Defence Industry Security Program (DISP) membership needs to be established, maintained and reviewed at regular intervals. Once an entity has achieved membership, they need to maintain certain standards. DISP members submit annual self-assessments, and undergo checks and audits of their security.

Member responsibilities

DISP membership comes with ongoing responsibilities at every level. These are set out in the Defence Security Principles Framework (DSPF) - Principle 16 Control 16.1.

They include:

  • Safeguarding Defence and industry’s people, information and assets.
  • Appointing and retaining a Chief Security Officer (CSO) and Security Officer (SO).
  • Reporting changes that may affect DISP membership, including:
  • Responding to and reporting any security incidents and suspicious contacts.
  • Maintaining an accurate register of incidents and responses including:
    • security and fraud incidents
    • all contacts with foreign nationals, official and unofficial.
  • Submitting an Annual Security Report every 12 months from the date of DISP membership.
  • Keeping a register of overseas travel and travel briefings for security cleared staff.
  • Regular security training of staff including induction training.
  • Ongoing employment screening and suitability checks.
  • Maintaining a classified document register if accessing information at SECRET level or higher.
  • Maintaining a designated security assessed positions (DSAP) register where the entity is a sponsor of personnel security clearances. 

    Designated Security Assessed Positions (DSAP) Fact Sheet (PDF, 320.52 KB)

Annual Security Reports  

The SO must complete the Annual Security Report (ASR) annually. It must be submitted within 10 business days of the anniversary of a member’s original membership grant date.

The SO is responsible for starting and editing the submission and submitting it to the CSO. The SO does not approve or declare any submissions.

The CSO is responsible for reviewing, declaring and submitting. The CSO does not start or edit any submissions. The CSO and SO can be the same person; in this case, they are responsible for all roles: starting, editing, approving and declaring submissions.

Submit the ASR on the DISP Member Portal.

Change in Circumstance

Entities must report, as they arise, all changes that might have an impact on their membership.

The following Changes in Circumstance can be submitted on the DISP Member Portal.

Entity details

Report changes to the entity's details such as:

  • Office and postal addresses.
  • DISP@ email address.
  • Entity and business names.  
  • Domains and capabilities the entity provides services or products for.  
  • Any other company-related information that may affect the entity’s membership.

Chief Security Officer and Security Officer 

Report changes to the entity’s nominated CSO and/or SO who access and use the DISP. Members must notify DISP within 14 days of any changes to their nominated CSO or SO.

The new CSO and/or SO must meet eligibility and suitability requirements.  

If the entity is changing their CSO, the entity will need to upload a signed acknowledgment letter from the board as part of the change.  

The new CSO and/or SO will need to have completed the necessary security training and provide evidence as part of the change.

Contracts and panels

This includes:

  • Any change to the entity’s contract(s) with Defence, including new contracts, extensions, changes and closure of contracts.
  • Changes to any new Defence panels the entity joins. 

Foreign Ownership Control and Influence

Report any change to the entity's Foreign Ownership Control and Influence status. This includes, but is not limited to:

  • Foreign Directors
  • Foreign Board members
  • Foreign Shareholders
  • Foreign revenue streams
  • Agreements with foreign person(s)
  • Foreign investments.

Physical and ICT  

This covers any new Defence certifications and/or accreditations, or changes to existing ones, on the entity's physical facilities or ICT networks.

Essential Eight Cyber

Any changes to the entity's cyber posture. The entity is obliged to report on compliance with the Essential Eight Mitigation Strategies. This includes, but is not limited to:

  • implementation of Microsoft Office macro restrictions, multi-factor authentication, user application hardening or regular backups
  • changes between maturity levels
  • major systems updates
  • changes to internal technical cyber policies and procedures
  • a new Managed Service Provider or a change to the existing one.

Membership levels  

DISP members may apply to upgrade or downgrade membership levels as needed by contacting DISP.