
DISP Membership: The 5 Things to Sort Out First

Your prime contractor just told you to get DISP membership. Here's what to do first, in the order that matters. A practical guide for Australian SMEs starting from scratch.

Robbie Cronin · 6 min read

Your prime contractor just told you DISP is a requirement. Maybe it was in a tender. Maybe it came up on a call. Either way, you Googled it, found 40 pages of government PDFs, and now you need a plan.

Here are the 5 things to sort out first, in the order that matters. Most of these run in parallel, not one after another. But some deliver results faster than others, so start where the return is highest.

Before You Start: Two Things to Figure Out

Which DISP level do you need? There are four levels. Most first-timers need Entry or Level 1. Ask your prime: "What classification level will we be handling?"

DISP Membership Levels

Feature            Entry / Level 1                Level 2 / Level 3
Classification     OFFICIAL / PROTECTED           SECRET / TOP SECRET
Clearances         None / Baseline                NV1 / NV2
Who needs it       Most defence subcontractors    Classified programs only
Typical SME path   Start here                     Rarely needed first time

DISP is more than just the Essential Eight. Everyone fixates on E8 ML2, but the program also covers governance, personnel security, physical security, and information security. The E8 is the biggest piece of work. But you'll fail the application if you show up with no Security Officer and no security plan.

All four levels require Essential Eight Maturity Level 2. That part doesn't change.

Here's what to tackle first.

1. MFA on Everything (Weeks 1-2)

This is the fastest win with the biggest impact. Turn on multi-factor authentication everywhere. Email, VPN, cloud apps, admin accounts.

ML2 requires phishing-resistant MFA for all users. That means FIDO2 security keys, passkeys, or Windows Hello for Business. Not SMS codes. Not authenticator app push notifications. Hardware keys cost about $50 each. If you're on Microsoft 365, Entra ID supports this out of the box.

Start with admin accounts (that's where attackers go first), then roll out to everyone. Budget around $50 per person. For a 30-person company, that's $1,500 in hardware. The fastest ROI security investment you'll make.

2. Admin Privilege Separation (Weeks 2-4)

This one is technically simple and culturally painful.

ML2 requires dedicated admin accounts that can't access email or browse the web. If your IT manager uses the same login for admin work and reading their inbox, that's a fail. Separate accounts. No exceptions.

People don't like having two logins. That's why you start this conversation early. It's not a technology change. It's a behaviour change. Expect pushback. Hold the line.

Monthly access reviews are required too. Who has admin access, and do they still need it? Put a recurring calendar reminder on it.
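One way to turn the monthly review into a repeatable check. This is an added example, not code from the post: it runs over a constructed export of privileged role members (the field names and the approved list are assumptions; in practice you would build the rows from your directory's role-member export) and flags the three things the review is looking for: admin roles sitting on an account that also has a mailbox, admins nobody approved, and admins who have not signed in for a long time.

```python
from datetime import date, timedelta

# Constructed export of privileged role assignments. The shape is an
# assumption; populate it from your own directory's role-member report.
ROLE_MEMBERS = [
    {"upn": "adm-jane@example.com", "role": "Global Administrator",
     "has_mailbox": False, "last_sign_in": date(2025, 5, 20)},
    # Admin role on the same account that reads email: the ML2 fail.
    {"upn": "bob@example.com", "role": "Global Administrator",
     "has_mailbox": True, "last_sign_in": date(2025, 6, 1)},
    # Dedicated admin account nobody has used for months.
    {"upn": "adm-old@example.com", "role": "Exchange Administrator",
     "has_mailbox": False, "last_sign_in": date(2024, 11, 2)},
    # Dedicated admin account that was never formally approved.
    {"upn": "adm-sam@example.com", "role": "User Administrator",
     "has_mailbox": False, "last_sign_in": date(2025, 5, 30)},
]

# Approved admin accounts, maintained by the Security Officer (constructed).
APPROVED_ADMINS = {"adm-jane@example.com", "adm-old@example.com"}

# Treat an admin account unused for this long as a candidate for removal.
STALE_AFTER = timedelta(days=90)


def review_admins(members, approved, today, stale_after=STALE_AFTER):
    """Return (upn, role, finding_code) for every problem found.

    Finding codes: SHARED (admin role on an account with a mailbox),
    UNAPPROVED (not on the approved list), STALE (no recent sign-in).
    """
    findings = []
    for m in members:
        if m["has_mailbox"]:
            findings.append((m["upn"], m["role"], "SHARED"))
        if m["upn"] not in approved:
            findings.append((m["upn"], m["role"], "UNAPPROVED"))
        if today - m["last_sign_in"] > stale_after:
            findings.append((m["upn"], m["role"], "STALE"))
    return findings


if __name__ == "__main__":
    for upn, role, code in review_admins(ROLE_MEMBERS, APPROVED_ADMINS, date(2025, 6, 2)):
        print(f"{code:10} {upn:25} {role}")
```

Run it from the calendar reminder each month and keep the output with the review record; an empty result is the evidence the assessor will ask for.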

3. Patching Cadence (Weeks 2-4, Then Ongoing)

Internet-facing systems with known exploits must be patched within 48 hours. Everything else within two weeks. That's a real operational commitment.

If nobody's managing patches today, you need a process before you need a tool. Assign someone. Set a schedule. Track what's outstanding. Most SMEs already have the tools (Windows Update, WSUS, Intune). What they're missing is the discipline of checking regularly.

Unsupported software (anything that no longer receives security updates) needs to go. If you're running Windows Server 2012 or Office 2016, that's a finding on your assessment.
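A small checker for the two windows the post gives (48 hours for internet-facing systems with a known exploit, two weeks for everything else). This is an added example, not code from the post; the inventory rows are constructed and their field names are assumptions, and in practice you would feed it the missing-patch list your update tooling already produces.

```python
from datetime import datetime, timedelta

# The ML2 windows as stated in the post.
EXPLOITED_INTERNET_FACING = timedelta(hours=48)
DEFAULT_WINDOW = timedelta(days=14)

# Constructed inventory: one row per missing patch per host. Field names are
# assumptions; real rows would come from WSUS, Intune or a vulnerability scan.
MISSING_PATCHES = [
    {"host": "vpn-gw01", "patch": "patch-A", "internet_facing": True,
     "known_exploit": True, "released": datetime(2025, 6, 1, 9, 0)},
    {"host": "file-srv02", "patch": "patch-B", "internet_facing": False,
     "known_exploit": True, "released": datetime(2025, 5, 15, 0, 0)},
    {"host": "ws-17", "patch": "patch-C", "internet_facing": False,
     "known_exploit": False, "released": datetime(2025, 5, 28, 0, 0)},
]


def sla_window(row):
    """Pick the window a missing patch must be closed within."""
    if row["internet_facing"] and row["known_exploit"]:
        return EXPLOITED_INTERNET_FACING
    return DEFAULT_WINDOW


def overdue_patches(rows, now):
    """Return the rows past their deadline, most overdue first.

    Each returned row is a copy with 'deadline' and 'hours_overdue' added.
    """
    out = []
    for r in rows:
        deadline = r["released"] + sla_window(r)
        if now > deadline:
            hours = int((now - deadline).total_seconds() // 3600)
            out.append({**r, "deadline": deadline, "hours_overdue": hours})
    return sorted(out, key=lambda r: r["hours_overdue"], reverse=True)


if __name__ == "__main__":
    for r in overdue_patches(MISSING_PATCHES, datetime(2025, 6, 4, 12, 0)):
        print(f"{r['host']:12} {r['patch']:10} {r['hours_overdue']:5}h overdue "
              f"(deadline {r['deadline']:%Y-%m-%d %H:%M})")
```

Note the window is measured from when the patch was released, not from when someone noticed it; that is what turns a tool you already own into the "discipline of checking regularly" the assessor is looking for.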

4. Governance Foundations (Weeks 1-4, Parallel)

While your IT team works on controls 1 through 3, you can handle this yourself. Four things:

Appoint a Security Officer. DISP requires one at every level. It doesn't have to be a new hire. Your ops manager, office manager, someone already on staff. But they need to be formally appointed with documented responsibilities.

Write a security plan. What you protect, how you protect it, who's responsible. Doesn't need to be 50 pages. Short and real beats long and ignored.

Set up an insider threat program. Awareness training and basic reporting procedures. This is a checkbox most SMEs miss entirely.

Document your incident response plan. Who to call (including Defence) when something goes wrong. If you discovered a breach right now, does your team know the first three steps? Write them down.

The Governance Trap

Most people spend all their time on the Essential Eight controls and submit their application with no governance documentation. Defence checks both. A technically perfect E8 score with no Security Officer, no security plan, and no incident response plan will get your application sent back.

5. Application Control (Weeks 4-12+)

This is the control that stalls more DISP projects than any other. Application control means only approved software can run on your machines. Everything else gets blocked.

ML2 requires enforcement using WDAC or AppLocker on workstations and servers. Not just a policy that says "don't install random software." Technical enforcement that blocks unapproved executables from running.

Be honest about the timeline. Most SMEs need 2 to 3 months to get this right. You need to audit what's running across your fleet, build an allowlist, test it without breaking things, then enforce it. Rushing this step bricks machines.

Start the software audit now, even if enforcement comes later.

Where to Start Right Now

6-9 months from 'I need DISP' to membership: 10-14 weeks of prep work on your side, then 3-6 months for Defence to process the application. The clock is already running.

Take the DISP readiness scorecard. Twelve questions, five minutes, no email required. It tells you which of these 5 areas need the most work and whether you should be worried or just busy.

Government Grants Cover Up to Half the Cost

DIDG Security Stream grants fund $10K to $100K of cyber security improvements for defence suppliers, co-funded at 50%. The catch: you need an assessment report or Maturity Action Plan to apply. Your E8 gap assessment is what unlocks the grant. Applications are rolling, but the current round closes April 30, 2026.

If you want someone to walk through your scorecard results, book a free scoping call. I'll tell you which gaps are dealbreakers and which ones can wait.
