DISP Accreditation Support

Microsoft 365 and information security for defence industry contractors

The Defence Industry Security Program (DISP) sets clear requirements for how defence contractors manage information, protect systems and govern access to sensitive material. Meeting those requirements demands more than good intentions; it requires a correctly configured Microsoft 365 environment, appropriate information management practices, documented policies, and ongoing security controls.

Evocate helps Australian defence industry businesses implement the Microsoft 365 configuration and governance practices needed to achieve and maintain DISP membership, and to operate within the requirements of defence contracts.


DISP and Microsoft 365

Most defence contractors use Microsoft 365 as their primary productivity and communication platform. DISP requirements directly affect how that environment must be configured.

Information Security Controls

DISP requires contractors to implement appropriate controls to protect Official and sensitive information. In Microsoft 365, this translates to specific requirements around:

  • Sensitivity labels and classification: implementing the Australian Government information classification scheme (Official, Protected etc.) within Microsoft Purview, ensuring documents and emails are appropriately labelled
  • Access controls and identity: MFA enforcement, conditional access policies, privileged identity management, and regular access reviews via Azure AD/Entra ID
  • External sharing restrictions: governing how information can be shared outside the organisation via SharePoint, OneDrive and Teams
  • Device management: Intune-based device compliance policies ensuring only managed, compliant devices access sensitive information
  • Audit and monitoring: Microsoft Purview audit logging to provide the visibility DISP governance requires

Information Management

DISP requires contractors to manage defence information appropriately, including appropriate storage, access controls, version management and disposal.

We help contractors implement SharePoint-based information management systems that meet these requirements, with appropriate site structures, permission models, retention policies and disposal frameworks.

Security Incident Response

DISP requires contractors to have documented security incident response capabilities. We help businesses implement Microsoft Defender for Business or Defender for Endpoint, configure Microsoft Sentinel for security monitoring where appropriate, and document incident response procedures.


Evocate’s DISP Accelerator

We offer a structured DISP Readiness engagement that assesses your current Microsoft 365 environment against DISP requirements, identifies gaps, and implements the required controls, providing the evidence needed for DISP membership application and ongoing compliance.

This includes:

  • DISP gap assessment against Microsoft 365 and information management requirements
  • Essential Eight assessment within your Microsoft 365 and Windows environment
  • Remediation of identified gaps
  • Documentation of controls for DISP submission
  • Ongoing Microsoft 365 security management if required


Our Adelaide and Canberra Presence

Evocate has offices in both Adelaide and Canberra, the two cities with the highest concentration of Australian defence industry contractors. Our teams in both cities have direct experience with the defence industry operating environment.

Adelaide office → | Canberra office →

Industry Challenges

  • Security classification and handling
  • Defence accreditation requirements
  • Secure collaboration with allies

How Evocate Helps

  • Microsoft 365 GCC High equivalent deployments
  • Purview for data loss prevention
  • Secure SharePoint environments

Featured Case Study

View case study

Talk to an Expert

Contact Us
Basslink
Linx Cargo Care
Melbourne Airport
Mazda
Rinnai
Linfox
Penske
Sigma Healthcare
DJPR
EPA Victoria
Hostplus
University of South Australia
MACG
AIDA
Vinnies
VMCH
EACH
Cohealth
MyHealth
Asteria
Elbit Systems

One conversation. The whole Microsoft platform.

Tell us what you are working on and we will map the right next step, whether that is consulting, licensing, managed services, or all three.

Contact Us

Send us a message

Tell us about your project or question. We will get back to you within one business day.

Your information is only used to respond to your enquiry. We never share your data.

Frequently Asked Questions

DISP does not prescribe a specific Microsoft 365 configuration checklist, but the requirements around information protection, access controls, monitoring and incident response translate into specific Microsoft 365 settings. Our DISP Readiness engagement maps DISP requirements to the specific Microsoft 365 controls needed to meet them.
For most defence contractors, Microsoft 365 Business Premium or E3 with appropriate add-ons provides sufficient capability. E5 or the Microsoft 365 E5 Security add-on provides additional tools for organisations with higher security requirements. We advise on the right licence tier for your specific DISP requirements.
We can help you implement the technical controls and documentation required for DISP membership. We are not a security consultancy and do not provide DISP legal or regulatory advice, but we work alongside your DISP sponsor and security adviser to ensure the technical environment meets the requirements.
Most DISP readiness engagements take 4-8 weeks depending on the current state of your Microsoft 365 environment and the complexity of your organisation. This includes assessment, remediation, and documentation phases.