What Is a Security Management Plan?

corporate security disp security governance security management plan smp Jul 08, 2026

What Is a Security Management Plan?

A Security Management Plan (SMP) is the foundational governance document of an organisation's security program. It defines how security will be managed β€” the framework, the accountabilities, the policies, and the procedures that give a security program its structure.

For DISP-accredited organisations, the SMP is a mandatory document. For other organisations, it is the single most effective tool for converting a collection of security measures into a coherent, governable program.


Why the SMP Exists

Security measures without governance are just a list of things. A guard at the door. A camera system. An access control card. These individual elements have value, but without a governing framework that defines how they fit together, who is responsible for them, and how they are maintained and reviewed, they are not a program.

An SMP provides that framework. It is the document that answers the question: how does security actually work here?

For organisations with regulatory or contractual security obligations β€” DISP members, critical infrastructure operators, government contractors β€” the SMP is also the evidence that security is being managed in a structured, accountable way. It is what an auditor reviews. It is what a government agency assesses. It is what provides defensibility if something goes wrong.


What an SMP Must Contain

The content of an SMP varies with the nature of the organisation and the regulatory framework it operates within. For DISP members, the Defence Industry Security Office (DISO) prescribes the structure and content requirements. For other organisations, the SMP should be designed around the organisation's actual security risk environment and the frameworks that apply to it.

At a minimum, a well-structured SMP covers:

Scope and purpose. What does this plan cover? Which facilities, which operations, which personnel? What is its purpose and what regulatory or contractual obligations does it address?

Security governance. Who is responsible for security at each level of the organisation? The Security Officer role, the accountabilities of leadership, the responsibilities of staff, and the escalation pathways for security matters.

Risk framework. How does the organisation assess and manage security risk? The methodology, the risk register, and the process for reviewing and updating the risk picture.

Physical security. The physical security measures in place β€” perimeter, access control, surveillance, alarm systems β€” and the standards they are designed to meet.

Personnel security. Pre-employment screening requirements, clearance management (where applicable), onboarding and offboarding procedures, and the ongoing personnel security obligations for staff.

Information security. How classified, sensitive, or commercially valuable information is handled, stored, transmitted, and disposed of. ICT security controls and their relationship to the overall information security posture.

Incident management. How security incidents are identified, reported, managed, and reviewed. Notification obligations to regulatory authorities where relevant.

Security awareness and training. How security awareness is maintained across the organisation β€” induction training, ongoing awareness programs, and specific training for personnel with elevated security responsibilities.

Review and continuous improvement. How the SMP itself is reviewed and updated β€” the review cycle, the trigger events for out-of-cycle review, and the approval process for changes.


The DISP SMP Requirement

For organisations seeking or maintaining DISP accreditation, the SMP is not optional and not generic. DISO assesses the SMP as part of the accreditation process and during subsequent audits.

The DISP SMP must address the four DISP security domains β€” governance, physical security, personnel security, and ICT security β€” at the level appropriate to the tier of accreditation sought. An SMP written for Tier 1 accreditation looks different from one written for Tier 3.

Common SMP failures in DISP applications:

  • Generic templates that have not been tailored to the organisation's actual circumstances
  • Security measures described that are not actually in place
  • Governance structures that name roles without defining accountabilities
  • Risk registers that are static snapshots rather than living documents
  • No clear review or update process

An SMP that does not reflect the actual security posture of the organisation is a liability, not an asset. If an audit finds a gap between what the SMP says and what the organisation actually does, the consequences extend beyond the audit finding.


Maintaining the SMP

An SMP is not a document written once and filed. It is a living document that must reflect the actual security posture of the organisation at all times.

Trigger events for SMP review and update include:

  • Change in the organisation's physical environment β€” new facilities, relocations, fit-outs
  • Change in the workforce β€” significant growth, restructuring, changes in cleared personnel
  • Change in the regulatory environment β€” new or updated DISO guidance, changes to applicable legislation
  • A security incident or near miss
  • A change in the threat environment relevant to the organisation
  • The scheduled review date defined in the SMP itself

For most organisations, an annual review of the SMP β€” with out-of-cycle updates triggered by the events above β€” is the minimum appropriate standard.


Empire Protection β€” SMP Development and Review

Empire Protection develops Security Management Plans for DISP-accredited organisations and non-DISP corporate clients. Our SMPs are built around the organisation's actual security posture β€” not generic templates β€” and are designed to withstand audit scrutiny.

We also provide SMP review and gap assessment services for organisations whose existing SMP needs to be updated, strengthened, or realigned with current regulatory requirements.

Contact Empire Protection


Empire Protection β€” Demand Excellence in everything we do. Sydney, Australia | empireprotection.global

The Right People, The Right Methods, The Right Results.
In everything we do,Β Empire ProtectionΒ Demands Excellence.