DISP Accreditation: A Complete Guide for Defence Businesses

By Chris Arceo / Jan 3, 2026 / Cybersecurity & Compliance

DISP accreditation — key facts

If your business wants to work with the Australian Department of Defence — whether as a prime contractor, subcontractor, or supplier — you almost certainly need DISP accreditation. Without it, you cannot access classified information or sensitive Defence assets, or participate in most significant Defence procurement opportunities.

This guide explains what DISP accreditation involves, how the four security domains work, what the membership tiers mean in practice, and what an IT provider needs to do to support your DISP journey. We have also added a section specifically on AI deployment — a topic most DISP guides do not yet cover, but one that is rapidly becoming critical for defence industry businesses adopting AI tools while remaining compliant with their DISP obligations.

What is DISP and why does it exist?

The Defence Industry Security Program is the Australian Government’s framework for managing security risks across the defence supply chain. It exists because Defence contracts often involve classified information, sensitive technologies, and national security assets that cannot be exposed to unvetted parties.

DISP membership signals to Defence and to prime contractors that your organisation has implemented structured controls across governance, personnel, physical, and cyber security — and that those controls are subject to ongoing oversight. Without DISP membership, your business cannot be granted facility clearances, personnel clearances, or access to classified Defence information.

For Australian businesses in defence-adjacent industries — engineering, IT services, logistics, manufacturing, professional services — DISP is increasingly a prerequisite for tender eligibility, not just a differentiator.

The four DISP security domains

1. Governance

Governance requirements establish how security decisions are made, who is accountable, and how security performance is monitored across the organisation. DISP requires businesses to have documented security policies and procedures, a formal risk management plan, a designated Security Officer (who is an Australian citizen with appropriate clearance), and reporting and auditing mechanisms that demonstrate controls are operating as intended.

The Security Officer role is critical — this person is the primary point of contact with Defence and is personally accountable for your organisation’s DISP compliance. They must hold or be eligible for the security clearance level required by your DISP membership tier.

2. Personnel security

Personnel security focuses on verifying that employees who access Defence information or assets are appropriately vetted and trustworthy. Requirements include pre-employment screening for all staff who will access classified information, security clearance sponsorship and management for relevant personnel, ongoing suitability assessments, and clear procedures for managing changes in personnel (new hires, role changes, terminations).

The level of clearance required depends on your DISP membership tier. Entry and Baseline tiers typically require Baseline clearances. NV1 and NV2 tiers require Negative Vetting clearances, which involve more intensive background investigation by the Australian Government Security Vetting Agency (AGSVA).

3. Physical security

Physical security requirements govern how your facilities protect classified information and assets. This includes physical access controls to areas where classified work is performed, visitor management procedures, secure storage for classified materials, alarm systems and monitoring, and in some cases construction standards for secure rooms (known as Secure Working Areas or SWAs).

The physical requirements scale with the classification level of work your business performs. Entry-level DISP membership has relatively modest physical requirements, while NV2-level work may require purpose-built facilities meeting Defence-prescribed construction standards.

4. Information and cybersecurity

This is the domain most relevant to IT providers and the one where specialist IT support has the greatest impact. DISP cybersecurity requirements align with the ASD Essential Eight, the Protective Security Policy Framework (PSPF), and the Information Security Manual (ISM).

Core cybersecurity requirements include multi-factor authentication, application control, patching within prescribed timeframes, privileged access management, endpoint detection and response, email security controls, secure configuration of systems handling Defence information, and documented incident response procedures.

For businesses handling classified information at higher tiers, additional requirements apply — including network segmentation, data loss prevention, and in some cases accreditation of ICT systems against the ISM. For a broader view of the cyber baseline that DISP cybersecurity sits on top of, see our piece on cybersecurity for Australian SMBs in 2026.

DISP membership tiers — what each one means

Tier      | What it enables                                                                      | Clearance level | Typical applicant
----------|--------------------------------------------------------------------------------------|-----------------|--------------------------------------------------------------------
Entry     | Access to protected-level information and basic Defence industry participation       | Baseline        | Suppliers, subcontractors with limited sensitive exposure
Baseline  | Protected and Secret-level information; broader Defence contract eligibility         | Baseline / NV1  | Engineering, IT, and professional services firms on Defence programs
Baseline+ | As Baseline with additional physical or cyber requirements for specific contract types | NV1             | Businesses with recurring sensitive Defence work
NV1       | Top Secret information and sensitive capability programs                             | NV1             | Prime contractors and key subcontractors on classified programs
NV2       | Highest classification levels and most sensitive national security programs          | NV2             | Tier 1 defence primes and critical infrastructure contractors

How DISP relates to Essential Eight and other frameworks

DISP’s cybersecurity requirements are not a standalone framework — they reference and build on existing Australian Government standards. The relationship looks like this:

The ASD Essential Eight forms the technical baseline. DISP Entry and Baseline membership requires controls broadly consistent with Essential Eight Maturity Level 1 to 2. For businesses already working toward Essential Eight compliance, DISP cybersecurity requirements are largely covered — with some additional documentation and governance requirements specific to Defence. We cover the broader Essential Eight implementation in our Essential 8 compliance guide.

The Information Security Manual (ISM) published by the Australian Signals Directorate provides the detailed control requirements for protecting classified information systems. At higher DISP tiers, some ICT systems may need to be accredited against ISM controls.

The Protective Security Policy Framework (PSPF) governs how government entities and their contractors handle classified information. DISP membership brings your business within the scope of PSPF obligations relevant to the classification level of information you handle.

For businesses also pursuing ISO 27001 certification, the governance and management system work overlaps significantly with DISP requirements. Many businesses pursue both in parallel — ISO 27001 for commercial credibility and DISP for Defence access.

AI deployment considerations for DISP-accredited businesses

This is the section most DISP guides do not yet cover, and the one that is creating the most operational risk for defence industry businesses in 2026. AI tools are everywhere — your team is almost certainly using Copilot, ChatGPT, Claude, or similar tools, whether you have formally approved it or not. For a DISP-accredited business, the question is not whether AI will be deployed, but how to deploy it in a way that does not breach your DISP obligations.

There are five operational realities defence industry businesses need to understand:

Public cloud AI is generally not acceptable for classified or sensitive Defence information

Microsoft 365 Copilot, ChatGPT, Anthropic’s Claude, Google Gemini — these are public cloud AI services. Even with Australian region residency configured, the data handling, model training pipelines, and operational footprint of these services are not aligned with the protective security requirements that apply to classified Defence information. For protected, secret, and higher-classified workloads, public cloud AI is off the table.

This does not mean your DISP-accredited business cannot use AI at all. It means the AI tools used for classified or sensitive Defence work need to be deployed in environments under your direct control — typically self-hosted on infrastructure you operate, with the AI models running locally rather than calling out to external services.

Self-hosted AI is now feasible for the use cases that matter

Open-source large language models (Llama, Mistral, others) can be self-hosted on private infrastructure for the specific use cases where public cloud AI is not acceptable. This was prohibitively expensive in 2023; it is now feasible for businesses with the right scale and the right requirements. For DISP-accredited businesses handling protected or secret information, self-hosted AI inference is increasingly the right architectural pattern. We covered this in our hybrid cloud piece — defence supply chain is one of the few SMB scenarios where hybrid cloud is legitimately justified.

Self-hosted AI requires dedicated GPU infrastructure, model management tooling, and the expertise to operate it. This is not the kind of thing most defence industry businesses build themselves — it is the kind of thing they outsource to an IT provider with the relevant capability.

Shadow AI is a serious DISP compliance risk

If your staff are pasting Defence-related information into ChatGPT or similar tools to get faster results, you have a DISP breach in progress. The data has left your controlled environment, may be retained by the AI provider, and is potentially being used to train future models. For DISP-accredited businesses, this is not a hypothetical risk — it is happening across the defence industry in 2026 and the regulator is starting to notice.

The fix is technical and policy-based. Technical controls (web filtering, endpoint controls, DLP tooling) prevent unsanctioned AI tool usage on devices that handle Defence information. Policy and training make clear which AI tools are approved and for which information classifications. Monitoring and reporting catches violations before they become DISP reportable incidents.
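As an added illustration of the monitoring control described above (example code written for this guide, not tooling from the page or from Epic IT), the following Python scans constructed web-proxy log lines for public AI destinations, applies the rule just stated (no public AI from devices that handle Defence information; only approved tools on the segmented general environment) and grades each hit so the Security Officer can see which ones are reportable. The log format, hostnames, device inventory, AI domain list and 4096-byte bulk-upload threshold are all assumptions for the example.

```python
import re
from collections import Counter
# Constructed table of public cloud AI hostnames to watch; an operator would
# maintain this from their own web-filter categories (assumption, not from the page).
PUBLIC_AI_HOSTS = {"chatgpt.com": "ChatGPT", "claude.ai": "Claude",
                   "gemini.google.com": "Gemini", "copilot.microsoft.com": "Microsoft 365 Copilot"}
APPROVED_GENERAL = {"Microsoft 365 Copilot"}  # sanctioned on non-Defence devices only
# Constructed device inventory: "defence" devices handle Defence information.
DEVICE_ZONE = {"ENG-WS-07": "defence", "ENG-WS-12": "defence", "SALES-LT-03": "general"}
BULK_UPLOAD_BYTES = 4096  # a POST body this large is treated as a bulk paste/upload

LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) method=(?P<method>\S+) "
    r"dest=(?P<dest>\S+) bytes_out=(?P<bytes_out>\d+) action=(?P<action>\S+)$")

def parse_line(line):
    """Parse one key=value proxy log line; None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["bytes_out"] = int(ev["bytes_out"])
    return ev

def classify(ev):
    """Map a parsed event to a finding dict, or None if it is not public AI traffic."""
    tool = PUBLIC_AI_HOSTS.get(ev["dest"].lower())
    if tool is None:
        return None
    zone = DEVICE_ZONE.get(ev["host"], "unknown")  # unknown devices treated as Defence
    if zone != "general":
        # Proxy allowed it: data has left the controlled environment (reportable).
        # Proxy blocked it: still an attempt needing policy and training follow-up.
        sev = "breach" if ev["action"] == "ALLOW" else "attempt"
        reason = f"{tool} from {zone} device"
    elif tool not in APPROVED_GENERAL:
        sev, reason = "policy", f"unapproved {tool} on general device"
    else:
        sev, reason = "info", f"approved {tool} on general device"
    if ev["method"] == "POST" and ev["bytes_out"] >= BULK_UPLOAD_BYTES:
        reason += f", bulk upload of {ev['bytes_out']} bytes"
    return {"ts": ev["ts"], "host": ev["host"], "user": ev["user"],
            "tool": tool, "severity": sev, "reason": reason}

def scan(lines):
    """Parse and classify every log line, skipping malformed and non-AI traffic."""
    return [f for f in (classify(ev) for ev in map(parse_line, lines) if ev) if f]

def summarise(findings):
    """Count findings by severity, the figure a Security Officer would report on."""
    return dict(Counter(f["severity"] for f in findings))

# Constructed sample proxy log (not real traffic).
LOG_LINES = """\
2026-01-12T09:14:02Z host=ENG-WS-07 user=jsmith method=POST dest=chatgpt.com bytes_out=18432 action=ALLOW
2026-01-12T09:15:40Z host=ENG-WS-12 user=akhan method=GET dest=claude.ai bytes_out=0 action=BLOCK
2026-01-12T09:20:11Z host=SALES-LT-03 user=mlee method=POST dest=copilot.microsoft.com bytes_out=812 action=ALLOW
2026-01-12T09:22:05Z host=SALES-LT-03 user=mlee method=POST dest=gemini.google.com bytes_out=2048 action=ALLOW
2026-01-12T09:25:30Z host=ENG-WS-07 user=jsmith method=GET dest=intranet.example.local bytes_out=0 action=ALLOW""".splitlines()
```

Running `scan(LOG_LINES)` on the sample yields one breach (a bulk paste to ChatGPT from a Defence workstation), one blocked attempt, one approved Copilot use and one unapproved Gemini use on the general laptop; in practice the same logic would run over the web filter's export rather than an embedded sample.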

AI governance frameworks must align with DISP requirements

The AI governance landscape in Australia includes ISO 42001, the NIST AI Risk Management Framework, and Australia’s Guidance for AI Adoption (GfAA). DISP-accredited businesses should be applying one of these frameworks to their AI deployment, mapped explicitly to their DISP cybersecurity and information handling requirements. Vague answers about “responsible AI” are not sufficient — the framework needs to be named, documented, and operationally implemented.

AI capability is now a procurement question Defence is starting to ask

Defence procurement is beginning to include questions about contractors’ AI deployment posture — how they handle AI in their own operations, how they protect Defence information from AI-related leakage, what governance frameworks they apply. DISP-accredited businesses that can answer these questions specifically and credibly are advantaged in procurement; those that cannot are increasingly at risk of being excluded from tenders.

What the DISP application process involves

The DISP application is submitted through the Defence Industry Security Office (DISO) portal. The process typically involves:

Initial self-assessment — your business assesses its current security posture against DISP requirements across all four domains and identifies gaps.

Security Officer appointment — a suitable person is nominated as Security Officer. They must be an Australian citizen, meet the clearance requirements for the tier sought, and complete DISP Security Officer training.

Documentation development — security policies, procedures, risk management plans, and physical security assessments are developed and documented to DISP standards.

Application submission and assessment — DISO reviews the application, may conduct site visits, and assesses whether your controls meet the requirements for the tier sought.

Ongoing compliance — once granted, DISP membership requires annual self-assessments, notification of security incidents, and ongoing management of personnel clearances and physical security controls.

Timeline varies significantly by tier and applicant complexity. Entry-level membership can be achieved in two to four months for well-prepared organisations. Higher tiers involving facility clearances and personnel clearances can take six to twelve months or more, partly dependent on AGSVA clearance processing times.

The role of an IT provider in DISP accreditation

IT providers play a critical role in the cybersecurity domain of DISP — often the domain where businesses have the most gaps. A managed IT provider with DISP experience can assist with:

The AI deployment capability is the newest part of this picture and the one most IT providers are not yet equipped to deliver. If your IT provider cannot speak specifically to self-hosted AI for defence workloads, shadow AI controls, and AI governance framework implementation, they are operating at a 2024 standard while DISP-accredited businesses now need 2026 capability.

Epic IT supports Perth businesses pursuing DISP accreditation through our managed cybersecurity services, Essential Eight implementation, and AI deployment and governance practice. Our team understands the intersection of DISP requirements, Essential Eight, ISM, and the emerging AI considerations — and can help you build a security programme that satisfies all of them without duplicating effort.

Contact us on 1300 EPIC IT to discuss your DISP accreditation requirements and get a clear picture of where your business stands.

Frequently asked questions

What is DISP accreditation and who needs it?
DISP (Defence Industry Security Program) is the Australian Government’s framework for managing security across the Defence supply chain. Any business seeking to work with the Department of Defence on contracts involving classified or sensitive information, assets, or capabilities needs DISP accreditation. Without it, you cannot access classified information, hold facility clearances, or participate in most significant Defence procurement.
What are the four domains of DISP?
Governance (security policies, risk management, Security Officer accountability), Personnel security (clearances and vetting), Physical security (facilities and asset protection), and Information and cybersecurity (technical controls, ISM alignment, Essential Eight-equivalent cyber posture). All four must be implemented to DISP-required standards for the membership tier sought.
How does DISP relate to the Essential Eight?
DISP cybersecurity requirements align closely with ASD Essential Eight Maturity Level 1 to 2 for Entry and Baseline membership. Businesses already pursuing Essential Eight compliance will find the DISP cybersecurity domain largely covered, though additional documentation, governance, and Defence-specific requirements still apply.
How long does DISP accreditation take?
Entry-level DISP membership typically takes two to four months for well-prepared organisations. Higher tiers (NV1, NV2) involving facility clearances and personnel clearances can take six to twelve months or longer, with AGSVA clearance processing being a common bottleneck.
What is a DISP Security Officer?
The Security Officer is the designated person accountable for your organisation’s DISP compliance and the primary point of contact with Defence. They must be an Australian citizen, hold or be eligible for the security clearance required by your DISP tier, complete DISP Security Officer training, and have authority within the organisation to ensure security controls are implemented and maintained.
Can an MSP help with DISP accreditation?
Yes — particularly with the Information and cybersecurity domain, where most businesses have the largest gaps. An MSP with DISP experience can deliver Essential Eight controls, document policies, implement ongoing monitoring, support annual self-assessments, and increasingly handle AI deployment architecture for defence environments (self-hosted AI, shadow AI controls, AI governance framework implementation). The governance, personnel, and physical domains typically require involvement from the business’s leadership and security team alongside the MSP’s technical work.
Does DISP membership need to be renewed?
DISP membership is not a one-time grant. It requires annual self-assessments demonstrating continued compliance, notification of security incidents and material changes, ongoing management of personnel clearances, and the maintenance of all required controls. DISO may also conduct periodic reviews or site visits to verify ongoing compliance.
Can we use Microsoft 365 Copilot if we are DISP-accredited?
Generally yes for unclassified business operations and no for classified or sensitive Defence information. Copilot is a public cloud AI service and even with Australian region residency does not meet the protective security requirements for classified workloads. The practical approach is a segmented deployment — Copilot enabled for general business productivity, with strict policy and technical controls preventing it from accessing Defence-classified data and content stores. This requires careful architecture and is one of the engagements an experienced defence-aware MSP can deliver.
What about AI tools like ChatGPT for our DISP-accredited business?
Treat public AI tools the same way you treat any other unsanctioned data export — block them on devices that handle Defence information, allow them only on segmented environments handling non-Defence work, and combine with policy and training to make clear what is and is not acceptable. For business functions that genuinely require AI capability on Defence-related work, the right architecture is typically self-hosted AI inference on infrastructure you control, not a different public AI provider.

Pursuing DISP accreditation?

Epic IT helps Perth defence industry businesses build the cybersecurity foundations required for DISP membership — from Essential Eight implementation through to ISM alignment, AI deployment architecture, and ongoing compliance management. Book a free assessment to understand where your business stands and what the path to DISP looks like.


About the Author
Written by Chris Arceo, Cyber Security Officer at Epic IT, a CRN Fast50-recognised managed IT services provider in Perth. Chris holds a Bachelor of Science in Information Technology (Network Administration) and over a dozen active certifications including CompTIA Security+, Cisco CCNA, and specialist qualifications across Datto, Sophos, Kaseya, and ConnectWise platforms.
