GET DISP READY —
FASTER. CHEAPER.
WITHOUT CONSULTANTS.

Processing times vary significantly based on the completeness of the application and the membership level sought. A well-prepared Baseline application typically takes three to six months. NV1 and above applications can take six to twelve months or longer, particularly where personnel clearance processing is on the critical path. Incomplete applications are returned and restart the clock. Working with an experienced DISP consultant to prepare a complete, compliant application from the outset is the most effective way to minimise processing time.

Yes. DISP membership is open to Australian businesses of all sizes, including sole traders and small-to-medium enterprises (SMEs). DISO has specific guidance for SMEs recognising that the compliance burden must be proportionate to the size and risk profile of the organisation. Many of the most successful DISP members are SMEs that have invested in the right security foundations and positioned themselves as trusted suppliers to Defence primes.

The Annual Security Report is a mandatory submission to DISO that all DISP members must complete each year. It requires the Security Officer to attest to the organisation's ongoing compliance with DISP requirements across all four security domains, report any security incidents that occurred during the year, and confirm that mandatory security awareness training has been completed by all relevant personnel. ASRs are due within 90 days of the member's anniversary date. Failure to submit on time is a compliance breach and can trigger a DISO audit.

The Chief Security Officer (CSO) is the senior executive accountable for the organisation's overall security posture and DISP compliance. The CSO must hold a security clearance appropriate to the membership level and is the ultimate authority on all security matters within the organisation. The Security Officer (SO) is responsible for day-to-day security operations and is the primary point of contact with DISO for administrative matters. Both roles require AGSVA security clearances and must be nominated in the DISP application.

DISP membership applies to the specific facilities, systems, and personnel nominated in the application. It does not automatically cover all of a company's operations. If your organisation performs both Defence and commercial work, you will need to establish appropriate separation between the two — particularly for information systems and physical access. DISO will assess whether your proposed security arrangements adequately protect Defence information from inadvertent disclosure to non-cleared personnel or systems.

DISP members are required to report security incidents to DISO within prescribed timeframes. The reporting obligation applies to a broad range of incidents including unauthorised access to classified information, loss or theft of classified material, cyber security incidents affecting systems used for Defence work, and personnel security concerns. Prompt, transparent reporting is viewed favourably by DISO. Attempting to conceal or minimise incidents is treated as a serious compliance failure and can result in suspension or cancellation of membership.

Yes. DISO can suspend or cancel DISP membership for a range of reasons including failure to maintain the required security standards, non-submission of the Annual Security Report, failure to notify DISO of material changes to the business, serious or repeated security incidents, and loss of key cleared personnel without adequate succession planning. Cancellation of DISP membership immediately disqualifies the organisation from holding active Defence contracts that require membership, which can have severe commercial consequences.

DISPulse is purpose-built software for DISP compliance management. It automates the Annual Security Report process, maps your control evidence to DSPF requirements and the Essential Eight, tracks personnel clearance expiry dates, manages incident reporting workflows, and provides real-time visibility of your compliance posture across all four DISP security domains. For organisations managing DISP compliance manually through spreadsheets and email, DISPulse typically reduces compliance overhead by 60–80% while significantly improving the quality and completeness of evidence maintained for DISO audits.

A Maturity Action Plan (MAP) is a structured remediation document issued by DISO when a DISP applicant or existing member cannot yet demonstrate full compliance with the required security standards. The MAP identifies each gap, specifies the remediation action required, assigns a target completion date, and establishes a review schedule. For new applicants, a MAP allows DISO to grant conditional membership while the organisation works through its uplift program — meaning you do not need to be fully compliant before your application is accepted. For existing members, a MAP is typically issued following an Ongoing Suitability Assessment (OSA) or Deep Dive Audit (DDA) that identifies deficiencies. Failure to meet MAP milestones can result in membership suspension.

Yes, but foreign ownership introduces significant complexity. DISO assesses Foreign Ownership, Control, and Influence (FOCI) as part of every DISP application. If a company is majority foreign-owned or subject to foreign control — including through board composition, shareholder agreements, or financial dependency — DISO will conduct a more detailed assessment to determine whether the foreign interest creates an unacceptable security risk. In some cases, DISO may require structural mitigation measures such as a Security Control Agreement (SCA), a Special Security Agreement (SSA), or the appointment of an Outside Director or Security Committee to insulate the Australian operations from foreign influence.

The DISP Member Portal is the secure online platform through which DISP members and applicants manage their relationship with DISO. It is used to submit new membership applications, lodge Annual Security Reports (ASRs), report security incidents, notify DISO of material changes to the business, manage personnel clearance sponsorships, and communicate with DISO case officers. The portal replaced the previous paper-based and email submission processes and is now the primary channel for all DISP administrative activity. Access is restricted to nominated Chief Security Officers (CSOs) and Security Officers (SOs). DISPulse integrates with the portal workflow, allowing members to prepare and review their ASR content within the platform before final submission.

DISO does not charge a fee for DISP membership itself — there is no government application fee or annual membership levy. However, the cost of achieving and maintaining DISP compliance is substantial. The primary costs are: engaging an IRAP assessor to conduct the Essential Eight assessment (typically $15,000–$40,000 depending on scope and complexity); preparing the Security Plan and supporting documentation; implementing the required physical security infrastructure; and the ongoing operational cost of maintaining compliance. For most SMEs, the total cost of achieving Baseline DISP membership ranges from $30,000 to $100,000, depending on the starting maturity of the organisation.

At Baseline, you can access PROTECTED and below information, which covers the vast majority of defence supply chain work. Your ICT systems must meet Essential Eight ML2, your key personnel must hold Baseline security clearances, and your facilities must meet the physical security requirements for PROTECTED-level work. At NV1, you can access SECRET information — which requires Negative Vetting Level 1 clearances and facilities configured as Secure Working Areas (SWAs). NV2 and PV tiers are reserved for organisations with the most sensitive national security roles and require correspondingly elevated infrastructure, personnel clearances, and governance arrangements.

An IRAP (Information Security Registered Assessors Program) assessor is an individual certified by the Australian Cyber Security Centre (ACSC) to conduct independent assessments of information security controls against government frameworks, including the Essential Eight. For DISP applications, an IRAP assessment of your Essential Eight posture is required as part of the Entry Level Assessment (ELA). The assessment must be current — DISO typically requires it to be no more than 12 months old at the time of application. IRAP assessors are independent of DISO and Serious Defence; you engage one directly. Serious Defence can recommend accredited IRAP assessors and help you prepare your environment to maximise the outcome of the assessment.

A Deep Dive Audit (DDA) is a comprehensive compliance review conducted by DISO on existing DISP members. Unlike the annual ASR self-attestation, a DDA involves DISO officers visiting your facilities, reviewing your security documentation, interviewing key personnel, and testing the effectiveness of your security controls. DDAs are triggered by a range of factors including significant changes to your business, security incidents, intelligence concerns, or as part of DISO's routine audit programme. A DDA finding that identifies material non-compliance can result in a Maturity Action Plan, membership suspension, or in serious cases, cancellation of membership.