If you work with government, or want to, you’ve probably discovered that “good cyber security” is no longer enough as a general promise. Increasingly, you need to show structured, evidence-backed assurance that your organisation can protect sensitive information, manage risk, and meet specific contractual security obligations.
That’s where programs like DISP and Right Fit for Risk (RFFR) come in.
They are not the same thing. They do not apply to the same organisations. And if you misunderstand the difference, you can waste a lot of time building the wrong compliance response.
Here’s the plain-English version.
The Defence Industry Security Program (DISP) is the Australian Government’s security program for businesses working with Defence. It is designed to help Australian entities understand and meet their security obligations when engaging in Defence tenders, contracts and projects. Defence describes DISP as a multi-level, membership-based program that gives Defence greater confidence in the security capability of participating organisations.
DISP membership is structured across four membership levels (Entry Level, Level 1, Level 2 and Level 3), which align with Australian Government security classifications. When applying, an organisation selects the level it needs in each of the four security domains, depending on its contract requirements and the nature of the work.
Importantly, DISP is not a one-off application. Members have ongoing responsibilities, including maintaining standards, submitting annual self-assessments and undergoing checks and audits. Defence also states that DISP members are required to achieve and maintain Essential Eight Maturity Level 2.
Right Fit for Risk (RFFR) is not a Defence program. It is the Department of Employment and Workplace Relations’ cyber security accreditation approach for contracted providers and certain external IT systems interacting with the Department’s systems. The Department uses its own assurance approach to assess and accredit providers and relevant external systems.
RFFR is built around an Information Security Management System (ISMS). The Department’s process requires providers and vendors to complete three accreditation milestones: scope and context, design, and implementation. The exact accreditation path varies depending on the provider type, risk profile and deed requirements.
The Department is also very clear that, in this context, your ISMS must be designed and implemented in accordance with ISO 27001 to meet legal, regulatory and contractual obligations, including RFFR requirements. It also says that independent certification provides assurance that those requirements are being met.
The simplest way to think about it is this:
DISP is about becoming and remaining a Defence-recognised member under a structured security program. RFFR is about proving that your information security management system is appropriate for the risks associated with delivering services or systems to that Department.
They’re both about cyber assurance, but they sit in different ecosystems, with different accreditors, different processes and different operational expectations.
This is where a lot of organisations get confused.
ISO 27001 is not the same as DISP. It is not the same as RFFR. But it is highly relevant to both.
For RFFR, DEWR (the Department of Employment and Workplace Relations) explicitly says your ISMS must be designed and implemented in accordance with ISO 27001, and that independent certification provides assurance to the Department.
For DISP, Defence does not describe ISO 27001 as part of the DISP program itself, but in practice many organisations use ISO 27001 as a foundation for the structured, risk-based security management system that supports DISP readiness and ongoing security maturity.
So if you are asking, “Do we need ISO 27001 or DISP or RFFR?” the answer is often: ISO 27001 may be part of the answer, but it does not replace the program-specific requirements.
Again: important, but not interchangeable.
Defence states that DISP members must achieve and maintain Essential Eight Maturity Level 2. That means Essential Eight is not just a nice-to-have uplift activity for DISP members. It is part of the ongoing security expectation.
Essential Eight, however, is not the whole story. It is a cyber mitigation baseline, not a full management system. It helps strengthen technical and operational controls, but it does not replace the broader governance, documentation, accountability and assurance requirements that come with DISP membership or an RFFR-aligned ISMS.
That is why organisations often need all three pieces working together:
If you are pursuing or supporting Defence contracts, start by understanding whether DISP is required or strongly expected in your part of the supply chain. Defence says eligibility and suitability can include having a specific DISP membership level as a requirement of a current or upcoming Defence contract or project.
If you are delivering services or systems into the Department of Employment and Workplace Relations environment, then RFFR is the relevant accreditation model to understand.
And if you are operating across government or regulated ecosystems more broadly, the safest assumption is that you will need a compliance approach that is more structured than a handful of policies and a spreadsheet.
One of the biggest mistakes government contractors make is treating DISP or RFFR as submission exercises.
They are not.
Both point to something bigger: the need for a living, defensible, well-maintained security program. If your policies are static, your evidence is scattered, your ownership is unclear and your controls only get attention when a tender drops, you are going to feel the pain sooner or later.
This is exactly where organisations get stuck:
That is not sustainable.
A stronger approach is to build one connected system that lets you:
That is how compliance stops being a scramble and starts becoming an operating rhythm.
If you are a government contractor, the question is not whether cyber assurance matters. It is which model applies to your environment, and whether your current system is strong enough to support it.
DISP and Right Fit for Risk are different.
ISO 27001 and Essential Eight are related, but not substitutes.
The organisations that do this well are the ones that treat security governance as a living system, not a last-minute response to procurement pressure.
That is the real difference between being technically capable and being contract-ready.