If your business wants to work with the Australian Department of Defence, sooner or later you will meet DISP. It is the program that sets the security expectations for Defence suppliers. Here is what it covers, how membership is graded, and where backup and recovery fit in.

Key takeaways
  • DISP is the Defence Industry Security Program, administered by the Department of Defence.
  • It spans four security domains: governance, personnel, physical and cyber (ICT).
  • Membership is offered at entry level plus Levels 1 to 3, scaled to the sensitivity of the work.
  • The cyber domain expects Essential Eight alignment, including regular, recoverable backups.

What DISP is for

The Defence Industry Security Program (DISP) gives Australian businesses the security framework they need to do business with Defence. Membership signals that a supplier can appropriately handle Defence people, information and assets. For many Defence contracts and tenders, DISP membership is a precondition rather than a nice-to-have.

The four security domains

DISP organises requirements into four domains:

  • Governance — security leadership, policies, and a Chief Security Officer and Security Officer.
  • Personnel security — clearances, vetting and the management of access to classified material.
  • Physical security — securing the facilities and assets where Defence work happens.
  • Cyber security (ICT) — protecting the systems that store and process Defence information.

Membership levels

DISP offers an entry level plus three graded levels. Higher levels correspond to handling more sensitive information and assets, and bring more demanding controls and oversight. A business applies for the level appropriate to the work it intends to do; you do not need the highest level to participate.

Where backup fits

The cyber domain expects alignment with the ASD Essential Eight and the Information Security Manual. That brings the Essential Eight's backup strategy squarely into scope: regular backups of important data and configurations, retained and restoration-tested, and isolated so they survive a compromise. For a supplier, "important data" includes the business records that keep you operating and contractually compliant. A disciplined, independent backup regime is part of demonstrating you can recover from an incident, not just resist one.

Getting ready

Most businesses begin by appointing security officers, documenting policies, and closing Essential Eight gaps — with MFA and backups being the quickest wins. Treat DISP as an operating posture, not a one-off form: it is assessed and maintained over time.