How to Get DISP Membership Step‑by‑Step

If your business wants to support the Australian Defence Force, DISP membership is fast becoming a practical necessity rather than a nice to have. The good news is that the DISP membership process is very achievable if you tackle it step by step with a clear DISP compliance checklist.

This guide walks through how to get DISP membership, who is eligible for DISP, and what to expect from the application and assurance process. It is written for Australian businesses that might already be investing in security controls like ISO 27001 Annex A controls, ASD Essential Eight, or NIST 800‑171, but still need a clear roadmap for DISP.

What is DISP membership and why does it matter?

The Defence Industry Security Program (DISP) is run by the Australian Department of Defence to give Defence confidence that suppliers can handle their people, information and assets securely. It covers four domains: governance, personnel security, physical security, and information & cyber security, with four DISP membership levels from Entry Level through to Level 3.

DISP membership is open to any Australian entity that wants to be part of the Defence supply chain, and in some contracts it is mandated as a condition of doing the work. There is no membership fee, but you must invest in implementing and maintaining the security measures that match the DISP level you are applying for.

Are you eligible for DISP?

Before worrying about the application form, it helps to check basic eligibility for DISP. Defence sets out clear eligibility and suitability requirements, including:

  • You are a registered Australian entity with an ABN and correct ASIC details.

  • You are financially solvent and able to sustain delivery.

  • You can meet foreign ownership, control and influence (FOCI) requirements.

  • You can nominate a Chief Security Officer (CSO) and Security Officer (SO) with suitable authority and experience.

  • You can provide a DISP@your‑entity‑name email address hosted in Australia.

  • Your ICT networks are aligned with recognised cyber standards such as ASD Essential Eight, ISO/IEC 27001, NIST SP 800‑171 or equivalent.

If you are not sure whether your current controls are enough to support DISP membership, a structured gap assessment against the DISP membership requirements checklist is usually the most efficient starting point. Siege Cyber offers DISP readiness assessments, mapping what you already have (policies, Annex A‑style controls, Essential Eight maturity, penetration testing results) against the eligibility and suitability criteria Defence expects to see.

Step 1: Choose the right DISP membership level

DISP is multi‑level, and the level you choose should reflect the sensitivity of the work you are doing or want to do for Defence. In simple terms:

  • Entry Level – typically used where you handle OFFICIAL or OFFICIAL: Sensitive information and have no need for personnel clearances.

  • Level 1 (PROTECTED) – suits entities handling PROTECTED information and needing Baseline security clearances.

  • Level 2 (SECRET) – for work involving SECRET information and NV1 cleared personnel.

  • Level 3 (TOP SECRET) – for TOP SECRET environments and NV2 clearances.

Most small to mid‑sized technology and consulting firms start with Entry Level DISP or Level 1. Defence’s own guidance encourages you to be realistic about your capacity to maintain the controls associated with the level you choose, not just what might look impressive in a tender.

Step 2: Work through a DISP compliance checklist

Before applying on the DISP Member Portal, Defence strongly recommends that you work through the official DISP membership requirements checklist. A good DISP compliance checklist will typically cover:

  • Security governance: policies, roles, risk management, incident response and reporting.

  • Personnel security: vetting, induction, ongoing suitability, and handling of insider risk.

  • Physical security: secure premises, access control, visitor management, asset protection.

  • Information & cyber security: network hardening, patching, backups, monitoring, and alignment with standards such as Essential Eight or ISO 27001 Annex A controls.

At this stage, many organisations discover they already have useful building blocks. For example, if you are working towards ISO 27001, your controls register and risk treatment plan will often map well to DISP information and cyber security requirements.

If you want a structured DISP membership process without guesswork, Siege Cyber’s DISP service is designed around a clear readiness checklist and evidence list tailored to Australian SMEs.

Step 3: Prepare your DISP security documentation

Defence expects to see evidence, not just intentions. For most applicants, this means assembling a practical but complete security documentation set, which usually includes:

  • A security plan that aligns with DISP and the Defence Security Principles Framework (DSPF) Principle 16.

  • Governance policies for information security, risk management, access control, incident response, and supplier management.

  • Personnel security procedures, including how you vet, onboard, brief and offboard staff and contractors.

  • Physical security procedures for your premises and any sites where Defence information or assets will be handled.

  • Cyber security documentation, including how you meet Essential Eight maturity expectations, system hardening, logging, and vulnerability management.

Many of the same documents will support other frameworks such as ISO 27001, SOC 2 or APRA CPS 234, which is why a lot of defence‑adjacent organisations look at DISP as part of a broader security uplift.

If your team is already moving towards ISO 27001, the work you are doing on risk assessment, control selection and an Annex A‑aligned control framework will directly support your information and cyber security story for DISP.

Step 4: Register on the DISP Member Portal and complete the application

Once you are confident you can meet the requirements for your chosen level, you submit your DISP membership application via the DISP Member Portal. Defence’s latest updates show that the portal now supports end‑to‑end application and membership self‑management, including a structured application with nine main sections:

  1. Entity details

  2. Officer details (including CSO and SO)

  3. Contracts and panels

  4. Physical and ICT information

  5. Membership levels

  6. Foreign ownership, control and influence (FOCI)

  7. Cyber questionnaire

  8. Attachments (your evidence pack)

  9. Preview and submit

You will need an Australian Government Digital Identity and to set up authorisations in the Relationship Authorisation Manager so that your CSO and SO can complete their parts of the application. Draft applications that sit untouched for more than 60 business days are automatically removed, so it is worth lining up your evidence before you start.

If you are unsure how much detail to include, or how to answer items in the cyber questionnaire in a way that accurately reflects your Essential Eight or ISO 27001 alignment, an external DISP consultant can save a lot of back‑and‑forth. Siege Cyber regularly helps clients shape their responses so they are both honest and complete.

Step 5: Defence assessment, clarification and potential audit

Once your DISP application is lodged, Defence will review the material and may:

  • Ask for clarification or extra supporting documents.

  • Schedule interviews with your CSO, SO or key technical leads.

  • For higher levels, conduct a site visit or more formal assurance activity.

Public guidance suggests that standard applications can take several months from allocation to decision, with priority applications (endorsed as urgent by Defence) taking around 90 days once a processing officer is assigned. The more complete and consistent your documentation is, the smoother this tends to be.

From there, successful applicants receive confirmation of DISP membership and must then move into the ongoing assurance phase, which includes annual security reports and continuing obligations.

If you are feeling stuck at this point, a targeted review of your draft application and evidence set can make a big difference. Siege Cyber offers this as a fixed‑price engagement, with transparent options on our compliance pricing page.

Step 6: Ongoing DISP compliance and annual reporting

DISP is not a one‑off exercise. As a DISP member, you must:

  • Maintain the controls you said you had, particularly in governance, personnel, physical and cyber domains.

  • Complete an Annual Security Report (ASR) within 10 working days of your DISP membership anniversary date.

  • Keep your CSO and SO details, contact points and key security documents up to date in the DISP Member Portal.

  • Respond to any Defence‑initiated assurance activities or targeted reviews.

In practice, this often means treating DISP as part of a broader security management system. Many defence suppliers align their DISP controls with ISO 27001 Annex A controls or the ASD Essential Eight, then use regular penetration testing, internal audits and management reviews to monitor effectiveness.

Siege Cyber can help you build that integrated approach so that DISP membership, ISO 27001, Essential Eight and other obligations support each other rather than competing for time and budget.

How Siege Cyber helps with DISP membership

Siege Cyber works with Australian defence suppliers and adjacent businesses on DISP readiness, application support and ongoing compliance. This usually includes:

  • A DISP readiness assessment against the official membership requirements checklist.

  • Development or uplift of core security policies and procedures across governance, personnel, physical and cyber domains.

  • Alignment of your cyber controls with Essential Eight and, where useful, ISO 27001 Annex A controls.

  • Support with preparing your DISP security plan, CSO / SO evidence and attachments for the portal.

  • Advice on how to manage DISP membership alongside ISO 27001 certification, SOC 2 readiness or broader regulatory requirements like the Privacy Act and APRA CPS 234.

If you’d like a clear, practical path to DISP membership, visit siegecyber.com.au or our dedicated DISP service page and request a short consultation. From there, we can map out the DISP membership process for your business, estimate effort and cost, and agree whether Entry Level or a higher membership level makes sense.