Defence Industry Security Program (DISP) maintains an active assurance and uplift program. The assurance program ensures DISP members meet and maintain their security responsibilities commensurate to their DISP membership requirements.
DISP members are required to maintain their membership as outlined under control 16.1 of the Defence Security Principles Framework (DSPF), as well as the broader security requirements of the DSPF and Protective Security Policy Framework. DISP members are also required to engage with assurance and uplift activities conducted by DISP and implement recommendations within mutually agreed timeframes.
DISB assurance activities support members to:
- Understand and meet DISP membership obligations, and broader Defence security requirements.
- Review security practices within their organisation.
- Make recommendations to uplift and improve their security posture.
- Identify improvements in their security control framework.
- Access security advice and information, including on cyber security.
- Access exclusive information and analysis.
- Better understand their security risks and vulnerabilities.
- Improve security tools and processes.
- Give confidence to Defence and other Australian and foreign Government entities when supplying services.
DISP aims to collaborate with members in the assurance process to continually review and improve security practices across Defence industry in order to safeguard Australia’s interests.
DISP members are expected to proactively engage with assurance activities with the objective of reviewing and improving security practices across the DISP membership base. The implementation of recommendations within mutually agreed timeframes is a requirement under DISP membership, and will be monitored and supported by the DISB audit team.
DISB assurance activities start at the point of application and continue throughout membership.
Entry Level Assessment
Entry Level Assessment is a security governance assessment conducted as part of the DISP application process to ensure an entity meets the requirements of the DISP membership levels requested. Any identified gaps are required to be addressed prior to DISP membership being granted.
Ongoing Suitability Assessment
An Ongoing Suitability Assessment (OSA) is a desktop audit to ensure that members are continuing to meet Defence security obligations. OSA selection is an outcome of an internal risk-based framework, and will assess DISP members’ compliance with a selection of security requirements across all 4 DISP security domains. The OSA process includes a review of security documentation, a phone interview with security staff and the completion of a cyber questionnaire.
This activity assists DISP members to review, and where needed, improve their security policies, procedures, and risk management.
Cyber questionnaire
Throughout the membership life-cycle, DISP requires members to complete a cyber questionnaire.
During the DISP application stage, the cyber maturity of an entity’s ICT systems is assessed. This includes identifying risks and gaps. After the assessment, guidance to improve cyber security is provided.
To meet DISP membership requirements, an entity must also comply with the Australian Government Information Security Manual.
Deep dive audit
The objective of a deep dive audit (DDA) is to ascertain the extent of DISP members’ compliance with the requirements of DSPF control 16.1 through a detailed assessment (including site visits) of the adequacy of the Defence security processes and controls in place, and if needed to help uplift an entity’s security posture. DISP members are selected for inclusion in a DDA based on an internal risk-based selection framework.
The DISP approach to DDAs is one of collaboration. All identified security uplift activities or opportunities for improvement are discussed, and a draft report for review and comment is provided prior to being finalised. The implementation of all DDA recommendations is monitored by the DISP audit team.
What to expect during an Audit Fact Sheet (PDF, 1.02 MB)
DISP Audit Fact Sheet (PDF, 172.92 KB)
Annual Security Report
An Annual Security Report (ASR) is a self-attestation, completed by DISP members, of compliance with security obligations under the DSPF, which is due on the anniversary of the DISP membership certificate. An ASR is required to be tabled with the entity’s Board or Executive (or other equivalent governance forum) prior to submission to DISP, to ensure that appropriate Executive oversight and action is taken in response to any security issues identified.
DISP members may be required to provide additional information to DISP regarding the ASR responses provided.