Why the same gaps keep appearing
Defence procurement questionnaires are written for prime contractors with dedicated security teams. Most Australian defence subcontractors entering the supply chain — including the engineering and fabrication businesses clustering around WA's Henderson precinct — are mid-sized firms, strong at their core work but not set up for the documentation, access controls and evidence trails a defence customer expects to see before awarding work.
The gaps are not failures of intent. They are failures of translation. The standards exist — Essential Eight, DISP, ISO 27001 — and the requirements are public. What is missing is the operational knowledge to map what you already do to what the procurement team needs to see in writing. A structured defence-ready audit exists to do exactly that translation: score where you stand, evidence what already works and scope what remains. Every gap below is one you can close before a tender closes — if you know it is there.
Gap 1: Data sovereignty is assumed, not demonstrated
Most businesses know where their critical data lives. Very few can demonstrate it with an evidence trail — and in defence procurement, an undemonstrated control scores the same as a missing one. AUKUS supply chain customers want a documented data-flow map, verified storage locations and a plain statement of whether any data transits or is processed offshore. "Our cloud provider has an Australian region" is an assumption; an evidence pack is a demonstration.
Fix: build a one-page data-flow diagram covering your critical operational data. Name every system, every storage location and every third-party processor. Flag any offshore exposure explicitly — a declared exposure with a mitigation plan reads far better than silence. This single document closes one of the most heavily weighted questions on the assessment and signals to the buyer that you understand sovereignty as an engineering problem, not a checkbox.
Gap 2: Access controls are not documented
Role-based access control is common. Documented, auditable, regularly reviewed role-based access control is not — and it is the documented version that maps to the Essential Eight's restriction of administrative privileges. Defence customers want evidence that access is granted on a need-to-know basis, reviewed on a schedule and revoked promptly when staff leave. The control failing silently for one departed contractor is exactly the scenario the questionnaire is probing for.
Fix: export the current user-access list from every business-critical system. Record the review date and the approval chain for each grant. Then run the test we apply in every audit: if you cannot produce that evidence in under 1 hour, your access-control posture has a gap — not in the control itself, but in your ability to prove it, which is what the procurement decision turns on.
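The one-hour evidence test above is easier to pass when the check is scripted. The following is an added example (not from the original article or its authors' audit tooling): it takes a constructed user-access export from one system, a constructed HR leavers list and an assumed 90-day review schedule, and produces the findings an assessor looks for: active grants for departed staff, grants with no recorded approver, and grants whose last review is older than the schedule. All user names, dates and the review period are assumptions for the sample.

```python
"""Access-review evidence check (added example, constructed data).

Given a per-system access export, an HR leavers list and a review
schedule, emit the findings a procurement assessor will probe for.
"""
from datetime import date

REVIEW_PERIOD_DAYS = 90          # assumed quarterly review schedule
AS_OF = date(2025, 6, 30)        # assessment date (constructed)

# Constructed export from a business-critical system: one row per grant.
ACCESS_EXPORT = [
    {"user": "a.ng",      "role": "admin",  "granted": "2024-11-03",
     "approved_by": "cto", "last_review": "2025-05-10"},
    {"user": "j.smith",   "role": "editor", "granted": "2023-02-14",
     "approved_by": "ops", "last_review": "2024-12-01"},
    {"user": "contract7", "role": "admin",  "granted": "2024-08-20",
     "approved_by": "",    "last_review": "2025-04-02"},
    {"user": "m.okafor",  "role": "viewer", "granted": "2025-01-09",
     "approved_by": "ops", "last_review": "2025-06-15"},
]

# Constructed HR leavers list: user -> last working day.
LEAVERS = {"contract7": "2025-03-31"}


def review_access(export, leavers, as_of=AS_OF, period=REVIEW_PERIOD_DAYS):
    """Return (user, role, finding) tuples for every grant that fails a check."""
    findings = []
    for grant in export:
        user, role = grant["user"], grant["role"]

        # Check 1: access still active after the person has left.
        if user in leavers and date.fromisoformat(leavers[user]) <= as_of:
            findings.append((user, role,
                             "active grant for departed user (left %s)" % leavers[user]))

        # Check 2: no approval chain recorded for the grant.
        if not grant["approved_by"]:
            findings.append((user, role, "no recorded approver"))

        # Check 3: last review older than the review schedule.
        age = (as_of - date.fromisoformat(grant["last_review"])).days
        if age > period:
            findings.append((user, role,
                             "last review %d days ago, exceeds %d-day schedule" % (age, period)))
    return findings


def evidence_summary(export, leavers, as_of=AS_OF, period=REVIEW_PERIOD_DAYS):
    """Headline numbers for the evidence pack: grants, grants in schedule, open findings."""
    in_schedule = sum(
        1 for g in export
        if (as_of - date.fromisoformat(g["last_review"])).days <= period
    )
    findings = review_access(export, leavers, as_of, period)
    return {"grants": len(export), "reviewed_in_schedule": in_schedule,
            "open_findings": len(findings)}


if __name__ == "__main__":
    for user, role, finding in review_access(ACCESS_EXPORT, LEAVERS):
        print("%-10s %-7s %s" % (user, role, finding))
    print(evidence_summary(ACCESS_EXPORT, LEAVERS))
```

Run it once per business-critical system and keep the dated output with the raw export; the script's output is the evidence, the export is the source it was derived from, and the two together answer the question the assessor is actually asking.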
Gaps 3 to 5: Supply chain, AI risk and incident response
Supply chain and SBOM gaps appear when a business cannot account for the software components inside its products or services. If you ship anything built on open-source libraries, third-party APIs or cloud services — and almost everyone does — you need a component inventory and a working process for tracking known vulnerabilities against it. Buyers assessing AUKUS-ready suppliers increasingly ask for the SBOM up front, because your software supply chain becomes theirs the moment you are onboarded.
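A "working process for tracking known vulnerabilities" against a component inventory reduces to one repeatable join: match each SBOM component to advisories by ecosystem and package name, then test whether the shipped version falls in the affected range. The following is an added example (not from the original article): it reads a minimal CycloneDX-style SBOM with package URLs (purls) and matches it against a constructed advisory list in the shape used by public feeds (introduced/fixed version bounds). Package names, versions and advisory identifiers are all constructed; version comparison assumes dotted numeric versions and treats any non-numeric suffix as zero.

```python
"""SBOM vulnerability matching (added example, constructed data).

Joins a CycloneDX-style component list to an advisory list by
ecosystem + package name and reports components inside an affected
version range.
"""
import json
import re

# Constructed SBOM: package names and versions are fictitious.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "widgetlib",     "version": "1.4.2",
     "purl": "pkg:pypi/widgetlib@1.4.2"},
    {"type": "library", "name": "fastjson-lite", "version": "3.2.0",
     "purl": "pkg:npm/fastjson-lite@3.2.0"},
    {"type": "library", "name": "logfmt-core",   "version": "2.14.1",
     "purl": "pkg:maven/org.example.logging/logfmt-core@2.14.1"}
  ]
}
"""

# Constructed advisories with placeholder ids; "fixed": None means no fix yet.
ADVISORIES = [
    {"id": "ADV-CONSTRUCTED-0001", "ecosystem": "pypi",  "package": "widgetlib",
     "introduced": "1.0.0", "fixed": "1.5.0"},
    {"id": "ADV-CONSTRUCTED-0002", "ecosystem": "npm",   "package": "fastjson-lite",
     "introduced": "3.0.0", "fixed": "3.1.9"},
    {"id": "ADV-CONSTRUCTED-0003", "ecosystem": "maven", "package": "logfmt-core",
     "introduced": "2.0.0", "fixed": None},
]


def parse_purl(purl):
    """Split pkg:<type>/[namespace/]<name>@<version> into its parts."""
    body = purl[len("pkg:"):] if purl.startswith("pkg:") else purl
    path, _, version = body.partition("@")
    parts = path.split("/")
    return {"type": parts[0], "namespace": "/".join(parts[1:-1]),
            "name": parts[-1], "version": version}


def version_key(version):
    """Tuple of leading integers per dotted segment; non-numeric text counts as 0."""
    key = []
    for seg in version.split("."):
        m = re.match(r"\d+", seg)
        key.append(int(m.group()) if m else 0)
    return tuple(key)


def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed (no upper bound if fixed is None)."""
    v = version_key(version)
    if v < version_key(introduced):
        return False
    if fixed is not None and v >= version_key(fixed):
        return False
    return True


def match_advisories(sbom_json, advisories):
    """Return one hit per (component, advisory) pair in an affected range."""
    sbom = json.loads(sbom_json)
    hits = []
    for comp in sbom.get("components", []):
        p = parse_purl(comp["purl"])
        for adv in advisories:
            if (adv["ecosystem"] == p["type"] and adv["package"] == p["name"]
                    and is_affected(p["version"], adv["introduced"], adv["fixed"])):
                hits.append({"component": p["name"], "version": p["version"],
                             "advisory": adv["id"], "fixed_in": adv["fixed"]})
    return hits


if __name__ == "__main__":
    for hit in match_advisories(SBOM_JSON, ADVISORIES):
        print("%s %s affected by %s (fixed in %s)" % (
            hit["component"], hit["version"], hit["advisory"], hit["fixed_in"] or "no fix"))
```

The evidence a buyer wants is not the script but its dated output run against the SBOM you shipped, plus a record of what you did with each hit (upgraded, mitigated, or accepted with a reason). Keeping that output alongside the SBOM is what turns a component inventory into a tracked process.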
An AI risk register is now expected from any business using AI tools internally or in client-facing systems. Auditors want to see that you have identified which AI systems you use, what data they process and what controls govern their use. The register should sit alongside a written AI usage policy — if you do not have one, AI policy generation produces a defensible, framework-mapped draft in days rather than the months a manual drafting exercise takes.
Incident response is the gap that surprises most businesses. Having a plan is not enough. Defence customers want evidence the plan has been tested in the last 12 months, that staff have been trained on it and that contact lists are current. A dated tabletop-exercise record is worth more in an assessment than a 40-page plan nobody has rehearsed.
Gaps 6 and 7: Monitoring evidence and personnel screening
Continuous monitoring is not just a technical control — it is an evidence-generation discipline. Your SIEM or log management system needs to produce reports that demonstrate active oversight, not passive collection. Auditors want to see that alerts are triaged, reviewed and acted on, with a record of who did what and when. Logs that nobody reads fail the assessment as surely as logs that do not exist.
Personnel screening alignment is the final common gap. Requirements vary by programme and clearance level, but most businesses cannot produce a clear record of which roles require what level of screening, who has been screened and when each screening lapses. For Australian defence subcontractors this is often the longest lead-time item — screening queues are measured in months, so the register needs to exist before the contract does. Our guide to subcontractor compliance covers how these obligations flow down from primes and what evidence each tier is expected to hold.
Closing the gaps in 30 days
None of these gaps require a multi-year remediation programme. They require structured effort, clear ownership and documentation discipline. We have closed all seven inside a four-week engagement with businesses that started with no security framework at all — the work is bounded, and the deliverables are concrete: a scored report, a gap analysis and an evidence pack you can put in front of a procurement team.
The sequence matters. Start with data sovereignty and access controls — they underpin everything else and carry the most assessment weight. Then run supply chain, AI risk and incident response in parallel; each has a different owner, so they do not block one another. Monitoring evidence and personnel screening come last and are largely documentation tasks once the underlying controls exist.
If your procurement deadline is under 30 days, focus on the first two gaps and produce a credible remediation roadmap for the rest. Defence buyers award work to suppliers who evidence where they are and show a governed path to where they need to be. A scored report with a dated plan beats an incomplete submission claiming full compliance — every time.