IRAP is not a condition of DISP membership. To join the Defence supply chain you need DISP membership, and the ICT baseline DISP sets is the Essential Eight at Maturity Level 2 on your corporate systems. IRAP applies at the system level, when a specific cloud or SaaS system stores or processes classified Defence information and is assessed against the Information Security Manual.
Does selling to Defence require an IRAP assessment?
Not to get in the door. The requirement most people reach for is DISP membership, and the ICT bar DISP sets is the Essential Eight at Maturity Level 2 on the corporate systems you use to deal with Defence. IRAP sits somewhere else. It is a system level assessment against the Information Security Manual, and it applies when a particular system holds classified Defence data, not when your company joins the supply chain.
The two get blurred constantly. A DISP membership is about your organisation. An IRAP assessment is about one system.
What is DISP and when is it mandatory?
The Defence Industry Security Program is how an Australian business is cleared to handle Defence information and assets. Defence runs it under the Defence Security Principles Framework, Principle 16, Control 16.1. Membership is mandatory for entities that work on classified information or assets at PROTECTED and above, that supply, maintain, store or transport weapons or explosive ordnance, that provide security services for Defence bases or facilities, or where a Defence contract makes it a condition.
Two exceptions apply: when the classified work is done only inside Defence facilities or on Defence networks, or when the entity is recognised under a Security of Information Agreement. To be eligible you must be registered as an Australian legal entity with an ABN, be financially solvent, nominate a Chief Security Officer and a Security Officer, and complete a Foreign Ownership, Control or Influence declaration. An overseas entity cannot be a member.
Membership is the entity’s licence to operate in the Defence supply chain. It is not a tick on any single system.
What are the four DISP security domains?
DISP membership runs across four domains: security governance, personnel security, physical security, and ICT and cyber security. You self nominate a level in each, and the governance level always equals the highest level you hold in any of the other three. You only ever hold one DISP membership, whatever the number of contracts behind it.
| Domain | What it covers | The bar |
|---|---|---|
| Security governance | Accountability, plans, security culture, incident reporting | Always equals your highest other domain |
| Personnel security | Staff and contractor suitability and screening | AS 4811:2022 screening; clearances through AGSVA |
| Physical security | Protecting people, sites and assets | Zone requirements scaled to the classification handled |
| ICT and cyber security | Securing the systems you use to deal with Defence | Essential Eight Maturity Level 2 |
The governance rule catches people out. Apply for SECRET on the ICT side and your governance domain has to meet SECRET too.
What does DISP require for ICT and cyber security?
The Essential Eight at Maturity Level 2, across the ICT corporate systems you use to correspond with Defence. That is the written requirement on the DISP eligibility page, and it applies from Entry level upward. If you already hold another security standard, Defence lets you use that documentation to demonstrate in part how you meet the Essential Eight, not to replace it.
Here is the part worth being clear about. Maturity Level 2 is a floor, and it is not the same as compliance with the ISM. The Essential Eight is a targeted subset of the ISM, eight mitigation strategies, not the hundreds of controls the ISM carries across governance, personnel, physical and technical security. Reaching ML2 gets you through the DISP ICT domain. It does not make a system fit to hold PROTECTED Defence data.
Where does IRAP fit in for Defence work?
At the system, not the company. When a particular cloud or SaaS system stores, processes or communicates classified Defence information, the ISM is the standard that system is built and assessed against. IRAP is the independent route for that assessment, performed by an ASD endorsed assessor, and what it produces is a report and a control matrix, not a pass mark.
For PROTECTED and above held in commercial cloud, the same ISM logic that governs the rest of government applies to the system, and a Defence authorising officer makes the risk based decision to operate. The corporate laptops and email you run to ML2 for DISP are a different thing from a system that hosts Defence workloads. Classification is set by the data, not by you, which is why where the information sits on the OFFICIAL to SECRET scale decides how far the obligations reach. The same split holds for any SaaS or cloud provider carrying government data.
DISP gets you to the table. IRAP is what a specific system needs once Defence data lands on it.
Do you need both DISP and IRAP?
Often, yes, and for different reasons. DISP says your organisation is eligible, governed and screened to handle Defence information. IRAP reports how one system measures up against the ISM. A provider selling a PROTECTED cloud or SaaS product to Defence can need DISP membership at the right level and an IRAP assessment of the system it is selling. One is about who you are. The other is about what you are running.
| | DISP | IRAP |
|---|---|---|
| What it covers | Your organisation | A specific system |
| Governing framework | DSPF Principle 16, Control 16.1 | The Information Security Manual |
| Who decides | Department of Defence | ASD endorsed assessor reports; a Defence authorising officer decides |
| The ICT bar | Essential Eight Maturity Level 2 | The full applicable ISM control set |
| Output | Membership at a level | An assessment report and control matrix |
| Tied to | Your business | The data the system holds |
Neither stands in for the other. And a hyperscaler’s own IRAP assessment stops at its infrastructure. Your configuration, application logic and data handling sit above that line and are a separate scope.
Frequently asked questions
Is an IRAP assessment a condition of DISP membership?
No. The DISP ICT and cyber security domain is set at the Essential Eight Maturity Level 2 on the corporate systems you use to deal with Defence. IRAP applies at the system level, when a specific system holds classified Defence information and is assessed against the ISM.
Can an overseas entity hold DISP membership?
No. Only an Australian registered entity with an ABN can be a DISP member. A foreign entity can work on Australian classified contracts only under a Security of Information Agreement, with its clearances verified government to government.
What Essential Eight maturity level does DISP require?
Maturity Level 2, across the ICT corporate systems used to correspond with Defence. It applies from Entry level upward, and another security standard can demonstrate it only in part.
Does a hyperscaler’s IRAP assessment cover what you build on it?
No. A hyperscaler’s IRAP assessment covers its own infrastructure. Your configuration, application logic and data handling are assessed as a separate scope.
Written by Gaurav Vikash, an ASD endorsed IRAP assessor and senior cyber security leader with 18 years of experience across Australia, the UK and Asia, including CISO and senior security leadership roles. He holds CISSP, CISA, CISM and CRISC and is an ISO 27001 and ISO 42001 Lead Implementer, and speaks regularly at industry conferences.
Sources:
- Defence Industry Security Program, Department of Defence, 2026
- DISP eligibility and suitability, Department of Defence, 2026
- Defence Security Principles Framework, Department of Defence, 2026
- Essential Eight Maturity Model, ASD, 2026
- Using the Information Security Manual, ASD, 2026
- Protective Security Policy Framework, 2024
Last updated: 21 June, 2026
