The Defence Industry Security Program (DISP) sets out security requirements for Australian businesses working with Defence. We specialise in technical security control implementation: the ICT infrastructure, Essential Eight uplift, and system hardening that DISP membership requires. We deliver this in partnership with DeStefano and Co, a South Australian information security firm, who handle the advisory, compliance framework, and submission side of the engagement.
South Australia has a significant and growing defence industry. From ASC to SAAB to the many small and medium businesses in the supply chain, DISP membership is increasingly a commercial requirement, not just a regulatory one. We work with DeStefano and Co, a South Australian information security firm with deep DISP expertise, to deliver both the technical and advisory dimensions of DISP compliance.
DISP is a tiered programme. The technical controls (ICT infrastructure, system hardening, Essential Eight alignment) are our scope. The security management framework, compliance advisory and DSV engagement are handled by our partner, DeStefano and Co. Together we cover the whole programme.
The advisory, security management framework, physical security, personnel security and DSV submission side of DISP engagements is handled by our partner DeStefano and Co, a defence-focused security consultancy with specific DISP expertise and multiple industry awards. We focus on what we're best at; they focus on what they're best at.
DISP sits naturally alongside Essential Eight compliance, and many of the technical controls overlap. Our vCISO service can maintain the ICT security programme under a single ongoing engagement.
DeStefano and Co lead the compliance advisory and DSV engagement. We lead the technical control implementation. In practice, the two workstreams run in parallel; one team doesn't wait for the other.
In collaboration with DeStefano and Co, we assess your ICT environment against the technical controls required for your target DISP tier: Essential Eight maturity, network architecture, endpoint configuration. You receive a clear gap report and implementation plan before any work begins.
We implement the ICT security controls: Essential Eight hardening, network segmentation, access management, logging and monitoring, patch management. This is hands-on implementation, carried out alongside the DeStefano team working on the framework and compliance side.
After membership is achieved, the technical controls need to be maintained. We provide ongoing monitoring, evidence collection, and ICT security management to keep your environment compliant, so membership isn't just achieved once; it stays current.
If you are, or want to become, a supplier to the Australian Department of Defence and you handle defence information or assets, DISP membership is likely required. The obligation is triggered by the nature of the work and the classification of information involved, not just the size of the contract. If you're uncertain whether DISP applies to you, we can help you assess that as a first step.
DISP is tiered. The controls required depend on your membership tier (Associate, Baseline, NV1 or NV2). At minimum, DISP requires a security management framework, personnel security procedures, physical security controls, and an ICT security programme aligned to the ISM (Information Security Manual). Higher tiers require increasingly rigorous controls and may involve facility clearances and personnel vetting. We assess your target tier and design a programme around those specific requirements.
Associate membership is achievable in two to four months for a business that's reasonably well-organised. Baseline and higher tiers require more extensive security programmes and can take six to twelve months or longer, depending on your starting point. The timeline is also affected by Defence's current processing queue. We give you a realistic estimate based on your target tier and current security posture.
Talk to us about the ICT controls side of DISP. We'll assess where your environment sits, scope the technical uplift required, and coordinate with DeStefano and Co on the broader programme.