DISP membership for small business: what the Defence Industry Security Program actually requires
Defence's security membership program explained for small suppliers: the 4 domains, the 4 levels, the Essential Eight Maturity Level 2 cyber bar, what it honestly costs, and what to check before you commit.
The Defence Industry Security Program (DISP) is the Department of Defence's security membership program for suppliers — for a small business eyeing defence work, it is the gate you pass through before bidding is realistic. Membership itself is free and any Australian entity with an ABN can apply. The cost is what it takes to comply:
- 4 security domains — governance, personnel, physical, and ICT & cyber — each at a membership level from Entry (OFFICIAL material) up to Level 3 (TOP SECRET)
- One cyber bar for everyone — the ASD Essential Eight at Maturity Level 2, on every corporate system used to correspond with Defence
SMB1001 — the certification actually built for small businesses — does not appear in DISP requirements at all, and even ISO 27001 only demonstrates compliance in part. Defence names the Essential Eight, and where a regulator names a framework, no certificate substitutes for it.
Most small businesses meet the Defence Industry Security Program the same way they meet every compliance regime: a clause in a tender document. Somewhere in the conditions sits "DISP membership at Entry Level or above", and a business that has never thought about security classifications is suddenly reading the Defence Security Principles Framework. This guide covers what DISP actually is, what each membership level requires, what the cyber bar is set at — and, because most of what is written about DISP comes from consultancies selling uplift services, an honest view of what it costs and when it is worth it.
What DISP is, and who has to join
DISP is the Department of Defence's security membership program for industry, established under the Defence Security Principles Framework (DSPF), Principle 16, Control 16.1. Its job is to give Defence assurance that the businesses in its supply chain handle people, premises, systems and information to a defined security standard.
Membership is mandatory if your business works on classified information or assets (PROTECTED and above), supplies, maintains, stores or transports weapons or explosive ordnance, provides security services for Defence bases, or holds a contract that names DISP as a condition — which, in practice, is how most small suppliers encounter it. Outside those cases it is optional but recommended for anyone seeking Defence work.
Two facts worth stating plainly, because the consultancy marketing around DISP tends to blur them. First, membership itself is free — Defence charges no fee. The costs are in implementing and maintaining the required controls. Second, DISP membership does not win you contracts; it makes you eligible to bid for the ones that require it.
The 4 security domains and 4 membership levels
DISP assesses an entity across 4 security domains: security governance, personnel security, physical security, and ICT and cyber security. Membership comes in 4 levels, each aligned to an Australian Government security classification — Entry Level (OFFICIAL and OFFICIAL: Sensitive), Level 1 (PROTECTED), Level 2 (SECRET) and Level 3 (TOP SECRET) — and you nominate the level you need per domain when applying. Most small businesses entering the supply chain need Entry Level: it covers unclassified-but-sensitive Defence material, and it is the level a first contract typically demands. One limitation to know: Entry Level members cannot sponsor security clearances.
Eligibility is broader than most owners expect. Any Australian entity can apply — the baseline criteria are an ABN or ACN, financial solvency, a director or senior executive able to hold a security clearance and act as Chief Security Officer, a staff member to act as Security Officer (the same person can hold both roles), and a Foreign Ownership, Control or Influence (FOCI) declaration covering foreign directors, shareholders, revenue and agreements.
The application is not a form-and-forget exercise. The Entry Level Assessment includes a review of your security documentation, a phone interview with your security officers, and a Cyber Security Questionnaire — and identified gaps must be addressed before membership is granted. Once in, Defence runs ongoing desktop audits (Ongoing Suitability Assessments) against all 4 domains, and implementing their recommendations is a condition of staying a member.
The cyber requirement: Essential Eight at Maturity Level 2
Here is the section that decides whether DISP is a quarter's work or a year's. Defence's requirement is explicit: entities must meet or exceed the ASD Essential Eight at Maturity Level 2 across the corporate ICT systems used to correspond with Defence. This is current and recently hardened — Defence's transitional assessments against only the "top 4" of the Essential Eight concluded on 15 November 2025, and all DISP members are now required to maintain the full eight at Maturity Level 2.
For a 10-person business, this is genuinely demanding — more demanding than anything else we write about on this site. The Essential Eight at Maturity Level 2 assumes centrally managed devices, real patching discipline with deadlines, application control, and restricted administrative privileges — an IT-managed environment, not a collection of laptops with good intentions.
And a boundary worth calling out for anyone who has read our SMB1001 guide: SMB1001 does not appear anywhere in DISP's requirements. Defence's guidance allows some international standards to demonstrate compliance in part — ISO/IEC 27001:2022, NIST SP 800-171, Def Stan 05-138 — and even those only count partially. The certification standard actually sized for small businesses is not on the list at all. Where Defence names the Essential Eight, no certificate substitutes for it. E8 at Maturity Level 2 is the price of entry.
What it actually costs
Defence charges nothing; the controls are the cost, and they vary enormously with your starting point. A business already running managed devices with an IT provider has a gap analysis and some hardening ahead of it. A business of owner-purchased laptops and personal email accounts is looking at a genuine IT rebuild. Consultancies in this space quote widely — one dedicated DISP consultancy puts the total cost of achieving baseline membership for an SME at $30,000 to $100,000 depending on starting maturity. Treat that as a vendor's framing of the worst case, not a Defence fee schedule — but treat it seriously, because the Essential Eight at Maturity Level 2 is not achievable with DNS records and good habits alone.
That makes the real question commercial, not technical: is the Defence contract pipeline worth a security program of that scale? For some businesses — machining, logistics, software, specialist services near a Defence precinct — clearly yes, and DISP membership then doubles as a security upgrade the rest of the business benefits from. This is also the one place on this site where "hire help" is frequently the honest answer: DISP uplift is squarely the kind of work cybersecurity consultancies are correctly built for, and the regulated-path exception we describe in our pillar applies in full.
Before you commit: check where you stand
Two checks cost nothing and sharpen the decision. First, read the ACSC's Essential Eight maturity model yourself before any consultant explains it to you — it is free, public, and shorter than the proposals you will receive. Second, get your public-facing posture in order before you apply: the 4 basics every small business needs — website configuration, email authentication, backups, phishing awareness — are assumed background by the time anyone is assessing you against Maturity Level 2, and gaps there will surface in the Cyber Security Questionnaire's earliest pages.
Our scan covers that public-facing slice — DNS, email authentication, certificates, headers — which is evidence for the questionnaire, not a path to ML2. We are not a DISP consultancy and do not do Essential Eight uplift; where customers need that work, we refer to partners and take no fee, per our partner & referral disclosures.