SOCI Critical Infrastructure Risk Management Program (CIRMP) – What Do You Need to Do to Comply?

SOCI Critical Infrastructure Risk Management Program (CIRMP). What is it and what are its Rules?

The Critical Infrastructure Risk Management Program (CIRMP) states that entities responsible for Critical Infrastructure Assets (CIAs) must implement a Critical Infrastructure Risk Management Program by 17 August 2023.

These Rules form part of the requirements for entities governed by the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act). A summary of all the requirements to be met under the SOCI Act is available here.

Responsible entities with CIAs in any of the 13 sectors listed below must be able to show the risk methodology and operational context for their CIRMP and maintain a system which demonstrates how they address four different types of hazards.

Responsible entities must comply with one of the following frameworks by 17 August 2024:

All information will then need to be compiled into an annual report to be submitted to the Secretary of the Department of Home Affairs by the end of the 2023-24 financial year.

Which sectors do the CIRMP Rules apply?

CIAs from two of the 15 sectors (namely ‘defence’ and ‘space technology’) which are covered under the SOCI Act are not covered by these Rules.

The CIRMP Rules do apply to the following types of CIAs:

  • broadcasting assets
  • domain name systems
  • data storage or processing assets
  • electricity assets
  • energy market operator assets
  • gas assets
  • designated hospitals (specific hospitals are listed in the Rules)
  • food and grocery assets
  • freight infrastructure assets
  • freight services assets
  • liquid fuel assets
  • financial market infrastructure assets mentioned in paragraph 12D(1)(i) of the Act, and/or
  • water assets. 

Exemptions may apply for responsible entities which hold strategic level hosting certifications issued by the Commonwealth.

What must Responsible entities do to meet the CIRMP Rules?

Responsible entities holding relevant CIAs are required to develop, maintain and update their CIRMP. 

The CIRMP must document how a Responsible entity does the following:

  1. Identifies hazards where a material risk arises which may impact the availability, reliability, integrity or confidentiality of an entity’s CIA, and
  2. Reasonably minimises and mitigates the material risk and hazards. 

The CIRMP must cover the following four types of hazards:

  1. Cyber and information security hazards – establish and maintain a system that minimises material risks of a cyber and information security hazard occurring and seeks to mitigate the impact if an event occurs.
  2. Personnel hazards – establish and maintain a system that identifies critical workers, permits critical workers authorised access to critical components, minimise material risks arising from malicious or negligent personnel, as well as offboarding processes.
  3. Supply chain hazards – establish and maintain a system that minimises unauthorised access to supply chain, misuse of privileged access, disruption of supply chain assets and mitigating threats to the products, services and personnel within supply chains.
  4. Physical security and natural hazards – establish and maintain a system that identifies the physical critical assets, incorporate an incident response plan to mitigate the impact of unauthorised access, restrict access and test security procedures to protect physical assets.   

As part of their CIRMP, responsible entities must also describe:

  • The operational context of their CIA(s);
  • Interdependencies between their CIA(s) and other CIA(s);
  • Who is responsible for developing, implementing, reviewing and updating their CIRMP; 
  • How the CIRMP will be developed, implemented, reviewed and updated; and
  • Outline any risk management frameworks and methodologies used. 

Once the CIRMP has been developed, it must be signed off by the Responsible entity’s executive body and have actions in place to regularly review and update the CIRMP if required.

The CIRMP must document how a Responsible entity does the following: 1. Identifies hazards where a material risk arises which may impact the availability, reliability, integrity or confidentiality of an entity’s CIA, and

2. Reasonably minimises and mitigates the material risk and hazards.
The CIRMP must cover the following types of hazards: 1. Cyber and information security hazards – Establish and maintain a system that minimises material risks of a cyber and information security hazard occurring and seeks to mitigate the impact if an event occurs.

2. Personnel hazards – Establish and maintain a system that identifies critical workers, permits critical workers authorised access to critical components, minimise material risks arising from malicious or negligent personnel, as well as offboarding processes.

3. Supply chain hazards – Establish and maintain a system that minimises unauthorised access to supply chain, misuse of privileged access, disruption of supply chain assets and mitigating threats to the products, services and personnel within supply chains.

4. Physical security and natural hazards – establish and maintain a system that identifies the physical critical assets, incorporate an incident response plan to mitigate the impact of unauthorised access, restrict access and test security procedures to protect physical assets.
As part of their CIRMP, Responsible entities must also describe: 1. The operational context of their CIA(s);

2. Interdependencies between their CIA(s) and other CIA(s);

3. Who is responsible for developing, implementing, reviewing and updating their CIRMP;

4. How the CIRMP will be developed, implemented, reviewed and updated;

5. Outline any risk management frameworks and methodologies used.

Once the CIRMP has been developed, it must be signed off by the Responsible entity’s executive body and have actions in place to regularly review and update the CIRMP if required.

When do responsible entities need to comply with the new CIRMP rules by?

Initial Start Up

Responsible entities with the relevant CIAs must comply with the new CIRMP Rules by 17 August 2023. This is awarded as a 6-month grace period from the initial commencement of the Rules on 17 February 2023.

Annual Report

The required annual report must be compiled in an approved format and submitted to the Secretary of the Department of Home Affairs within 90 days after 30 June 2024 (end of 2023-24 financial year). However, if possible, the Cyber and Infrastructure Security Centre (CISC) recommends that Responsible entities voluntarily submit an annual report for the 2022-23 financial year.

For Responsible entities that operate payment systems and have CIAs related to the financial services and markets sector, annual reports are to be submitted to the Reserve Bank of Australia.

Security certification(s)

Once Responsible entities become compliant with the CIRMP Rules by 17 August 2023, they have an additional 12 months until 17 August 2024 to demonstrate their CIRMP aligns with the below cyber frameworks or equivalent:

  • Australian Standard AS ISO/IEC 27001:2015
  • Essential Eight Maturity Model published by the Australian Signals Directorate
  • Framework for Improving Critical Infrastructure Cybersecurity published by the National Institute of Standards and Technology of the United States of America
  • Cybersecurity Capability Maturity Model published by the Department of Energy of the United States of America
  • The 2020‑21 AESCSF Framework Core published by Australian Energy Market Operator Limited (ACN 072 010 327)

Next steps for CIRMP Requirements

Responsible entities for CIAs should start updating their processes to meet the CIRMP requirements as soon as possible.

As the CISC has stated they intend to continue proactively engaging with critical infrastructure providers in relation to the SOCI Act, we can expect additional rules and guidance to be developed over the coming years.

Contact our Senior Consultant Samuel Wall about how Sekuro can help your company implement its obligations under the CIRMP Rules and the SOCI Act.

Samuel Wall

Senior Consultant, Sekuro

Sam Wall is a Senior Consultant specialising in privacy, governance, risk and compliance for Sekuro. He recently finished working as a Visiting Fellow at the Australian National University, researching developments in governance of artificial intelligence, intellectual property, international trade and national security. He previously spent seven years working in regional legal and policy counsel roles for the film and music industries across 14 countries in the Asia-Pacific. He has primarily worked with clients in the telecommunications, logistics, tech, government and education sectors.

Mia Symonds

Analyst, Sekuro

Mia currently holds the role of Analyst and has experience across a diverse range of industries, organisational sizes, and maturity levels in the Information Technology (IT), critical infrastructure, and legal sectors. She participates in initiatives as a representative of the Governance, Risk and Compliance (GRC) sector, by providing businesses with GRC guidance and interpretation of information security standards, risks and best practices. Throughout her time at Sekuro, Mia has gained a wide range of experience in operations, security, delivery, and consulting.

Martin Hossain

Associate Analyst, Sekuro

Martin Hossain is a recent Law and Security Studies graduate and has joined Sekuro in 2023. As an associate analyst, he is currently working within the GRC spectrum to ensure organisations align themselves with the relevant ISMS certifications. He is also a part of the IMS Compliance team, ensuring Sekuro's internal processes related to information systems are up to date and privacy obligations are being adhered to.

Scroll to Top