Small and medium enterprises competing for Department of Defence contracts hit a hard wall when faced with the Defence Industry Security Program (DISP). Winning the contract is only half the battle. Unless you secure the right level of DISP membership, you cannot handle Defence data, access their facilities, or participate in the supply chain.
The program enforces strict governance, personnel, physical, and cyber security standards. For a small business, adopting these controls feels disproportionate to your current operations. Yet, DISP compliance is an unavoidable entry fee for Defence work. We regularly see small contractors stumble by underestimating the implementation effort or over-engineering their controls.
Here is what actually happens during the DISP compliance process, from selecting your membership level to surviving the ongoing audits.
Key DISP Membership Categories and Requirements
Your DISP membership tier dictates your security obligations. Do not aim higher than necessary. Choose your level based entirely on the specific requirements of the Defence contracts you intend to pursue.
Entry Level is the baseline for supplying non-classified goods and services. It requires foundational security policies and the appointment of a Chief Security Officer (CSO) and Security Officer (SO). These can be the same person in a small enterprise, but they must hold Australian citizenship and undergo vetting.
Entry Level establishes your security culture without demanding heavy capital expenditure.
Level 1 (OFFICIAL/OFFICIAL: Sensitive) introduces stringent technical controls. At this tier, you must implement the ACSC Essential Eight.
For many SMEs, this is the breaking point. Implementing application control and enforcing multifactor authentication across legacy systems will rigorously test your IT budget.
Level 2 (PROTECTED) and Level 3 (SECRET) scale these requirements exponentially. Level 2 mandates an IRAP assessment for your ICT systems and complex physical security controls for your facilities. Only pursue these tiers if you have a contract that explicitly demands them and funds the compliance overhead.
Practical advice: Upgrading your membership later is far easier than maintaining a PROTECTED environment without the revenue to support it. Start small.
Preparing Your Business for DISP Certification
Certification requires proving your security posture operates as documented. Defence conducts a thorough review of your security policies and evidence before granting membership.
Your first priority is appointing your CSO and SO. They require baseline security clearances.
The clearance process currently takes between 3 to 6 months. Submit these applications immediately. They will bottleneck your entire DISP application if you delay.
Next, develop your Security Policies and Plans. Do not copy generic templates off the internet. Defence assessors spot templated responses instantly.
Your Security Risk Management Plan (SRMP) must reflect the actual risks to your specific facilities and systems. If you run a small machine shop, your physical security risks look very different from a software development house. Document what you actually do. If you need help tailoring your approach, consider our DISP readiness assessment to map out a realistic path forward.