
DISP Membership - from first certification to business as usual

Supporting the development of Australian Defence industry. We help organisations comply with all applicable cyber security regulations, and win and maintain Defence industry contracts.

Built for SMEs

DISP for small to medium enterprises.

Many SMEs have capable people, good systems and strong intent, but they are not set up like large Defence primes. Security responsibilities may sit across directors, operations, HR, IT, facilities and external service providers.

That is where DISP can become difficult.

Cyvex works with executives and business owners who need more than generic advice. We help your team understand what must be done, why it matters, who owns it, what evidence is needed - and how to do it simply.

Clarify the DISP level you need.

Applying for the wrong level can waste time, increase cost and create avoidable complexity.

We help you understand the likely membership level required across governance, personnel security, physical security and ICT/cyber security.

We also help identify which parts of your business, facilities, systems and workforce are in scope, and if only part is involved in Defence work, how to focus mainly on that part.

A practical gap assessment and prioritised action plan.

Before you invest in uplift, you need to know where you stand.

Cyvex assesses your current security maturity across the DISP domains and identifies the gaps most likely to delay, complicate or weaken an application.

We look at operating reality and work with you to address the gaps.

Security controls that can be explained, evidenced and maintained.

Cyvex is a team of security professionals. We work with your executives, internal IT staff or managed service providers to assess maturity, identify control weaknesses, improve evidence and support a stronger application position.

This may include Essential Eight alignment, access control, patching, backups, privileged account management, monitoring, incident response, cloud configuration and system scope.

A coherent evidence set that supports the application and helps the business operate securely.

Generic security documents often create more risk because they describe a business that does not actually exist.

Cyvex helps develop practical security documentation that reflects how your organisation operates. That includes clear responsibilities, governance arrangements, personnel security processes, facility controls, cyber controls, incident handling and ongoing reporting obligations.

A better prepared application and fewer avoidable surprises.

DISP applications can stall when evidence is incomplete, scope is unclear, personnel responsibilities are not settled, cyber gaps remain unresolved, or the business cannot explain how its controls work.

Cyvex helps prepare your application material, review supporting evidence, brief key personnel and support the business through assessment activity.

A practical operating model for maintaining membership.

DISP is not finished when membership is granted.

Your business needs to maintain policies, update records, manage personnel changes, keep security registers current, conduct reviews, manage incidents, support cleared personnel and remain ready for future assurance activity.

Cyvex can help establish a manageable compliance rhythm so your business remains compliant, resilient and ready to take on more work.

What DISP is

Entrusting Defence information to Australian industry

DISP sets up your business to handle classified information: how you store and transfer it digitally, and how you apply security controls so that digital protection matches what you would do physically. The result is a safe area to collaborate with Defence, and protection for your own intellectual property, which foreign and state actors may see real value in.

Think of DISP as a cyber security uplift - it helps you to ensure that you are not the weak link.

What DISP covers

Four security domains.

DISP requirements are structured across four security domains. Together, they provide the framework for protecting Defence information, assets and people.

Security governance

Security governance establishes how an organisation manages its security responsibilities. It requires clear accountability, suitable policies and plans, trained personnel, effective incident management and oversight across all security domains. Organisations must also maintain the documentation and reporting needed to demonstrate both initial and ongoing compliance with DISP requirements.

Physical security

Physical security protects people, facilities, property, information and physical assets from theft, damage, unauthorised access and other threats. The controls required depend on the classification and type of Defence information or assets held at the organisation's facilities. Measures may cover access control, secure areas, storage, handling and destruction.

Personnel security

Personnel security ensures employees, contractors and other personnel are suitable to access government information, systems and assets. This includes workforce screening, suitability checks, security awareness and ensuring personnel demonstrate the required levels of integrity, competence and trustworthiness. DISP members are expected to align their screening practices with AS 4811:2022.

Information and cyber security

Information and cyber security protects Defence Official Information held or processed within an organisation's systems. DISP members must implement appropriate technical and procedural controls across the ICT systems used to engage with Defence. This includes demonstrating alignment with the Australian Signals Directorate's Essential Eight at Maturity Level 2.

Membership levels

DISP membership levels.

DISP has four membership levels within each security domain, set by the sensitivity of the information you handle.

Official / Official: Sensitive

Routine government information, including material that may require limited handling controls.

Protected

Sensitive information that could cause damage if disclosed without authorisation.

Secret

Highly sensitive information that could cause serious damage to national interests if disclosed.

Top Secret

The most sensitive information, where unauthorised disclosure could cause exceptionally serious damage to national security.

Who needs it

Defence suppliers handling sensitive work.

You are likely to need DISP if you work with Defence and handle classified data, work with munitions, provide security services, or are required by a contract to hold membership. It gives Defence a clear view of who they work with and how secure those suppliers really are.

Eligibility

Are you eligible for DISP?

To be eligible for DISP membership, your organisation must:

  • be a registered and financially solvent Australian business with an ABN or ACN.
  • appoint a senior executive to act as Chief Security Officer and a staff member to act as Security Officer. In small organisations, one person can be both.
  • ensure these officers can obtain the required Australian security clearances and digital identities.
  • establish and maintain the security standards required for the level of membership sought.
  • identify and disclose any Foreign Ownership, Control or Influence risks.

Your responsibility

The supply chain is yours to protect.

Subcontractors are your responsibility. You are the responsible entity. You must control who has access to what data across your supply chain, and you must monitor it. We help you decide how far up the supply chain to look, and where your points of compromise are.

The Defence threat is different from ransomware and ordinary criminal tradecraft. It is about quiet, subtle, state-sponsored attempts to exfiltrate data. You are operating in a more opaque space, against actors with significant budgets and resources who may be eager to get what you have.

What membership gives you

More than access to contracts.

  • Access to Defence contracts.
  • Better security practices that extend well beyond Defence projects.
  • Collaboration opportunities and government, training and intelligence briefings.
  • Credibility in the market, and trust within the Defence supply chain.
  • Your organisation positioned as a trusted partner for Defence.

How we approach it

Meet the bar, economically.

We help you reach Maturity Level 2 in a minimum-viable, sensible way, so you invest wisely rather than over-build. We support the culture change, help you build the business case, and can substantiate the cost of DISP membership for your bidding and estimation. Where it helps, we act as your Virtual Security Officer.

Questions

Frequently asked questions.

DISP is a Defence membership and accreditation process. It is better understood as an assessment of whether your organisation can meet Defence security obligations at the level required for the work you want to perform.

Not always. It depends on the contract, information classification, access requirements and role in the supply chain. However, many Defence-facing opportunities increasingly expect suppliers to understand and meet DISP requirements.

No. Cyber is important, but DISP also covers governance, personnel security and physical security. A technically secure system will not fix weak accountability, poor staff screening or inadequate facility controls.

Your IT provider may be able to help with technical controls, but DISP readiness usually requires broader security governance, evidence management, executive ownership and Defence-specific interpretation. Cyvex can work with your IT provider rather than replace them.

It depends on your current maturity, target level, facilities, systems, personnel, evidence quality and remediation effort. A business with strong controls and records may move faster. A business starting from informal practices should expect a more substantial uplift.

Start with scope. Before spending money on tools or documentation, clarify what Defence work you are pursuing, what information you will handle, which people and systems are in scope, and what membership level is likely to be required.

Get on the front foot

Be ready for Defence work before security requirements block the opportunity.

DISP membership is no longer something SMEs can leave until the tender is live, the prime asks for evidence, or your team requires access to classified information. By then, the business is usually under pressure, the gaps are harder to fix, and the application becomes a distraction from delivery.

Cyvex helps you prepare for DISP membership with practical advisory, cyber security uplift and executive-level guidance across governance, personnel, physical and cyber security.

Partner with us early in the tendering process so that your DISP membership is ready to support you in developing sovereign Defence manufacturing or services capability.