To work with the Department of Defence you need DISP membership, and on the cyber side that now means meeting the full Essential Eight at Maturity Level 2. We help Australian defence businesses get there, support the Cyber Security Questionnaire, and address foreign ownership and data sovereignty along the way.
New to this? Our complete DISP accreditation guide explains the whole program. This page covers the cyber security side and how we help. See also Essential Eight, ISO 27001, and SMB1001, or our wider cyber security services.
DISP requires the full Essential Eight at Maturity Level 2 for every membership level
Governance, personnel, physical, and information and cyber security
Foreign ownership, control and influence is assessed as part of every DISP application
The Defence Industry Security Program (DISP) is the Australian Government’s framework for managing security across the defence supply chain, administered by Defence under the Defence Security Principles Framework. If your business wants to work with the Department of Defence on contracts involving classified or sensitive information, you need DISP membership.
DISP is assessed across four security domains: governance, personnel security, physical security, and information and cyber security. There are four membership levels, from Entry Level through to Level 3, aligned to the classification of information you handle, and your governance level always matches the highest level you hold in any other domain.
On the cyber side, DISP now requires the full Essential Eight at Maturity Level 2 as the minimum for every membership level, including Entry Level. Defence assesses it through the Cyber Security Questionnaire, and it wants evidence the controls are operating, not just a statement that they exist. Our DISP guide covers the full picture, and our Essential Eight page covers the controls themselves.
Membership requires all four domains to be addressed to the standard for the level you are seeking. A gap in any one can hold up the whole application.
Governance: Documented security policies, a risk management plan, and a designated Security Officer who is accountable for your DISP compliance and is the point of contact with Defence.
Personnel security: Workforce screening to the Australian Standard, and security clearances where your level requires them. Entry Level cannot sponsor clearances; Level 1 and above can.
Physical security: Controls over the facilities where defence information and assets are handled, scaling from modest requirements at Entry Level to certified secure zones at higher levels.
Information and cyber security: The domain where most businesses have the largest gaps, and where an MSP helps most. This is the full Essential Eight at Maturity Level 2, assessed through the Cyber Security Questionnaire, plus the documentation and evidence behind it.
The Cyber Security Questionnaire is built around the Essential Eight at Maturity Level 2, assessed on the ICT systems you use to deal with Defence. There are two practical routes to get there, and the right one depends on your business.
Uplift your existing environment. If your corporate environment is Australian-held and can carry the controls, we uplift it to Essential Eight ML2 and build the evidence. This suits Australian-owned businesses without foreign ownership complications.
An isolated, Australian-held environment. Where uplifting the whole environment is slow or costly, or where foreign ownership, control and influence (FOCI) and data sovereignty are in play, we stand up a separate environment scoped only to the defence work, held entirely in Australia and held to ML2. It answers the sovereignty question by design and keeps the assessable boundary small. We then run it through our managed cyber security service so the maturity holds over time.
Defence grants DISP membership, not us. What we do is get the cyber domain ready, support your submission, and hold the standard once you are in.
DISP is increasingly a prerequisite for tender eligibility across the defence supply chain, not just a differentiator.
Businesses bidding for or delivering Defence contracts that involve classified or sensitive information, assets, or capabilities.
Engineering, IT services, logistics, manufacturing, and professional services firms moving into defence work for the first time.
Local arms of overseas companies that need to work with Defence but face foreign ownership and data sovereignty scrutiny. An isolated, Australian-held environment is often the cleanest answer.
Organisations that have discovered a contract or panel requires DISP membership and need a realistic, evidence-backed path to readiness.
Businesses already in DISP that now need to meet the full Essential Eight at Maturity Level 2 after the recent uplift, or that need help keeping evidence current for the Annual Security Report.
Businesses scaling into defence work as AUKUS and sovereign capability programs expand the supply chain, where DISP membership is now the price of entry rather than a nice-to-have.
Two issues are reshaping defence cyber security faster than most guides admit, and both sit inside your DISP obligations.
Foreign ownership, control and influence is declared and assessed as part of every DISP application, and government technology procurement now has its own FOCI requirements. Holding the defence environment entirely in Australia, separate from a foreign-managed corporate fleet, addresses this by design rather than as a retrofit.
Staff using public AI tools on defence information is a live compliance risk, and Defence is starting to ask how contractors handle it. We help you set the controls and governance, drawing on our AI governance practice, so AI use does not undermine your DISP standing.
DISP, the Defence Industry Security Program, is the Australian Government’s framework for managing security across the defence supply chain. It is administered by Defence under the Defence Security Principles Framework and covers four domains: governance, personnel security, physical security, and information and cyber security. Any business working with the Department of Defence on classified or sensitive work needs DISP membership. Our DISP guide covers it in full.
On the cyber side, DISP requires the full Essential Eight at Maturity Level 2 as the minimum for every membership level, including Entry Level. Defence assesses this through the Cyber Security Questionnaire, which is aligned to ML2, and then conducts a point-in-time assessment. You need the controls operating and the evidence to back them, across the ICT systems you use to correspond with Defence.
Yes. Since the September 2024 uplift, the full Essential Eight at Maturity Level 2 is the mandated minimum for all DISP members, including Entry Level applicants who must plan and implement to ML2. Higher classification contracts can call for Maturity Level 3 in specific areas. Our Essential Eight page covers the controls, and our ML2 guide covers that level in detail.
FOCI stands for foreign ownership, control and influence. Defence requires a FOCI declaration as part of every DISP application, because foreign control can create national security and data sovereignty risks. For an Australian subsidiary of an overseas company, standing up a separate, Australian-held environment scoped to the defence work is often the cleanest way to reduce that exposure, rather than trying to carve out a globally managed corporate fleet.
Yes, particularly with the information and cyber security domain, where most businesses have the largest gaps. We get you to Essential Eight ML2, build the evidence, support the Cyber Security Questionnaire, develop the incident response plan, and hold the environment to ML2 over time. Defence grants the membership itself, so the governance, personnel and physical domains still need input from your leadership and security team alongside our cyber work.
Entry Level membership is often achievable in two to four months for a well-prepared business, while higher levels involving facility and personnel clearances can take six to twelve months or more. On cost, a scoped isolated ML2 environment for a small team is typically a one-off build in the low tens of thousands plus a managed monthly fee, while uplifting an existing environment varies with its size and current maturity. We give you firm figures after the readiness assessment.