DISP Membership 101: What Is DISP and Who Needs It

For many Australian businesses entering the Defence supply chain, DISP appears in tender documents without much explanation, leaving teams uncertain about what it is and whether it applies to them. The Defence Industry Security Program (DISP) is Defence’s framework for checking that Australian businesses can handle Defence work securely. For many tenders and standing offers, DISP membership is now either required or strongly encouraged, especially for defence contractors handling sensitive information or accessing Defence systems.

What is DISP in simple terms?

DISP stands for Defence Industry Security Program. It is a multi‑level membership scheme run by the Australian Department of Defence that helps organisations understand and meet their security obligations when they work on Defence tenders, contracts and projects.

The programme is underpinned by the Defence Security Principles Framework and sets minimum expectations across four domains:

  • Security governance

  • Personnel security

  • Physical security

  • Information and cyber security

Membership gives you access to security guidance, training, current threat information and, at higher levels, the ability to sponsor security clearances and work with classified material. It also gives Defence and other government customers confidence that you have met a consistent baseline, rather than each contract having to re‑invent security requirements.

There is no membership fee for DISP. Defence is clear that there is no direct cost to join. The real DISP compliance cost comes from implementing and maintaining the security controls needed to meet the requirements, particularly in the cyber domain where Essential Eight Maturity Level 2 is now the expectation across all members.

Who actually needs DISP membership?

DISP membership is open to any Australian entity that wants to be part of the Defence industry supply chain. In many cases it is optional, but there are clear situations where DISP is either mandated or strongly expected:

  • Working on Defence projects that involve sensitive or classified information or assets.

  • Storing or transporting Defence weapons, explosive ordnance or other controlled items.

  • Providing security services for Defence bases and facilities.

  • Delivering ICT, cloud or managed services that process Defence information, especially at Protected level or above.

Defence can also make DISP membership a contractual requirement where it considers the security risk to be high, even if no formal classification is involved. Prime contractors increasingly ask their key sub‑contractors to hold DISP membership as well, so they can demonstrate a secure supply chain to Defence and other partners.

For organisations bidding for Defence work, supporting a prime or planning to enter the sector, the key issue is not whether DISP is relevant, but which DISP level is appropriate for the types of contracts and information they expect to handle.

DISP levels explained

DISP is a multi‑level programme. The membership levels align to the classification of information you can handle and the depth of assurance Defence expects.

  • Entry Level is for entities handling Official and Official: Sensitive information.

  • Level 1 is aligned with Protected information.

  • Level 2 aligns with Secret information.

  • Level 3 aligns with Top Secret information.

You can hold different DISP levels across the four domains. For example, a small software vendor might hold Entry Level for physical security but Level 1 for information and cyber security, depending on the contracts in play.

The higher your DISP membership level, the more rigorous the assessment and ongoing reporting. At all levels, you must meet eligibility criteria such as having an ABN, being financially solvent, appointing a Chief Security Officer and Security Officer, and meeting foreign ownership and control checks. Your ICT networks also need to meet one of several recognised standards such as the ASD Essential Eight at Maturity Level 2 or ISO 27001.

What DISP expects from your cyber security

For many defence contractors, the most challenging part of the DISP requirements is the information and cyber security domain. Until late 2024, the DISP cyber requirement focused on the “Top 4” Essential Eight strategies. That has now been lifted to all eight strategies at Maturity Level 2 for every DISP member, regardless of membership level.

In practice, that means you need:

  • Structured patching of applications and operating systems.

  • Application control and hardening for Microsoft Office, web browsers and other key tools.

  • Multi‑factor authentication for privileged and remote access, aligned with ASD guidance.

  • Strong controls around backups, admin privileges, macro usage and endpoint configuration.

This aligns closely with other Australian expectations under the Privacy Act and, for regulated sectors, APRA CPS 234, so DISP is pushing you in a direction you probably need to go anyway. Many organisations find it efficient to base their approach on ISO 27001 and then map that to the Essential Eight and DISP‑specific questions, instead of managing three separate frameworks.

Siege Cyber helps organisations design ISO 27001‑aligned security management systems that satisfy DISP, Essential Eight and customer expectations, without creating a second job for your technical team. Our DISP service covers readiness assessments, remediation roadmaps and ongoing support through annual DISP reporting.

If you are not sure where you stand against DISP cyber requirements, a short gap analysis against Essential Eight Maturity Level 2 is a good starting point. Siege Cyber offers this as a standalone service so you can understand the work involved before you commit to a full DISP application.

How DISP fits into your broader business strategy

DISP membership is not just about ticking a box for compliance. Done properly, it becomes part of your broader security and growth strategy.

From a sales perspective, DISP helps you:

  • Qualify for tenders that would otherwise be out of reach.

  • Shorten security due diligence cycles with Defence and other government customers.

  • Demonstrate that you take security seriously, which can also reassure non‑Defence clients.

From a risk perspective, DISP forces you to tighten governance, personnel vetting, physical protections and cyber security in a way that supports other obligations such as the Privacy Act and contractual security clauses. It also gives your executives and board a clearer view of security risks and how they are being managed.

Of course, there is effort involved. That is why many organisations choose to structure DISP uplift alongside other work such as ISO 27001 certification or SOC 2 readiness rather than running separate projects. Siege Cyber can help you design a combined roadmap that reuses policies, risk registers and technical controls across multiple frameworks, so you are not paying for the same work twice.

How Siege Cyber can help with DISP membership

DISP membership is essentially security vetting for Australian businesses. You want to get it right the first time and avoid drawn‑out reviews, rework and lost opportunities.

Siege Cyber works with Australian defence contractors and aspiring suppliers to:

  • Explain what DISP is in practical terms for your business model.

  • Identify which DISP level(s) make sense based on your current and target contracts.

  • Assess your current practices against DISP and Essential Eight Maturity Level 2.

  • Build a realistic remediation roadmap that fits around day‑to‑day delivery.

  • Prepare the policies, procedures and evidence Defence expects during application and annual reporting.

Our Defence Industry Security Program (DISP) service page on siegecyber.com.au outlines typical engagement options, and our compliance pricing page provides ballpark figures so you can budget with fewer surprises.

If you are considering DISP membership or have already been told that DISP is required in a tender, now is the right time to get clarity. Visit siegecyber.com.au, review our DISP services and pricing, and contact us to arrange a no‑obligation discussion. A short call is usually enough to work out whether DISP is appropriate for your organisation, what level you should target, and how Siege Cyber can help you get there without derailing your existing commitments.