
DISP Membership: Level 1 vs Level 2 — Which Do You Actually Need?

Tech Blaze Consulting | December 2025

The Defence Industry Security Program (DISP) is the gateway to working with the Australian Department of Defence on contracts that involve access to classified or security-sensitive information, assets, or capabilities. Every organisation that wants to participate in the Australian defence supply chain at anything above the most basic level needs DISP membership — but choosing the right level is a decision that many organisations get wrong, in both directions.

Over-scoping — applying for a higher DISP level than your contracts require — wastes time, money, and management attention on security controls you do not need. Under-scoping — applying for too low a level — means you hit a ceiling the moment a contract requires access to PROTECTED information, forcing an upgrade process that can take months.

This article provides a practical comparison of DISP Level 1 and Level 2 (the two levels relevant to the vast majority of defence industry participants), explains the security requirements at each level, and helps you determine which level aligns with your actual contract needs.

Understanding the DISP Level Structure

The DISP operates across four membership levels, each corresponding to increasingly sensitive activities and information classifications:

  • Level 1 — Access to OFFICIAL and OFFICIAL:Sensitive information. The entry point for most defence suppliers.
  • Level 2 — Access to PROTECTED information. Required for contracts involving classified material at the PROTECTED level.
  • Level 3 — Access to SECRET information. Significantly more demanding security requirements, including specific physical security zones.
  • Level 4 — Access to TOP SECRET information. The highest level, with the most stringent requirements across all security domains.

In practice, Level 1 and Level 2 cover the vast majority of defence industry participants. Level 3 and Level 4 are relevant to a smaller number of entities working on highly sensitive programs. This article focuses on the Level 1 vs Level 2 decision, which is the most common question I encounter when advising defence industry clients.

Important clarification: DISP membership levels are not a progression. You do not need Level 1 before applying for Level 2. You apply for the level that matches your contract requirements. If your contracts require PROTECTED access from day one, apply for Level 2 directly.

Level 1 vs Level 2: Detailed Comparison

The table below compares the key requirements and capabilities at each level.

| Dimension | Level 1 | Level 2 |
|---|---|---|
| Classification access | OFFICIAL and OFFICIAL:Sensitive information only | Up to and including PROTECTED information |
| Contract types | Defence contracts involving unclassified or OFFICIAL:Sensitive material, supply chain participation, non-sensitive defence projects | Contracts requiring access to PROTECTED material, classified briefings, sensitive defence programs, and projects requiring personnel security clearances |
| Personnel security | Baseline Vetting (employment suitability) for personnel accessing OFFICIAL:Sensitive material. No security clearance requirement. | Baseline Vetting as a minimum. Negative Vetting 1 (NV1) or higher clearances for personnel accessing PROTECTED material. Sponsor clearance applications through AGSVA. |
| ICT security | Demonstrate basic ICT security controls. Essential Eight at Maturity Level 2 is the expected baseline. Self-assessment may be acceptable. | Robust ICT security controls. Essential Eight at Maturity Level 2 minimum, with ML3 increasingly expected. Independent assessment (IRAP) typically required for systems processing PROTECTED information. |
| Physical security | Standard commercial security measures. No specific zone requirements. | Security zones compliant with PSPF requirements for handling PROTECTED material. May require a Security Zone 3 or higher, depending on the nature of the material. |
| Governance | Documented security policy. Designated security officer. Basic security awareness for staff. | Comprehensive security governance framework. Company Security Officer (CSO) with defined authority. Security awareness program. Incident response plan. Regular security reviews. |
| Audit and assurance | Self-assessment against DISP requirements. Defence may conduct compliance checks. | Defence conducts security assessments. IRAP assessment may be required for ICT systems. Regular compliance monitoring by the Defence Industry Security Office (DISO). |

Cost and Effort: What Each Level Actually Requires

Level 1: The Entry Point

Level 1 is designed to be achievable for small and medium enterprises entering the defence supply chain. The security requirements are proportionate to the sensitivity of the information being accessed (OFFICIAL:Sensitive at most).

Typical effort and cost considerations:

  • ICT security: Essential Eight at ML2 is the expected baseline. If you are already running a reasonably mature IT environment, you may be close. A formal E8 assessment costs $15,000-$30,000 depending on environment complexity.
  • Governance documentation: You need a security policy, incident response plan, and staff awareness program. For an organisation starting from scratch, budget 2-4 weeks of effort to develop these.
  • Personnel: Baseline Vetting for relevant staff. This is a background check, not a security clearance. Processing time is typically 4-8 weeks through AGSVA.
  • Physical security: Standard commercial premises security. No specific government-mandated zone requirements.

Level 2: The Step Up

Level 2 is a material increase in cost and complexity. The requirements reflect the sensitivity of PROTECTED information, which is the highest classification below SECRET.

Typical additional effort and cost over Level 1:

  • ICT security: An IRAP assessment is typically required for systems processing PROTECTED information. This is a significant investment: $40,000-$100,000+ depending on system complexity. Essential Eight at ML2 minimum, with ML3 increasingly the expectation for PROTECTED systems.
  • Personnel security clearances: NV1 clearances for personnel accessing PROTECTED material. Processing time is currently 3-6 months through AGSVA, and your organisation must be approved as a clearance sponsor.
  • Physical security: Security zones that meet PSPF requirements for PROTECTED material. This may require purpose-built secure rooms, access control systems, intrusion detection, and approved storage containers. Fit-out costs range from $50,000 to $300,000+ depending on existing facilities.
  • Governance: Significantly more mature governance framework. A designated Company Security Officer with defined authority and training. Regular security reviews and compliance reporting.

Cost reality check: For a small-to-medium enterprise, the total cost of achieving Level 2 membership (including physical security fit-out, IRAP assessment, clearance processing, and governance development) can range from $150,000 to $500,000. This is a significant investment that must be justified by the value of the contracts you intend to pursue. Do the business case before you start the application.

How to Determine Which Level You Need

The answer depends entirely on the contracts you are pursuing or expect to pursue. Here is a practical decision framework:

Start with Level 1 if:

  • Your current and near-term contracts involve OFFICIAL or OFFICIAL:Sensitive information only.
  • You are a supply chain participant providing goods or services that do not require access to classified material.
  • You are entering the defence market and building a track record before pursuing more sensitive work.

Apply for Level 2 if:

  • Your contracts explicitly require access to PROTECTED information.
  • You are a prime contractor or key subcontractor on a program that processes classified material.
  • The Request for Tender (RFT) specifies DISP Level 2 or PROTECTED information handling as a requirement.
  • You need to sponsor personnel for NV1 security clearances.

Upgrade from Level 1 to Level 2 if:

  • You have won or are bidding on a contract that requires PROTECTED access.
  • A prime contractor has indicated that your role in the supply chain will require PROTECTED information handling.
  • Your business strategy involves moving into more sensitive defence work.

Common Mistakes

Over-scoping: Applying for Level 2 "just in case"

Some organisations apply for Level 2 because they think it makes them more competitive or because a business development contact suggested it. Level 2 carries real cost and ongoing compliance obligations. If your contracts do not require it, you are spending money and management attention on capabilities you do not need. Level 1 membership does not make you a second-class defence supplier — it makes you right-sized for your current work.

Under-scoping: Applying for Level 1 when contracts require Level 2

The opposite mistake is applying for Level 1 to minimise cost, then discovering that a key contract requires PROTECTED access. Upgrading from Level 1 to Level 2 is not instant — it involves physical security upgrades, IRAP assessment, clearance sponsorship, and DISO assessment. This can take 6 to 12 months, during which you cannot fulfil the contract requirement.

Treating DISP as a one-time exercise

DISP membership is not a certificate you receive and file away. It carries ongoing compliance obligations: maintaining security controls, keeping governance documentation current, ensuring personnel clearances remain valid, and cooperating with DISO assessments. Organisations that achieve membership and then let their security posture degrade risk losing their membership — and with it, their ability to work on defence contracts.

Ignoring the ICT security requirements

Many applicants focus on physical security and personnel clearances and underestimate the ICT security requirements. At Level 2, your ICT systems processing PROTECTED information will likely require an IRAP assessment. This is not a checkbox — it is a rigorous, control-by-control evaluation against the ISM. Start ICT security remediation early in the application process, not after DISO flags it.

The Application Process and Timeline

The DISP application process involves several stages:

  1. Application submission — Complete the DISP application through the Defence Industry Security Portal. This involves providing company details, the level of membership sought, and the nature of the defence work.
  2. Eligibility assessment — Defence reviews your application to confirm eligibility. For Level 2, this includes confirming that you have a legitimate need for PROTECTED access.
  3. Security assessment — DISO assesses your security posture against the requirements for the requested level. This may involve on-site assessment, document review, and interviews with key personnel.
  4. Gap remediation — If DISO identifies gaps, you are given an opportunity to remediate them. The time this takes depends on the nature of the gaps.
  5. Membership approval — Once DISO is satisfied that you meet the requirements, membership is granted.

Timeline expectations: Level 1 membership can typically be achieved in 3 to 6 months, assuming your security posture is reasonably mature. Level 2 membership takes 6 to 12 months due to the additional requirements for physical security, IRAP assessment, and clearance processing. If you are building a secure facility from scratch, add 3 to 6 months for fit-out. Start the process well before you need the membership for a specific contract.


About the Author

Tech Blaze Consulting is a Canberra-based cybersecurity consultancy specialising in IRAP assessments, Essential Eight maturity assessments, and security advisory for defence industry clients. Founded by an endorsed IRAP assessor with over 20 years of GRC experience.

When you engage Tech Blaze, you work directly with the assessor — no account managers, no junior analysts, no handoffs.


This article is general guidance only and does not constitute formal advice on DISP membership requirements. Requirements may change — consult Defence and DISO for the most current guidance.
