
DISP Demystified: what it is, who needs it, and how to be DISP-ready


TL;DR

  • Australia's defence industry supports 63,500 jobs and contributes nearly A$12 billion to the economy, and security expectations are rising in step with that growth.

  • Membership is mandatory for organisations handling classified information, weapons or munitions, security services for Defence facilities, or where required by contract.

  • DISP covers four domains: security governance, personnel security, physical security, and information and cyber security.

  • If your organisation touches the Defence supply chain, check whether a contract or tender requires DISP before you bid.

DISP is the security gateway for Australia's defence industry, and more contractors are required to hold membership than many realise. If your organisation handles Defence information, provides security services, or is named in a Defence contract, DISP membership is not optional. Here is what it means, who it applies to, and what being DISP-ready actually requires.

Why DISP exists and why it matters now

Australia's defence sector is expanding rapidly. Investments under AUKUS and the growth of the domestic defence industrial base mean more private organisations are engaging with the Department of Defence than ever before. With that expansion comes a sharp increase in security risk across the supply chain.

The Defence Industry Security Program (DISP) is the government’s response. Administered by the Department of Defence, DISP gives Defence a structured, auditable way to assess whether its private-sector partners can be trusted with sensitive information, systems, and assets.

DISP sits within the broader Defence Security Principles Framework (DSPF) and is not a one-off certification. It requires organisations to demonstrate ongoing security maturity across four domains, with requirements that scale based on the sensitivity of the information handled.

What is DISP?

DISP is a membership program for Australian businesses that work with, or seek to work with, the Department of Defence. It provides a standardised framework for assessing and managing security risk across the private sector partners Defence relies on.

Membership signals to Defence, prime contractors, and partners that your organisation has the right governance, personnel, physical, and cyber security controls in place to protect sensitive Defence information and assets. In practice, it is increasingly a prerequisite for winning and retaining Defence contracts.

DISP is not a tick-box certification you achieve once and forget. It is an ongoing assurance program with annual reporting obligations, periodic reviews, and requirements that increase in complexity as your membership level rises. Organisations that treat it as a one-time exercise typically struggle to maintain compliance, because the evidence of continuous assurance and sustained security maturity across all domains has to be kept current.

Who needs DISP membership?

DISP membership is mandatory for any Australian business that meets one or more of the following criteria:

  • Handles classified Defence information (at any classification level)
  • Works with weapons, munitions, or controlled technology
  • Provides security services for Defence facilities or projects
  • Is required by contract or tender to hold DISP membership

Beyond mandatory cases, DISP membership is also strongly recommended for organisations that:

  • Are bidding on Defence contracts where security assurance is evaluated
  • Work as subcontractors to DISP-member primes
  • Manage information technology systems that store or process Defence data

DISP is open to any Australian business, from small consultancies to major defence contractors. The entry point is often more accessible than many assume: the Entry Level is designed for organisations that do not require access to classified information but still handle sensitive, unclassified material.

What does "DISP-ready" actually mean?

"DISP-ready" is a term that gets used loosely, but in practice it means your organisation can demonstrate measurable security maturity across all four DISP domains before your formal assessment:

  1. Security governance — Documented security policies, clear ownership, and leadership accountability for protecting Defence information
  2. Personnel security — Background checks, security clearances (where required), and insider-threat awareness processes for anyone with access to Defence information
  3. Physical security — Access controls, restricted zones, and physical safeguards for facilities and equipment used in Defence-related work
  4. Information and cyber security — Secure information and communications technology (ICT) systems, encryption, threat monitoring, and compliance with the Information Security Manual (ISM) and the Essential Eight (E8) at the required maturity level

Being DISP-ready means you have these controls documented, implemented, and auditable, not just planned.

The membership levels

DISP has four membership levels that reflect the sensitivity of Defence information your organisation handles:

  • Entry level — For organisations handling sensitive but unclassified material; baseline security practices required
  • Level 1 (PROTECTED) — Requires facility and ICT accreditation, security-cleared personnel, and formal risk management
  • Level 2 (SECRET) — Enhanced accreditation, higher clearances, and advanced documentation across all domains
  • Level 3 (TOP SECRET) — The highest tier; full facility and ICT certification, compartmented information handling, and continuous compliance reporting

As levels increase, so do the time, resources, and expertise required to achieve and maintain compliance.

How 6clicks helps organisations become DISP-ready

Preparing for DISP membership requires mapping your current security posture against the four domains, identifying gaps, implementing controls, and maintaining the evidence needed for ongoing assurance activities and reporting obligations. 6clicks is purpose-built to support that process.

6clicks is IRAP (Information Security Registered Assessors Program) assessed, ISO/IEC 27001 certified, and a DISP member. Its Australian Government instance is hosted within the Canberra Data Centre at the ISM Official: Sensitive and PROTECTED classification levels.

Key capabilities for DISP preparation include:

  • Built-in Content Library with preloaded DISP, ISM, and Essential Eight assessment templates and control sets
  • Hailey AI for automated gap analysis, framework crosswalking, and control mapping across DISP, ISM, PSPF, and ISO 27001
  • Purpose-built security registers for personnel, incidents, travel, and security training data aligned to DISP requirements
  • Integrated risk and compliance modules for risk assessment, control testing, and real-time compliance posture reporting
  • DISP Suitability Assessment template for structured audit preparation and exportable reporting
  • Hub & Spoke architecture for advisors and managed service providers (MSPs) managing multiple Defence clients

Frequently asked questions about DISP

How does DISP differ from ISO 27001?

ISO 27001 is an international standard for information security management systems. DISP is an Australian government program specifically designed for the defence supply chain. While there is significant overlap in their requirements, particularly around governance and cyber security, DISP includes additional domain requirements around personnel security, physical security, and Defence-specific classification handling that go beyond ISO 27001 alone.

How long does it take to achieve DISP membership?

Timelines vary depending on the membership level sought and the current state of your security program. Entry-level membership can typically be achieved in a few months with the right preparation. Levels 1 and above generally require longer preparation periods because of facility accreditation, personnel clearance processing, and ICT system certification requirements. Starting your gap assessment early is critical.

Do our personnel need security clearances?

From Level 1 (PROTECTED) and above, yes. Personnel with access to classified Defence information must hold the appropriate security clearance. At the Entry level, clearances are not mandatory, but personnel security controls such as background checks and insider-threat awareness are still required.

Can small businesses become DISP members?

Yes. DISP is open to any Australian business, and the Entry level is designed to be accessible for smaller organisations. The key requirement is that you have the right security controls in place and can demonstrate them through the assessment process, regardless of company size.

What happens if we lose DISP membership?

Loss of DISP membership can prevent your organisation from fulfilling Defence contracts, bidding on new work, or acting as a subcontractor to primes that require DISP. Maintaining active membership requires annual reporting and periodic reviews, so ongoing compliance management is essential.

Next step

If your organisation works with, or is seeking to work with, the Australian Department of Defence, start by assessing your current security posture against DISP requirements. Download the 6clicks DISP expert guide to understand the full requirements by domain and membership level, or book a demo to see how 6clicks can accelerate your DISP readiness.
