TL;DR
- DISP, the ISM, and the Essential Eight are related but distinct: DISP is the membership program, the ISM is the technical cyber security standard, and the Essential Eight is a prioritised set of mitigation strategies.
- ICT systems that handle classified Defence information must be formally authorised under the ISM from DISP Level 1 (PROTECTED) and above, and the Essential Eight must be implemented at Maturity Level 2 at every DISP membership level.
- Organisations that address all three frameworks together — rather than sequentially — reduce total compliance effort by avoiding duplicated gap assessments and control implementations.
- The Essential Eight alone does not satisfy DISP. DISP requires ICT accreditation in accordance with the ISM, personnel security, physical security, and governance controls that go well beyond the Essential Eight.
- Start with a gap assessment mapped to all three frameworks before beginning your DISP application — it reveals shared controls and unique requirements in one pass.
- If your organisation already holds ISO 27001, you have a useful starting point, but significant DISP- and ISM-specific gaps will still need to be addressed.
DISP, the Information Security Manual (ISM), and the Essential Eight (E8) are three of the most important frameworks for Australian defence contractors, and they are far more interconnected than most organisations realise. Understanding how they align, where they diverge, and what to tackle first is the difference between an efficient compliance program and one that duplicates effort and misses critical gaps.
Why DISP, ISM, and Essential Eight are often tackled together in Defence
Australian defence contractors navigating cyber compliance frequently encounter three frameworks in quick succession: DISP, the ISM, and the Essential Eight. Each comes with its own documentation, its own assessment process, and its own terminology — and the relationships between them are not always explained clearly in official guidance.
The result is that organisations often treat them as three separate projects, running parallel gap assessments and implementing controls in isolation. This is expensive, time-consuming, and unnecessary. When you understand how the three frameworks relate, you can build a single integrated compliance program that satisfies all three simultaneously.
How each framework differs
DISP: the membership program
The Defence Industry Security Program (DISP) is managed by the Defence Industry Security Branch (DISB), part of the Australian Department of Defence. It is a membership program, not a technical standard. DISP defines security expectations across four domains — governance, personnel, physical, and information and cyber security — and assesses whether organisations meet those expectations to work with Defence.
DISP references other standards (including the ISM and the Essential Eight) rather than defining every technical control itself. This is important: DISP compliance cannot be achieved by implementing cyber security controls alone.
The ISM: the technical cyber security standard
The Information Security Manual (ISM) is published and maintained by the Australian Signals Directorate (ASD). It is a detailed cyber security framework that defines how Australian government entities and their partners should protect information and communications technology systems.
The ISM is structured around cyber security principles and guidelines covering governance, personnel, physical security, and technical security controls. Under DISP, alignment with the ISM is demonstrated through a formal system assessment and authorisation.
For DISP members at Level 1 (PROTECTED) and above, ICT systems that receive, store, or process classified Defence information must be formally authorised under the ISM. This is not optional — it is a mandatory DISP requirement.
The Essential Eight: the baseline mitigation strategies
The Essential Eight is also published by the ASD and defines eight prioritised cyber security mitigation strategies designed to protect organisations against the most common cyber threats. The strategies are:
- Application control
- Patch applications
- Configure Microsoft Office macro settings
- User application hardening
- Restrict administrative privileges
- Patch operating systems
- Multi-factor authentication (MFA)
- Regular backups
The Essential Eight is assessed against four maturity levels (0 through 3). For all DISP levels, Maturity Level 2 is required as a minimum.
How DISP, ISM, and Essential Eight relate to each other
The hierarchy
The three frameworks sit in a hierarchy:
- DISP sets the overall security membership requirements for defence industry organisations, referencing the ISM and Essential Eight as inputs to its ICT security domain
- The ISM provides the detailed technical security controls that DISP's ICT accreditation requirements draw from
- The Essential Eight is a specific, prioritised subset of controls drawn from ASD's broader guidance, and is mandated by DISP at all membership levels
In practice: if your ICT systems are authorised under the ISM at the correct classification level, and your Essential Eight implementation meets Maturity Level 2, you will have satisfied DISP's ICT security domain requirements — provided the other three DISP domains (governance, personnel, physical) are also addressed.
Where frameworks overlap
There is substantial overlap between the ISM and the Essential Eight. The Essential Eight mitigation strategies are derived from ASD’s broader Strategies to Mitigate Cyber Security Incidents and map directly to controls within the ISM. An organisation that has implemented the Essential Eight at Maturity Level 2 has completed a meaningful portion of the ISM’s most critical cyber security controls.
However, the ISM contains hundreds of controls beyond the Essential Eight. ICT system assessment under the ISM requires a systematic review of all applicable controls at the relevant system classification and operational context, not just the Essential Eight.
Where frameworks diverge
The key divergence is authorisation. Implementing the Essential Eight controls is not the same as having your ICT systems formally assessed and authorised under the ISM. Authorisation typically requires:
- A formal risk assessment of the ICT system
- An evidence package documenting control implementation
- A formal assessment of applicable ISM controls
- Formal approval by an authorising officer
Many organisations have implemented the Essential Eight but have not completed ICT system authorisation. From a DISP perspective, this means their ICT security domain requirements may not yet be fully met.
What to prepare first: a practical sequencing guide
For organisations preparing for DISP that are also working toward ISM authorisation and Essential Eight compliance, the most efficient sequence is:
Step 1: Run a unified gap assessment
Before starting any implementation work, run a gap assessment mapped simultaneously against all three frameworks. This surfaces shared controls (work done once satisfies all three), DISP-only requirements (governance, personnel, physical), and ISM-specific controls that go beyond the Essential Eight.
6clicks' Hailey AI can perform this crosswalk automatically, mapping your existing controls and policies against DISP, ISM, Essential Eight, PSPF, and ISO 27001 simultaneously — eliminating manual mapping effort.
Step 2: Implement the Essential Eight to Maturity Level 2
Start with the Essential Eight. These controls are the highest-priority cyber security mitigations and directly satisfy a mandatory DISP requirement. Implementing them early also builds the foundation for ISM authorisation, since they represent the core of the ISM's most critical controls.
Step 3: Complete ISM control implementation for your target classification level
Once the Essential Eight is in place, extend your control implementation to cover the remaining applicable ISM controls at your target classification level. Use your gap assessment outputs to prioritise remediation.
Step 4: Prepare your ICT accreditation evidence package
Begin building the documentation required for ICT accreditation under the ISM: system security plans, risk assessments, control implementation evidence, and incident response documentation. The 6clicks Content Library includes prebuilt ISM and DISP assessment templates that accelerate this process significantly.
Step 5: Address DISP-specific domains in parallel
While ICT work is underway, address the governance, personnel, and physical security domains in parallel. These do not depend on ICT accreditation and can be progressed simultaneously. Waiting until ICT work is complete before starting the other domains is a common source of unnecessary delay.
Step 6: Submit your DISP application with full evidence
With ICT accreditation complete and all four DISP domains addressed, you have the evidence base to submit a strong DISP membership application.
How 6clicks supports DISP, ISM, and Essential Eight compliance together
6clicks is purpose-built to support organisations managing compliance across all three frameworks in a single platform. It is IRAP-assessed at the ISM OFFICIAL: Sensitive level, ISO/IEC 27001-certified, and a DISP member, making it one of the few platforms that has itself completed the accreditation journey it helps customers navigate.
Key capabilities include:
- Hailey AI for automated multi-framework gap analysis, crosswalking DISP, ISM, Essential Eight, PSPF, and ISO 27001 simultaneously
- Built-in Content Library with preloaded DISP, ISM, and Essential Eight control sets, assessment templates, and policy libraries
- ICT accreditation evidence management for building and maintaining DISP-ready documentation packages
- Essential Eight maturity tracking with control testing, remediation tracking, and real-time maturity level reporting
- Integrated risk and compliance modules linking risks, controls, issues, and evidence across all three frameworks
- Hub & Spoke architecture for advisors and managed service providers (MSPs) managing multiple Defence clients across DISP, ISM, and Essential Eight programs
Frequently asked questions about DISP, ISM, and Essential Eight
Does implementing the Essential Eight satisfy DISP?
No, not entirely. The Essential Eight at Maturity Level 2 is a mandatory requirement for all DISP levels, but it does not constitute full compliance. DISP also requires formal ICT system accreditation under the ISM, which involves a broader set of controls and a formal system assessment and authorisation process.
Which DISP levels require the Essential Eight?
All DISP levels, from Entry Level to Level 3, require Essential Eight implementation at Maturity Level 2.
Can one gap assessment cover DISP, the ISM, and the Essential Eight at once?
Yes, and this is the most efficient approach. A properly structured gap assessment mapped to all three frameworks simultaneously reveals shared controls (addressed once) and framework-specific requirements (addressed separately). Using Hailey AI within 6clicks, this crosswalk can be completed automatically, producing a prioritised remediation plan across all three frameworks in a fraction of the time a manual approach would require.
Next step
If your organisation is preparing for DISP membership and wants to align your ISM and Essential Eight compliance program at the same time, start with a unified gap assessment.
Download the 6clicks DISP expert guide to understand how DISP, ISM, and Essential Eight interact across membership levels, or book a demo to see how 6clicks maps your existing controls against all three frameworks automatically.