If you run a South Australian business and you have ever looked seriously at defence work, you have probably come across four letters that keep appearing in tender documents: DISP. It tends to arrive without much explanation, usually as a line item in the eligibility criteria, and it can feel like a closed door if you do not know what sits behind it. The good news is that it is a well-defined program, the requirements are knowable, and plenty of small and medium businesses get through it every year.
This is a plain-English walk through what DISP is, what it actually assesses, and a sensible way to approach it. I am writing it because the questions we get asked most often are the same handful, and they are easy to answer once you see how the program is structured.
What DISP is and why it matters
DISP stands for the Defence Industry Security Program. It is run by the Australian Department of Defence, and it sets out the security standards a business is expected to meet in order to work with Defence or to operate inside the defence supply chain. The idea is straightforward enough: Defence needs confidence that the organisations handling its information and assets can protect them properly, so it has a structured program that businesses join to demonstrate that.
What has changed over the last few years is how often DISP membership appears as a gate rather than a nice-to-have. More tenders and contracts now name it as a condition of eligibility, which means that for a growing number of businesses, you simply cannot bid for the work without it. That includes plenty of SMEs who are not prime contractors but sit somewhere in the supply chain, supplying components, services, or specialist expertise to the larger defence primes. If your growth plans point towards defence work, DISP is likely to become part of the conversation sooner rather than later.
The four domains DISP assesses
DISP looks at security across four domains. It helps to see all four up front, because the program is broader than just IT.
- Governance. The security management framework that sits over your business: policies, responsibilities, risk management, and the structures that show security is actually being run rather than assumed.
- Personnel. How you manage the people side of security, including vetting, clearances where they apply, and the procedures around staff who handle sensitive information.
- Physical security. The controls that protect your premises and the physical assets and information held there, such as access control and secure storage.
- ICT and cyber security. The technical controls protecting your systems and data, aligned to the Information Security Manual. This is the domain where most SMEs find the heaviest technical lift, because it is the most hands-on and the most detailed.
A common misconception is that DISP is purely a cyber exercise. It is not. Governance, personnel, and physical security each carry their own requirements. But for most businesses the ICT and cyber domain is where the bulk of the build work lands, which is exactly why it pays to plan for it early.
The membership levels
DISP is tiered. There are four membership levels: Entry Level, Level 1, Level 2 and Level 3. The requirements scale up as you move through them, in line with the sensitivity of the work and the classification of information you will handle. A business doing lower-sensitivity work has a lighter set of obligations than one handling highly classified material, and the program is designed to reflect that rather than apply a single standard to everyone.
Most businesses begin at Entry Level or Level 1. That is usually the right place to start, because your level should match what you will actually be handling, not where you might end up in five years. Picking the correct target level at the outset matters, since it shapes everything that follows. Aim too high and you take on requirements you do not yet need. Aim too low and you may find yourself short of what a contract demands. Clarifying the right level for your situation is one of the first things worth nailing down.
Where the real work is: the technical controls
For the ICT and cyber domain, the practical news is that the controls map closely to a framework many Australian businesses already know: the ACSC Essential Eight. If you have already done Essential Eight uplift work, you are not starting from scratch, because that work feeds directly into DISP readiness.
In concrete terms, the technical side covers the kind of controls that show up again and again in good security practice:
- Multi-factor authentication across email and remote access.
- Patching of operating systems and applications on a sensible cadence.
- Application control, so only approved software runs.
- Restricting administrative privileges to the people who genuinely need them.
- System hardening of endpoints and infrastructure.
- Security logging and monitoring, so events are captured and can be reviewed.
- Backups that are tested and can be relied on.
This is the part InterIntra builds. We focus on the technical control implementation: the ICT infrastructure, the Essential Eight uplift, the endpoint and network hardening, and the logging and monitoring that the program expects. It is detailed work, but it is well-trodden ground, and it is the same discipline that underpins solid security regardless of whether Defence is in the picture.
Why a joint approach works
Here is the honest picture of how DISP gets delivered. The program spans two quite different kinds of work. On one side there is security consulting: the governance framework, personnel security, physical security, and the membership application itself. On the other there is hands-on technical implementation: building and hardening the systems. These call for different expertise, and trying to stretch one team across both rarely serves a client well.
That is why we run DISP as a joint engagement. InterIntra delivers the ICT and cyber technical controls, and we partner with De Stefano & Co, a specialist defence security consultancy, who lead the membership process and the governance, personnel, and physical domains. De Stefano guides the application and the non-technical side; we build and harden the technical environment. The two teams work in parallel rather than in sequence, so you get the membership guidance and the technical build from one coordinated engagement rather than having to assemble it yourself. You can read more about how that works on our DISP alignment service page.
What to expect on timing
The technical preparation typically takes around 12 weeks, assuming the work is well coordinated and your business can provide the information the teams need without long delays. That figure covers the uplift and the build, not the entire journey to membership.
The important caveat is that the total time to membership also depends on Defence's own processing, which sits outside any provider's control. We cannot promise a Defence approval date, and you should be wary of anyone who does. What we can say is that the earlier you start the technical groundwork, the smoother the whole thing runs. If a tender with a DISP requirement is on the horizon, begin sooner than feels necessary, because the lead time is real and it is far easier to be ready and waiting than to be racing a deadline.
A realistic close
DISP can look intimidating from the outside, but it is achievable for SMEs with the right help. The program is structured, the requirements are knowable, and the technical domain in particular is built on controls that are good practice anyway. If there is one thing worth taking from this, it is that the earlier you start the technical groundwork, the smoother the path to membership. If you are weighing up defence work and want to understand where your environment sits today, our cyber security team is a sensible place to begin.
