DISP Readiness Assessment
Achieve Defence Industry Security Program membership with confidence. Expert guidance from an endorsed IRAP Assessor with direct experience preparing Australian defence industry organisations for DISP compliance.
What Is the Defence Industry Security Program (DISP)?
The Defence Industry Security Program (DISP) is Defence's framework for managing security risks within the defence industry supply chain. Administered by the Defence Industry Security office, DISP establishes the security requirements that organisations must meet to work with Defence on contracts involving sensitive information, assets, and capabilities.
DISP membership is not optional for many defence contracts. If your organisation handles, stores, or processes Defence information at government security tiers or above, or if you require personnel with security clearances, DISP membership is a prerequisite. Increasingly, prime contractors are also requiring DISP membership from their subcontractors as a condition of supply chain participation.
The program is aligned to the Defence Security Principles Framework (DSPF), which maps to the Australian Government's Protective Security Policy Framework (PSPF) and the Information Security Manual (ISM).
Why DISP Matters
- Market Access: The Australian defence sector is one of the fastest-growing segments of the national economy. Organisations with DISP membership are positioned to access this market. Those without are locked out.
- Trust Signal: DISP membership signals to Defence and prime contractors that your organisation takes security seriously and meets Defence expectations.
- Security Foundation: DISP governance, personnel security, and information security requirements align closely with other Australian Government security frameworks, including the ISM and the Essential Eight.
DISP Membership Levels
DISP membership is structured across three levels, each with progressively more stringent security requirements. The level you need depends on the nature of the work and the sensitivity of the information you will handle.
Level 1: Governance
Entry point for DISP membership. Appropriate for organisations that need to demonstrate baseline security governance but do not require personnel security clearances or the ability to handle sensitive information.
Key Requirements
- Documented security policy and security plan aligned to DSPF requirements, endorsed by senior leadership
- Designated security officer responsible for managing security obligations under DISP
- Security awareness program ensuring all staff understand their obligations
- Established procedures for reporting security incidents to Defence
- Baseline cyber security arrangements consistent with the Essential Eight and relevant ISM controls
Level 1 membership does not permit the organisation to handle sensitive information or sponsor personnel for security clearances.
Level 2: Governance & Personnel Security
Builds on Level 1 by adding personnel security obligations. Required for organisations whose staff need security clearances to perform Defence work.
Key Requirements
- Formal procedures for managing the lifecycle of security clearances, including sponsorship and cessation
- Pre-employment screening processes including identity verification and referee checks
- Security briefing and debriefing procedures for personnel access
- Foreign travel and contact reporting processes in accordance with DSPF requirements
- Procedures for identifying and reporting personnel security concerns
Level 2 permits sponsoring personnel for security clearances and accessing sensitive information up to the authorised level.
Level 3: Governance, Personnel & Physical Security
The highest DISP membership level with the full suite of security obligations. Required for organisations that need to store, process, or discuss sensitive information on their own premises.
Key Requirements
- Premises meeting Defence physical security requirements for sensitive information handling
- Appropriate security containers for storage of sensitive hardcopy material
- Designated security zones with access controls, visitor management, and signage
- ICT systems processing sensitive information must comply with ISM requirements (typically requiring IRAP assessment)
- Subject to physical security inspections by Defence for ongoing compliance verification
Level 3 permits storing, processing, and discussing sensitive information at your own premises.
The DISP Application Process
Applying for DISP membership involves a structured series of stages. Simple Level 1 applications may be processed within 4-8 weeks. Level 2 and Level 3 applications may take 3-6 months or longer.
Self-Assessment
Assess your current security posture against the requirements for your target DISP level and identify gaps.
Remediation
Address gaps — write policies, establish procedures, implement physical security upgrades, and deploy technical controls.
Application
Submit a DISP membership application through the Defence Industry Security portal with supporting evidence.
Assessment by Defence
The Defence Industry Security office reviews the application, assesses evidence, and may conduct interviews or site inspections.
Decision
Defence approves, conditionally approves, or refuses the application. Conditional approval may require addressing specific deficiencies.
Ongoing Compliance
Maintain compliance, report changes in circumstances, and participate in periodic reviews and inspections.
Our Approach to DISP Readiness
End-to-end DISP readiness services — from initial gap assessment through to application submission and ongoing compliance support. Structured, practical, and designed to get your organisation to DISP membership as efficiently as possible.
DISP Gap Assessment
Comprehensive assessment against your target DISP membership level.
- Security policy, procedure, and governance document review against DSPF requirements
- Information and cyber security assessment against ISM and Essential Eight
- Personnel security process review (Level 2+) including clearance management
- Physical security assessment (Level 3) including zone management and storage
- Stakeholder interviews with security officer, IT, HR, and senior leadership
Deliverable: DISP Readiness Report with gap analysis, risk ratings, actionable recommendations, and estimated remediation timeline.
Remediation Planning & Support
Structured roadmap for achieving compliance — not just a gap list.
- Tailored security governance framework development (policies, plans, procedures)
- Security officer training on DISP obligations and Defence engagement protocols
- Essential Eight uplift program targeting required maturity level
- Personnel security procedures, templates, and reporting frameworks (Level 2+)
- Physical security advisory and coordination with specialist providers (Level 3)
- DSPF-aligned security awareness training program for all staff
Application Support
Preparation and quality assurance for your DISP membership application.
- Compile all required supporting evidence and documentation
- Pre-submission review to ensure the application meets Defence expectations
- Prepare security officer and leadership for Defence interviews or inspections
- Quality assurance checkpoint before submission
Ongoing Compliance Support
Retained advisory services to maintain your DISP membership post-approval.
- Annual security policy and procedure reviews
- Essential Eight maturity reassessments
- Security awareness training refreshers
- Support for Defence inspections and audits
- Advisory on changes in DISP requirements or DSPF updates
- Clearance management advisory for new sponsorships and cessations
The Connection Between DISP and IRAP
Many organisations pursuing DISP membership — particularly at Level 3 — also require an IRAP assessment. DISP Level 3 members who operate ICT systems processing sensitive information must demonstrate that those systems comply with the ISM. An IRAP assessment is the established mechanism for demonstrating that compliance.
As an endorsed IRAP Assessor, Tech Blaze is uniquely positioned to support organisations that need both DISP membership and IRAP assessment. We understand how these two frameworks interact and can coordinate both workstreams efficiently, reducing duplication of effort and ensuring consistency.
We maintain appropriate independence boundaries in relation to any subsequent IRAP assessment, following published guidance on assessor independence to ensure the integrity of the assessment process.
Common DISP + IRAP Scenarios
- Sensitive ICT Systems: Networks or systems processing information at the Comprehensive level or above typically require IRAP assessment.
- Cloud Environments: Hosting Defence information in a cloud environment may require IRAP assessment depending on the security tier.
- System Changes: Significant changes to existing sensitive systems (upgrades, migrations, architectural changes) may require reassessment.
Why Choose Tech Blaze for DISP Readiness?
A combination of technical depth, hands-on experience, and a direct engagement model that larger consultancies cannot match.
Endorsed IRAP Assessor
Our principal consultant is an endorsed IRAP Assessor with deep expertise in the ISM and Australian Government security frameworks. We understand how DISP connects to the broader security ecosystem, including the PSPF, the ISM, the Essential Eight, and the SOCI Act.
Direct Engagement Model
You work directly with the assessor. No account managers, no junior analysts, no handoffs. Faster decisions, clearer communication, and expert-level guidance in every interaction.
Deep Expertise
Our principal consultant holds CISA, CISM, Azure Security Engineer Associate, TOGAF, and SABSA certifications, with extensive experience across IT security, enterprise architecture, and government compliance.
Practical, Not Theoretical
Every deliverable is tailored to your organisation. Our gap assessments identify real gaps, our remediation plans are actionable, and our policies are written for your people to actually follow.
Ready to Get Started?
If your organisation needs DISP membership — or if you are unsure whether DISP applies to your situation — we are here to help. Our initial consultation is a straightforward, no-obligation discussion where we assess your requirements and provide an honest view of the effort involved.
You will speak directly with an endorsed IRAP Assessor from the first conversation. No sales pitch — just expert guidance tailored to your situation.