DISP vs SOCI Act

Understanding the Difference Between DISP and the Security of Critical Infrastructure Act


Australia’s national security framework includes multiple overlapping regimes. Two of the most important are:

  • The Defence Industry Security Program (DISP)

  • The Security of Critical Infrastructure Act 2018 (SOCI Act)

While both are designed to enhance the security and resilience of Australia’s assets, they serve different purposes, target different sectors, and are managed by different government agencies.

This page breaks down the distinctions, compliance requirements, and how they can work together to strengthen your organisation’s security posture.


What is DISP?

DISP is administered by the Department of Defence and applies specifically to organisations working on or supporting Defence contracts. Its purpose is to ensure contractors meet high standards in:

  • Security Governance

  • Personnel Security

  • Physical Security

  • Information and Cyber Security

DISP accreditation is voluntary, but in practice, it is frequently required for Defence-related projects and often built into tender or subcontracting conditions.

Read: What is DISP →


What is the SOCI Act?

The Security of Critical Infrastructure Act 2018 (SOCI Act) is managed by the Department of Home Affairs and applies to businesses operating in Australia’s critical infrastructure sectors, including:

  • Energy

  • Water

  • Ports

  • Communications

  • Data storage and processing

  • Space, transport, healthcare, food and grocery, education

The SOCI Act imposes mandatory obligations related to risk management, incident reporting, and access control for assets deemed nationally significant. It is legislated, and non-compliance can result in regulatory enforcement.

Do I Need to Comply with Both?

Yes, in some cases.

If your organisation is both:

  • A supplier to Defence, and

  • An operator or service provider to a critical infrastructure asset,

then you may need to comply with both DISP and SOCI obligations.

In such scenarios, integration of compliance strategies becomes essential. We recommend:

  • Centralised security governance frameworks

  • Mapped controls across DISP, SOCI, and ISO 27001/31000

  • Consolidated risk registers and incident reporting workflows


How Are They Aligned?

While separate frameworks, DISP and SOCI share several common requirements:

  • Cybersecurity uplift (aligned to ACSC’s Essential Eight)

  • Insider threat mitigation

  • Supply chain due diligence

  • Incident response and breach reporting

  • Board-level governance and accountability

See our DISP-to-SOCI mapping guide →


Our Support Services

DefenceIndustries.com.au helps organisations navigate both DISP and SOCI with:

  • Joint DISP/SOCI control mapping templates

  • Risk management plans aligned to ISO 31000

  • Cybersecurity strategies aligned with ACSC and Australian Signals Directorate

  • ReadiNow integration for continuous governance

  • Board briefings and executive risk workshops