DISP Accreditation: A Complete Guide for Defence Businesses

By Greg Markowski / Jan 2, 2026 / Cybersecurity & Compliance

DISP accreditation — key facts

If your business wants to work with the Australian Department of Defence — whether as a prime contractor, subcontractor, or supplier — you almost certainly need DISP accreditation. Without it, you cannot access classified information or sensitive Defence assets, and you cannot participate in most significant Defence procurement opportunities.

This guide explains what DISP accreditation involves, how the four security domains work, what the membership tiers mean in practice, and what an IT provider needs to do to support your DISP journey.

What is DISP and why does it exist?

The Defence Industry Security Program is the Australian Government’s framework for managing security risks across the defence supply chain. It exists because Defence contracts often involve classified information, sensitive technologies, and national security assets that cannot be exposed to unvetted parties.

DISP membership signals to Defence and to prime contractors that your organisation has implemented structured controls across governance, personnel, physical, and cyber security — and that those controls are subject to ongoing oversight. Without DISP membership, your business cannot be granted facility clearances, personnel clearances, or access to classified Defence information.

For Australian businesses in defence-adjacent industries — engineering, IT services, logistics, manufacturing, professional services — DISP is increasingly a prerequisite for tender eligibility, not just a differentiator.

The four DISP security domains

1. Governance

Governance requirements establish how security decisions are made, who is accountable, and how security performance is monitored across the organisation. DISP requires businesses to have documented security policies and procedures, a formal risk management plan, a designated Security Officer (who is an Australian citizen with appropriate clearance), and reporting and auditing mechanisms that demonstrate controls are operating as intended.

The Security Officer role is critical — this person is the primary point of contact with Defence and is personally accountable for your organisation’s DISP compliance. They must hold or be eligible for the security clearance level required by your DISP membership tier.

2. Personnel security

Personnel security focuses on verifying that employees who access Defence information or assets are appropriately vetted and trustworthy. Requirements include pre-employment screening for all staff who will access classified information, security clearance sponsorship and management for relevant personnel, ongoing suitability assessments, and clear procedures for managing changes in personnel (new hires, role changes, terminations).

The level of clearance required depends on your DISP membership tier. Entry and Baseline tiers typically require Baseline clearances. NV1 and NV2 tiers require Negative Vetting clearances, which involve more intensive background investigation by the Australian Government Security Vetting Agency (AGSVA).

3. Physical security

Physical security requirements govern how your facilities protect classified information and assets. This includes physical access controls to areas where classified work is performed, visitor management procedures, secure storage for classified materials, alarm systems and monitoring, and in some cases construction standards for secure rooms (known as Secure Working Areas or SWAs).

The physical requirements scale with the classification level of work your business performs. Entry-level DISP membership has relatively modest physical requirements, while NV2-level work may require purpose-built facilities meeting Defence-prescribed construction standards.

4. Information and cybersecurity

This is the domain most relevant to IT providers and the one where specialist IT support has the greatest impact. DISP cybersecurity requirements align with the ASD Essential Eight, the Protective Security Policy Framework (PSPF), and the Information Security Manual (ISM).

Core cybersecurity requirements include multi-factor authentication, application control, patching within prescribed timeframes, privileged access management, endpoint detection and response, email security controls, secure configuration of systems handling Defence information, and documented incident response procedures.

For businesses handling classified information at higher tiers, additional requirements apply — including network segmentation, data loss prevention, and in some cases accreditation of ICT systems against the ISM.

DISP membership tiers — what each one means

Tier | What it enables | Clearance level | Typical applicant
Entry | Access to protected-level information and basic Defence industry participation | Baseline | Suppliers, subcontractors with limited sensitive exposure
Baseline | Protected and Secret-level information; broader Defence contract eligibility | Baseline / NV1 | Engineering, IT, and professional services firms on Defence programs
Baseline+ | As Baseline with additional physical or cyber requirements for specific contract types | NV1 | Businesses with recurring sensitive Defence work
NV1 | Top Secret information and sensitive capability programs | NV1 | Prime contractors and key subcontractors on classified programs
NV2 | Highest classification levels and most sensitive national security programs | NV2 | Tier 1 defence primes and critical infrastructure contractors

How DISP relates to Essential Eight and other frameworks

DISP’s cybersecurity requirements are not a standalone framework — they reference and build on existing Australian Government standards. The relationship looks like this:

The ASD Essential Eight forms the technical baseline. DISP Entry and Baseline membership requires controls broadly consistent with Essential Eight Maturity Level 1 to 2. For businesses already working toward Essential Eight compliance, DISP cybersecurity requirements are largely covered — with some additional documentation and governance requirements specific to Defence.

The Information Security Manual (ISM) published by the Australian Signals Directorate provides the detailed control requirements for protecting classified information systems. At higher DISP tiers, some ICT systems may need to be accredited against ISM controls.

The Protective Security Policy Framework (PSPF) governs how government entities and their contractors handle classified information. DISP membership brings your business within the scope of PSPF obligations relevant to the classification level of information you handle.

For businesses also pursuing ISO 27001 certification, the governance and management system work overlaps significantly with DISP requirements. Many businesses pursue both in parallel — ISO 27001 for commercial credibility and DISP for Defence access.

What the DISP application process involves

The DISP application is submitted through the Defence Industry Security Office (DISO) portal. The process typically involves:

Initial self-assessment — your business assesses its current security posture against DISP requirements across all four domains and identifies gaps.

Security Officer appointment — a suitable person is nominated as Security Officer. They must be an Australian citizen, meet the clearance requirements for the tier sought, and complete DISP Security Officer training.

Documentation development — security policies, procedures, risk management plans, and physical security assessments are developed and documented to DISP standards.

Application submission and assessment — DISO reviews the application, may conduct site visits, and assesses whether your controls meet the requirements for the tier sought.

Ongoing compliance — once granted, DISP membership requires annual self-assessments, notification of security incidents, and ongoing management of personnel clearances and physical security controls.

The timeline varies significantly by tier and applicant complexity. Entry-level membership can be achieved in two to four months for well-prepared organisations. Higher tiers involving facility clearances and personnel clearances can take six to twelve months or more, partly depending on AGSVA clearance processing times.

The role of an IT provider in DISP accreditation

IT providers play a critical role in the cybersecurity domain of DISP — often the domain where businesses have the most gaps. A managed IT provider with DISP experience can assist with:

Gap analysis of your current cybersecurity posture against DISP requirements
Essential Eight implementation
Documentation of security policies and procedures
Ongoing compliance monitoring

Epic IT supports Perth businesses pursuing DISP accreditation through our managed cybersecurity services and Essential Eight implementation. Our team understands the intersection of DISP requirements, Essential Eight, and ISM — and can help you build a security programme that satisfies all three without duplicating effort.

Contact us on 1300 EPIC IT to discuss your DISP accreditation requirements and get a clear picture of where your business stands.

Frequently asked questions

What is DISP accreditation and who needs it?
DISP (Defence Industry Security Program) accreditation is required for any Australian business seeking to work with the Department of Defence on contracts involving classified or sensitive information, assets, or capabilities. Without DISP membership, businesses cannot be granted facility clearances, personnel clearances, or access to classified Defence information.

What are the four domains of DISP?
DISP covers four security domains: Governance (policies, accountability, risk management), Personnel security (vetting, clearances, suitability), Physical security (facility controls, secure storage, access management), and Information and cybersecurity (Essential Eight alignment, ISM controls, incident response).

How does DISP relate to the Essential Eight?
DISP’s cybersecurity requirements align closely with the ASD Essential Eight. Entry and Baseline DISP membership requires controls broadly consistent with Essential Eight Maturity Level 1 to 2. Businesses that have already implemented Essential Eight controls are well positioned for DISP cybersecurity compliance, with some additional documentation and governance work required.

How long does DISP accreditation take?
Entry-level DISP membership can be achieved in two to four months for well-prepared organisations. Higher tiers requiring facility clearances and AGSVA-processed personnel clearances can take six to twelve months or more. The timeline depends heavily on the tier sought, existing security maturity, and AGSVA clearance processing times.

What is a DISP Security Officer?
The Security Officer is the person within your organisation who is the primary point of accountability for DISP compliance. They must be an Australian citizen, hold or be eligible for the clearance level required by your membership tier, and complete DISP Security Officer training. They are your organisation’s official point of contact with the Defence Industry Security Office.

Can an MSP help with DISP accreditation?
Yes. A managed IT provider with defence sector experience can assist with the cybersecurity domain of DISP — gap analysis, Essential Eight implementation, documentation of security policies and procedures, and ongoing compliance monitoring. The governance, personnel, and physical security domains require input from your own team and potentially specialist security consultants, but the IT component is a significant part of the overall accreditation effort.

Does DISP membership need to be renewed?
DISP membership is an ongoing obligation, not a one-time certification. It requires annual self-assessments, ongoing management of personnel clearances, notification of security incidents, and continuous compliance with security policies. Changes to your organisation — new staff, new facilities, new contract types — may require notification to DISO and updates to your security documentation.

Pursuing DISP accreditation?

Epic IT helps Perth defence industry businesses build the cybersecurity foundations required for DISP membership — from Essential Eight implementation through to ISM alignment and ongoing compliance management.

Book a Free Assessment

Or call us on 1300 EPIC IT (1300 374 248)

About the Author
Written by Greg Markowski, Founding Director of Epic IT — a CRN Fast50-recognised Microsoft Solutions Partner managing IT and cybersecurity for Perth businesses since 2003. Greg holds a Degree in Computer Science and a Diploma in Computer Systems Engineering from Edith Cowan University, and is ITIL certified.
