious Defence work.
From a security perspective, DISP requirements in the information and cyber domain now align to the full ASD Essential Eight at Maturity Level 2, or equivalent standards such as ISO 27001 or NIST SP 800‑171. That means DISP is not just paperwork. It expects a concrete uplift in how you manage cyber risk across your organisation.

DISP membership levels in Australia
There are four DISP membership levels, each tied to the Government security classification of information you are allowed to handle.
- Entry Level is for entities dealing with Official and Official: Sensitive information
- Level 1 corresponds to Protected information
- Level 2 corresponds to Secret information
- Level 3 corresponds to Top Secret information
You can hold different DISP levels across the four domains. For example, you might hold Entry Level for physical security but Level 1 for governance and personnel, depending on the nature of your work. In practice, many small suppliers aim for Entry Level or Level 1 initially and step up later if their contracts demand it.
Understanding which DISP levels and requirements align with your pipeline is the first decision you need to make. There is no point aiming for Level 3 cyber security if your work will only ever involve unclassified or Protected information.
Entry Level DISP: requirements and who it suits
Entry Level is designed for organisations that are new to Defence work or only handle Official and Official: Sensitive information. It still expects a structured approach to security governance, basic personnel vetting, physical protections for offices and devices, and a cyber security baseline aligned with the Essential Eight at Maturity Level 2.
You do not get the ability to sponsor security clearances at Entry Level, and your access to classified systems and facilities will be limited. For many SMEs, this is enough to participate in lower risk projects, provide software or services that integrate with Defence, or work under a prime contractor.
If you are unsure how far away you are from Entry Level requirements, a short readiness review against the four DISP domains and Essential Eight Maturity Level 2 can quickly highlight any gaps. Siege Cyber offers this as a standalone assessment, with clear, prioritised recommendations rather than a generic checklist.
DISP Levels 1 to 3: increasing requirements and expectations
As you move up the DISP membership levels, the expectations around governance, clearances and technical controls increase.
Level 1, aligned with Protected information, requires stronger personnel security (such as baseline clearances for certain roles), more formalised governance and risk processes, and tighter physical security for facilities that handle Defence information. Your cyber security posture must still meet Essential Eight Maturity Level 2, but auditors will look more closely at how consistently those controls are operating and how they are integrated into change management and incident response.
Level 2, for Secret information, adds deeper personnel vetting (typically NV1 clearances), enhanced physical protections and closer scrutiny of how you segregate networks and environments. Governance expectations also increase, with clearer board‑level oversight and internal audit activity.
Level 3, for Top Secret information and high‑risk projects, is typically held by prime contractors and large research organisations. It adds higher level clearances (NV2), very strong physical and technical controls, and a mature security management system that can withstand detailed Defence review.
Across Levels 1 to 3, the information and cyber security domain increasingly assumes an ISO 27001‑style management system, where risks, assets, suppliers and incidents are tracked systematically, and internal audits are performed regularly. Many DISP‑ready organisations use ISO 27001 as the backbone and then map it to Essential Eight and DISP specific requirements.

How ISO 27001 and Essential Eight fit into DISP requirements
Defence explicitly recognises ISO 27001, ASD Essential Eight and certain overseas standards as ways to demonstrate that your ICT networks meet DISP cyber requirements. In practice, most organisations pursuing DISP levels and requirements beyond Entry Level find that implementing ISO 27001 once, then aligning it with Essential Eight, is more efficient than trying to manage dozens of controls in isolation.
ISO 27001 gives you a structured information security management system, which also supports obligations under the Privacy Act and, for some sectors, APRA CPS 234. Essential Eight Maturity Level 2 then drives the baseline technical control set for endpoints, servers and cloud workloads.
Siege Cyber helps organisations design and implement ISO 27001 environments that can be mapped cleanly to DISP and Essential Eight expectations. Our ISO 27001 service page outlines typical engagement models and how we integrate policy work, technical uplift and internal audit cycles so you are not duplicating effort.
If you are not sure whether ISO 27001 is worth pursuing alongside DISP, a short strategy workshop can help clarify the benefits and trade‑offs based on your sector and growth plans. Siege Cyber provides fixed‑price workshops and roadmaps to help boards and executives make that call with confidence.
Choosing a realistic DISP pathway
DISP requirements in Australia have matured quickly, particularly in the cyber domain where the minimum expectation is now the full Essential Eight at Maturity Level 2 rather than the older “Top 4”. For many suppliers, the challenge is not understanding the rules, but sequencing the work so that DISP uplift does not disrupt day‑to‑day delivery.
A practical DISP pathway usually involves:
- Clarifying the contracts and information classifications you are targeting.
- Selecting the appropriate DISP membership level per domain rather than defaulting to the highest.
- Performing a structured gap assessment against governance, personnel, physical and cyber requirements.
- Building a staged uplift plan that integrates with other compliance work such as ISO 27001 or SOC 2.
Siege Cyber can support this end‑to‑end or focus on specific pieces such as Essential Eight uplift, ISO 27001 implementation or preparing evidence for your DISP application.
If you are planning a DISP project and want clarity on effort and cost up front, our compliance pricing page on siegecyber.com.au provides ballpark figures for typical ISO 27001 and security uplift engagements. We can then refine those figures once we understand your environment and target DISP level.

Ready to talk about DISP levels for your organisation?
DISP membership is fast becoming a baseline expectation for serious Defence suppliers in Australia. Understanding DISP levels and requirements is the first step. The next is deciding what level you actually need and how to get there without over‑engineering your security.
If you would like an experienced partner to help you unpack DISP, align it with ISO 27001 and Essential Eight, and build a realistic uplift roadmap, Siege Cyber can help. Visit siegecyber.com.au, review our DISP services and compliance pricing, and get in touch to arrange a no‑obligation discussion. A short conversation is usually enough to clarify which DISP membership levels make sense for your organisation and what it would take to meet them.