Entry Level vs Level 1 DISP: Which Membership Level Is Right for Your Defence Business?
Choosing the right DISP membership level is not always obvious, even for businesses that already have a clear picture of their defence work and contracts. Most organisations we speak with are working out whether Entry Level DISP is sufficient, or whether Level 1 is the right starting point.
The answer depends on the type of work you are doing with Defence, what information you need to handle, and whether you need to sponsor security clearances for your people. This post breaks it down clearly so you can make an informed decision.
What Is the Defence Industry Security Programme?
The Defence Industry Security Program (DISP) is the Australian Government’s security membership programme for businesses in the defence supply chain. It is administered by the Defence Industry Security Branch which sits within the Defence Security Division of the Department of Defence and is underpinned by the Defence Security Principles Framework (DSPF), specifically Principle 16.
If your business handles Defence information, works on Defence projects, or wants to be competitive in securing Defence contracts, DISP membership is either mandatory or strongly expected. The programme has grown significantly — with over 1,400 members as of mid-2025 and continued strong demand in 2026.
DISP membership covers four security domains, and your obligations within each domain scale with your membership level:
-
Security Governance
-
Personnel Security
-
Physical Security
-
Information and Cyber Security
The Four DISP Membership Levels in Australia
There are four DISP membership levels, each aligned to an Australian Government security classification:
Your membership level determines what classified information your organisation can handle, what security controls you must implement, and what clearances your personnel need. For most small to medium businesses entering the defence supply chain, the decision sits between Entry Level and Level 1.
What Does Entry Level DISP Actually Require?
Entry Level DISP is the starting point for most organisations new to defence work. It covers OFFICIAL and OFFICIAL: Sensitive information — the kind of sensitive but unclassified material that is common across a wide range of defence subcontracting and service delivery roles.
To achieve Entry Level membership, your organisation needs to demonstrate baseline competency across all four security domains. That includes appointing a Chief Security Officer (CSO) and Security Officer (SO), developing a security plan, implementing access controls, and completing what is known as an Entry Level Assessment (ELA), which is a documentation review and interview process conducted by the Defence Industry Security Branch (DISB).
The cyber security requirement is where most organisations hit friction. Since November 2025, all DISP applicants, including Entry Level, must achieve Essential Eight Maturity Level 2 across their corporate IT environment. This is a substantial uplift from the previous requirement, and what used to take three to four months now typically demands six to twelve months of dedicated implementation work.
A critical limitation of Entry Level DISP is that your organisation cannot sponsor security clearances for your personnel. If a contract requires your team members to hold Baseline or higher clearances, Entry Level membership alone will not get you there.
What Changes at Level 1 DISP?
Level 1 DISP is for organisations that need to handle PROTECTED information. This is the first level at which classified material comes into scope, and the requirements across all four security domains increase accordingly.
The most significant practical change from Entry Level to Level 1 is clearance sponsorship. A Level 1 DISP member can sponsor Baseline security clearances through the Australian Government Security Vetting Agency (AGSVA). This matters enormously if your contracts require staff to hold clearances. Without the ability to sponsor them, your people cannot access classified information and you cannot fulfil the contract.
The cyber security baseline remains the same (Essential Eight ML2), but Level 1 brings additional obligations around physical security. Your facilities may need to meet Protected-level standards and your governance and personnel security policies must be more comprehensive. Your Security Governance domain must always equal the highest of your other domains, so moving to Level 1 in any area raises the bar across the board.
Level 1 also opens greater access to international contracts and, in some cases, allows your organisation’s security practices to be recognised by Australia’s international partners.
Which DISP Level Do You Actually Need?
Here is a practical way to think through it.
Entry Level is likely the right starting point if:
-
Your contracts involve OFFICIAL or OFFICIAL: Sensitive information only
-
You are a subcontractor to a Prime and the contract specifies Entry Level as the requirement
-
None of your personnel are required to hold security clearances
-
You are new to defence work and want to establish a security baseline before pursuing higher-level contracts
Level 1 is the right level if:
-
Your contracts involve PROTECTED information
-
You need to sponsor Baseline security clearances for any of your personnel
-
You are bidding on government panels or programmes that require Protected-level access
-
You are positioning your business for growth in defence where higher classification work is the goal
One important nuance: your DISP level does not have to be uniform across all four security domains. Your organisation might hold Level 1 for Security Governance and Personnel Security, but only Entry Level for Physical Security and ICT. The exception is Governance, which must always match your highest domain. This flexibility can be useful, but it also adds complexity to your compliance planning.
Not sure which level applies to your situation? Siege Cyber offers DISP gap analyses as a standalone service. We assess where your organisation currently sits against the requirements for your target membership level and give you a clear, practical plan to close the gaps. Visit siegecyber.com.au/services/defence-industry-security-program-disp/ or see our compliance pricing to understand how we structure our DISP engagements.
The Essential Eight Is Now Non-Negotiable for All Levels
This is worth calling out directly, because it catches a lot of businesses off guard.
As of November 2025, the old “Top 4” cyber requirement has been retired across the board. Every DISP applicant, Entry Level included, must now implement all eight strategies of the ASD Essential Eight at Maturity Level 2. This means application control, patching of applications and operating systems, restricting access, user application hardening, restricting administrative privileges, multi-factor authentication, and regular backups all implemented at a defined, evidence-based maturity level.
This is not a light-touch exercise. If your IT environment is not already heading toward Essential Eight ML2, that is the first thing to address before lodging any DISP application.
How Siege Cyber Helps Businesses Achieve DISP Membership
Siege Cyber works with Australian businesses at every stage of the DISP membership journey — from organisations exploring DISP for the first time to existing members working through their Annual Security Report or upgrading from Entry Level to Level 1.
Our team helps you determine the right membership level for your specific contracts, conduct a gap assessment across all four security domains, implement the required controls including Essential Eight ML2, develop your security plan documentation, and prepare for the Entry Level Assessment or higher-level assessment process.
We are based in Brisbane and work with defence businesses across Australia. To find out where your organisation stands and what it will take to achieve your target DISP membership level, visit siegecyber.com.au/services/defence-industry-security-program-disp/, view our compliance pricing, or get in touch directly at [email protected].