DISP Compliance Services

Secure defence contracts with Defence Industry Security Program membership and Essential Eight Maturity Level 2 compliance

Siege Cyber provides comprehensive DISP compliance services for Australian businesses bidding on defence contracts or working as defence industry subcontractors. We guide you through the DISP membership application process, implement Essential Eight Maturity Level 2 across your corporate IT systems, establish the four security domains required by the Defence Security Authority, and provide ongoing compliance support. You get DISP membership approval and the security capability to maintain it.

You Need DISP Membership to Bid on Defence Contracts, But the Requirements Just Got Significantly Harder

Your business has an opportunity to bid on an Australian Defence contract or work as a subcontractor to a defence prime. The tender requirements explicitly state DISP membership is mandatory. You started the application process and discovered that DISP now requires Essential Eight Maturity Level 2 across your entire corporate IT environment, not just the previous "Top 4" strategies at Level 1. The requirements changed in late 2024, and what was achievable in 3-4 months now requires 6-12 months of dedicated implementation effort.

The Defence Security Authority is clear: you cannot process defence-related information or work on defence projects without current DISP membership. The membership application itself takes approximately 90 days once assigned to a processing officer, assuming your documentation is complete and your security controls meet requirements. If your Essential Eight implementation is inadequate, your ICT/Cyber Security domain assessment fails, and your application stalls. Meanwhile, the contract opportunity moves forward without you, or your existing defence work is at risk if you are renewing expired membership.

Here is what makes DISP compliance particularly challenging: it covers four security domains (Security Governance, Personnel Security, Physical Security, ICT/Cyber Security), and deficiency in any domain can delay or prevent membership approval. The Essential Eight ML2 requirement alone is substantial, but you also need documented security governance, personnel security vetting processes, and physical security controls appropriate to the classification level you are seeking. Most technology companies have reasonable ICT security but weak formal governance or undocumented physical security. You need all four domains addressed simultaneously to achieve DISP membership.

What We Deliver: Defence Industry Security Program Consulting Services

Siege Cyber provides end-to-end DISP compliance consulting for Australian defence contractors and subcontractors. We assess your readiness across all four security domains, implement Essential Eight Maturity Level 2, prepare your DISP membership application, and provide ongoing support to maintain compliance once membership is granted. You get DISP approval and sustainable security controls that satisfy Defence Security Authority requirements.

Here is what you get:

  • DISP readiness assessment across all four security domains – We assess your current capability against DISP requirements for Security Governance (security policies, risk management, incident response), Personnel Security (security clearances, vetting procedures, ongoing suitability), Physical Security (access control, secure storage, visitor management), and ICT/Cyber Security (Essential Eight ML2, network security, data protection). We identify gaps in each domain, determine which classification level is realistic for your organisation, estimate the timeline to DISP-ready status, and provide a prioritised remediation roadmap. You understand exactly what is required before starting the formal application.
  • Essential Eight Maturity Level 2 implementation – DISP's 2026 ICT/Cyber Security requirements mandate Essential Eight ML2 across all corporate IT systems used to correspond with Defence. We implement all eight mitigation strategies at Maturity Level 2 including application control, patch applications, configure Microsoft Office macro settings, user application hardening, restrict administrative privileges, patch operating systems, multi-factor authentication, and regular backups. This is not the previous "Top 4" approach. This is full Essential Eight ML2 with documented evidence and technical validation. Without this, your DISP application cannot proceed.
  • Security governance framework and documentation – DISP requires documented security governance appropriate to the classification level you are seeking. We establish board or executive-level security governance, security risk management framework, documented security policies and procedures, incident management and reporting processes, third-party and supply chain security requirements, and annual security reporting capability. The Defence Security Authority expects to see genuine governance oversight, not policies copied from templates with no evidence of implementation.
  • Personnel and physical security programme development – Beyond ICT security, DISP requires personnel security vetting and physical security controls. We establish personnel security vetting processes aligned with Australian Government Protective Security Policy Framework (PSPF), security clearance management procedures, ongoing suitability monitoring, secure area access control systems, classified information storage and handling procedures, and visitor management protocols. These domains are often overlooked by technology companies but are mandatory for DISP membership.
  • DISP membership application preparation and submission – Once your security controls meet requirements, we prepare your formal DISP membership application including completion of all required documentation, compilation of evidence for each security domain, preparation for Defence Security Authority assessment, coordination with DSA processing officers, and response to any queries or requests for additional information. A well-prepared application moves through the 90-day processing timeline smoothly. A poorly prepared application stalls indefinitely.
  • Annual security reporting and ongoing compliance – DISP membership requires annual security reports demonstrating continued compliance. We establish processes for ongoing monitoring of Essential Eight controls, annual security reporting to Defence, management of security incidents affecting defence work, periodic reassessment of security domains, and maintenance of DISP membership. Achieving DISP membership is significant effort. Maintaining it requires ongoing commitment, and we provide the framework to sustain compliance year after year.


Our DISP Compliance Process

We have guided Australian defence contractors through DISP membership application and compliance. Here is how it works.

1. DISP Readiness Assessment and Classification Scoping

We meet with your leadership team to understand your defence industry engagement (prime contractor, subcontractor, or aspiring bidder), target classification level for DISP membership (PROTECTED, SECRET, TOP SECRET), current security posture across the four domains, and timeline requirements (existing contract obligations, upcoming tender deadlines). We conduct a DISP readiness assessment to determine gaps, realistic timeline to application-ready status, and estimated effort required. This establishes whether DISP membership is achievable within your required timeline.

2. Essential Eight ML2 Gap Analysis and Implementation Planning

We assess your current Essential Eight maturity level and plan implementation to reach Maturity Level 2 across all corporate IT systems. This includes a detailed gap analysis for all eight strategies, a prioritised remediation roadmap, a technical implementation plan, an evidence collection framework, and a timeline to Essential Eight ML2 compliance. Without Essential Eight ML2, your DISP application will not be approved, so ICT/Cyber Security domain readiness is on the critical path.

3. Security Governance and Documentation Development

We establish or enhance your security governance framework to meet DISP requirements including board or executive security oversight, security risk management processes, comprehensive security policies and procedures, incident management framework, third-party security requirements, and annual security reporting processes. The Defence Security Authority assesses whether your governance is genuine and sustainable, not superficial documentation created solely for compliance.

4. Personnel and Physical Security Implementation

While Essential Eight implementation progresses, we establish personnel and physical security programmes including personnel security vetting procedures, security clearance management, secure area access control, classified information handling procedures, visitor management protocols, and ongoing suitability monitoring. These domains require coordination with HR, facilities, and management, and implementation timelines vary based on your starting point.

5. Evidence Collection and Validation

We compile comprehensive evidence demonstrating compliance across all four security domains including Essential Eight ML2 technical validation, security governance documentation, personnel security records, physical security assessments, incident management logs, and third-party security agreements. The Defence Security Authority requires documented proof of compliance, not claims. We ensure evidence is complete, accurate, and audit-ready before application submission.

6. DISP Membership Application and DSA Liaison

We prepare and submit your formal DISP membership application, coordinate with Defence Security Authority processing officers, respond to queries or requests for additional information, facilitate any required site assessments, and track application progress through the 90-day processing timeline. Once membership is granted, we establish ongoing compliance monitoring to maintain your DISP membership and prepare annual security reports.

Who This Is For: DISP Membership Application Consulting

This service is designed for Australian businesses that work or intend to work with the Australian Defence Force, defence primes, or on defence-related projects requiring DISP membership.

You are a good fit if:

  • You are bidding on Australian Defence contracts that explicitly require DISP membership as a prerequisite
  • You are working as a subcontractor to a defence prime contractor and the customer requires DISP compliance
  • You are an existing defence contractor with expiring DISP membership that must be renewed to maintain current work
  • You handle or will handle classified defence information at PROTECTED, SECRET, or TOP SECRET levels
  • You are a technology company, engineering firm, or professional services provider seeking to enter the defence market
  • You attempted to prepare a DISP application internally but realised the complexity exceeds your security expertise
  • You need to achieve DISP membership within a specific timeline to satisfy contract obligations or tender deadlines
  • You need assistance implementing Essential Eight Maturity Level 2 to meet the 2026 DISP ICT/Cyber Security requirements

Why Choose Siege Cyber for DISP Consulting Services Australia

20+ years of information security and compliance expertise. Our Technical Director, Peter Stewart, has spent over two decades in cybersecurity roles including security assessments, penetration testing, and compliance consulting. We understand both the technical implementation and governance aspects of DISP requirements, allowing us to guide you through all four security domains effectively.

Deep expertise in Essential Eight Maturity Level 2 implementation. DISP's 2026 ICT/Cyber Security requirements mandate Essential Eight ML2, which is significantly more demanding than the previous "Top 4" approach. We have extensive experience implementing Essential Eight across Australian organisations and understand the ASD maturity model requirements, evidence expectations, and sustainable implementation approaches. We know how to achieve and maintain Essential Eight ML2 efficiently.

Understanding of Australian defence security requirements. Beyond technical controls, DISP requires understanding of the Defence Security Principles Framework (DSPF), Australian Government Protective Security Policy Framework (PSPF), and Defence Security Authority expectations. We understand what the DSA looks for during assessments, what documentation satisfies requirements, and what constitutes genuine governance versus superficial compliance. You get guidance grounded in defence industry security standards.

Practical approach to the four security domains. Technology companies typically have reasonable ICT security but weak governance and physical security programmes. We help you address all four DISP domains systematically, leveraging existing controls where possible and implementing new controls where required. We prioritise based on your timeline, classification level requirements, and available resources.

Proven track record with Australian defence contractors. We have guided defence primes, subcontractors, and aspiring defence industry participants through DISP membership application and compliance. You benefit from our experience with Defence Security Authority processes, common application issues, and what actually satisfies DSA assessment requirements versus what looks good on paper but fails scrutiny.


Frequently Asked Questions

What changed in DISP requirements for 2026?

In September 2024, DISP introduced significant cyber security updates effective for 2026. Previously, DISP required only four Essential Eight strategies ("Top 4": Application Whitelisting, Patching Applications, Restricting Administrative Privileges, Patching Operating Systems) at Maturity Level 1. From 2026, DISP requires all eight Essential Eight mitigation strategies at Maturity Level 2 across your entire corporate IT environment. This represents a substantial increase in requirements and implementation effort.

How long does DISP membership application take?

The Defence Security Authority processing timeline is approximately 90 days once your application is assigned to a processing officer. However, this assumes your application is complete and your security controls meet requirements when submitted. Most organisations require 6-12 months of preparation before submitting, depending on their starting security posture. Attempting to rush the preparation phase typically results in application rejection or extensive delays as the DSA requests additional information or remediation.

What classification level should we apply for?

DISP membership levels align with Australian Government security classifications: PROTECTED, SECRET, and TOP SECRET. The appropriate level depends on the classification of defence information you will handle. Most defence contractors start with PROTECTED level, which is sufficient for most non-classified or low-classification defence work. Higher classification levels require increasingly stringent security controls, longer processing times, and more extensive personnel security vetting. Start with the minimum classification level your defence work requires.

Do all employees need security clearances for DISP membership?

Not necessarily. Personnel security requirements depend on your DISP membership level and the specific defence work involved. At minimum, key personnel who will handle classified information need appropriate security clearances. Some contracts require all staff with access to defence systems or information to hold clearances, while others only require clearance for specific roles. We help you determine which personnel require vetting based on your DISP classification level and contract requirements.

Can we maintain DISP membership without full-time security staff?

Yes, though it requires established processes and periodic expert support. Many smaller defence contractors use a combination of internal IT staff managing day-to-day security operations, periodic security consultant support for quarterly or annual assessments, and external audit or vCISO services for governance oversight and annual security reporting. The key is establishing sustainable processes that maintain Essential Eight ML2 compliance and evidence collection without requiring full-time dedicated security personnel.

What happens if our DISP membership application is rejected?

The Defence Security Authority typically does not outright reject applications but rather identifies deficiencies requiring remediation before approval. Common issues include insufficient Essential Eight maturity, inadequate security governance documentation, gaps in personnel security vetting, or physical security deficiencies. If your application reveals deficiencies, you remediate the identified gaps and resubmit evidence. This extends the approval timeline but does not permanently disqualify you from DISP membership.

Does DISP membership expire and require renewal?

DISP membership itself does not have a fixed expiration date, but the Defence Security Authority requires annual security reports demonstrating ongoing compliance with membership requirements. Additionally, security clearances for personnel have defined validity periods requiring renewal. If your security posture degrades significantly or you fail to provide required annual reporting, your DISP membership can be suspended or revoked. Ongoing compliance is mandatory, not optional.



Ready to Achieve DISP Membership and Secure Defence Contracts?

DISP membership is not optional for Australian defence contractors. It is mandatory for bidding on defence tenders, working on defence projects, or handling classified defence information. The 2026 requirements are significantly more demanding than previous years, with Essential Eight Maturity Level 2 now required across your entire corporate IT environment. Attempting to navigate DISP compliance without expert guidance typically results in extended timelines, application delays, or outright rejection.

Book a free 30-minute consultation with our team. We will assess your current security posture across the four DISP domains, explain what Essential Eight ML2 implementation involves, and provide a realistic timeline to DISP membership approval. You will leave the call understanding exactly what is required and whether you can achieve DISP membership within your contract deadlines.