The 4 DISP domains: what they cover and where teams miss the mark

Written by Andrew Robinson | May 01, 2026

TL;DR

  • DISP assesses four domains: security governance, personnel security, physical security, and information and cyber security. All four are assessed, not just ICT.
  • The most common under-scoping error is treating DISP as a cyber security project and neglecting governance documentation, personnel vetting records, and physical access controls.
  • From DISP Level 1 (PROTECTED) and above, ICT systems must be formally accredited and aligned to the Information Security Manual (ISM) and Essential Eight (E8) at Maturity Level 2.
  • Organisations with existing ISO 27001 or Essential Eight programs have a headstart, but significant DISP-specific gaps typically remain.
  • If your current compliance program does not have documented security registers for all four domains, you are likely under-scoped.
  • Use a structured gap assessment mapped to all four DISP domains before beginning your formal application.

Most organisations preparing for Defence Industry Security Program (DISP) membership focus almost entirely on cyber security and then discover that three other domains, each with their own documentation, controls, and audit evidence requirements, are equally assessed. Here is a clear breakdown of what each DISP domain requires and where compliance programs most commonly come up short.

Why the four-domain model matters

The Department of Defence does not assess DISP membership applicants on cyber security alone. DISP is built around four interdependent security domains that together determine whether an organisation can be trusted with Defence information, people, facilities, and systems.

This four-domain model reflects a real-world security truth: a perfectly secured network means very little if personnel are not vetted, physical access is uncontrolled, or leadership has no documented accountability for security outcomes. DISP requires all four to be addressed in a coordinated, evidence-based way.

Domain 1: Security governance

Security governance is the foundation of DISP compliance. It establishes that security is not just an IT function but an organisational responsibility with documented policies, clear ownership, and visible leadership accountability.

What DISP requires

  • A documented security framework aligned with the Defence Security Principles Framework (DSPF)
  • Designated security roles, including an appointed security officer
  • Regular security reviews and reporting to leadership
  • A documented process for managing and reporting security incidents
  • Evidence that the board or executive leadership actively oversees security outcomes

Where organisations under-scope this domain

The most frequent governance gap is the absence of a formalised security management plan that references DISP specifically. Organisations often have generic information security policies but lack the Defence-specific documentation that DISP assessors look for. Another common gap is insufficient audit trail evidence showing that security reviews actually happen, as distinct from just being planned.

Domain 2: Personnel security

Personnel security ensures that everyone with access to Defence information is appropriately vetted, trained, and monitored. This domain is frequently underestimated by organisations that assume it only applies to employees with high security clearances.

What DISP requires

  • Background checks and pre-employment screening for personnel with access to Defence information
  • Security clearances at the appropriate level for the membership tier (mandatory from Level 1 / PROTECTED)
  • Security awareness and insider-threat training for all relevant staff
  • Processes for managing access changes, departures, and security incidents involving personnel
  • Ongoing monitoring obligations for cleared personnel

Where organisations under-scope this domain

Many organisations focus clearance management on a small number of senior staff and overlook the broader population of employees, contractors, and third parties with incidental access to Defence information. Insider-threat awareness training is also frequently missing or ad hoc rather than formally documented and recurring. Maintaining clearance records and evidence of ongoing training obligations is an audit requirement that organisations often discover only late in their preparation.

Domain 3: Physical security

Physical security controls protect Defence-related facilities, equipment, and materials from unauthorised access, theft, and interference. This domain is often treated as a facilities management question rather than a formal security compliance obligation.

What DISP requires

  • Defined and documented security zones for areas where Defence information or assets are handled
  • Physical access controls: locks, alarms, surveillance, and restricted access zones
  • Visitor management processes for any facility handling Defence information
  • Procedures for handling, storing, and disposing of classified material in physical form
  • Evidence of regular physical security reviews and any remediation undertaken

Where organisations under-scope this domain

Organisations that work primarily in shared office environments or access Defence information remotely often assume physical security requirements are limited to traditional secure facilities. In practice, DISP still requires documented and proportionate physical security controls for any location where Defence information is accessed, handled, or stored. That can include shared offices, temporary workspaces, and in some cases home offices, depending on the sensitivity of the information, contractual requirements, and the controls in place.

Domain 4: Information and cyber security

Information and cyber security is typically the most familiar domain for technology and security teams. However, DISP introduces requirements that go beyond standard cyber security practice, particularly at Level 1 and above.

What DISP requires

  • Compliance with the Information Security Manual (ISM) published by the Australian Signals Directorate (ASD)
  • Implementation of the Essential Eight (E8) mitigation strategies at Maturity Level 2
  • Formal accreditation of information and communications technology (ICT) systems used to receive, store, or process Defence classified information
  • Encryption of classified data in transit and at rest
  • Ongoing monitoring, vulnerability management, and cyber incident reporting under Defence guidelines
  • Documentation of the information lifecycle: how Defence data is created, stored, transmitted, and destroyed

Where organisations under-scope this domain

The most significant ICT shortfall for DISP applicants is the distance between having a functional security program and having a formally accredited one. ICT accreditation is a documented, structured process that requires evidence packages, risk assessments, and formal approval. Organisations that have implemented the Essential Eight controls but have not completed accreditation are not compliant from a DISP perspective.

A secondary gap is the ISM itself. The ISM is a detailed and regularly updated document with hundreds of controls. Mapping an existing security program against ISM and identifying gaps requires systematic effort, and manual approaches are time-consuming and error-prone.

How the four domains interconnect

DISP assessors evaluate all four domains together. A strong ICT posture does not compensate for weak personnel security. Excellent governance documentation does not offset an absence of physical access controls. The four domains are assessed as a whole, and deficiencies in any one domain can delay or prevent membership.

Organisations that structure their DISP preparation around all four domains from the outset, rather than addressing them sequentially, consistently achieve faster time to membership and fewer findings at assessment.

How 6clicks supports all four DISP domains

6clicks is designed to help organisations manage DISP compliance across all four domains in a single platform, rather than managing governance, personnel, physical, and ICT evidence in separate tools.

Key capabilities by domain:

  • Security governance: prebuilt DISP-aligned policies, control sets, and assessment templates via the Content Library, automated reporting, and audit trail generation
  • Personnel security: personnel security registers, training obligation tracking, and access review workflows
  • Physical security: customisable registers for physical security zones, visitor management, and asset controls
  • Information and cyber security: ISM and Essential Eight control mapping via Hailey AI, automated gap analysis, ICT accreditation evidence management, and incident tracking

6clicks is IRAP-assessed at the ISM Official: Sensitive level, ISO/IEC 27001 certified, and a DISP member. Its Australian Government instance is hosted within the Canberra Data Centre.

Next step

If your current compliance program is not structured around all four DISP domains, start with a gap assessment before your formal application.

Download the 6clicks DISP expert guide to see the full requirements by domain and membership level, or book a demo to see how 6clicks maps your existing controls against DISP, ISM, and Essential Eight automatically.