Security of Critical Infrastructure

SOCI obligations at a glance

The Security of Critical Infrastructure Act 2018 (SOCI Act) provides a framework for managing and protecting critical infrastructure.

The SOCI Act applies to 11 critical infrastructure sectors and 22 critical infrastructure asset classes.

Key requirements under the SOCI Act:

  • Register of Critical Infrastructure Assets
  • Obligation to notify data service providers
  • Mandatory cyber security reporting
  • Enhanced cyber security obligations for Systems of National Significance (SoNS)
  • Critical Infrastructure Risk Management Program.

Critical Infrastructure Risk Management Programs


The Security of Critical Infrastructure (Critical infrastructure risk management program) Rules 2023 (CIRMP Rules) set out the mandatory baseline security standards for a CIRMP and provide further detail on the hazards that responsible entities for the following 13 critical infrastructure asset classes must consider:

  • a critical broadcasting asset
  • a critical domain name system
  • a critical data storage or processing asset
  • a critical electricity asset
  • a critical energy market operator asset
  • a critical gas asset
  • a designated hospital
  • a critical food and grocery asset
  • a critical freight infrastructure asset
  • a critical freight services asset
  • a critical liquid fuel asset
  • a critical payment system
  • a critical water asset.


To work out whether you fall within any of these asset classes, you will need to review the definitions in the SOCI Act as well as the Security of Critical Infrastructure (Definitions) Rules 2021.

Key CIRMP components:

  • Security Risk Management
  • Governance and CIRMP lifecycle
  • Cyber and information security
  • Personnel security
  • Physical security
  • Supply chain security
  • Natural hazards

Key Dates

  • 18 August 2023 – Commencement of Critical Infrastructure Risk Management Program obligations (all but cyber)
  • 30 June – 28 Sep 2024 – First Board-approved annual report due to the regulator (must be submitted within 90 days after the end of the financial year)
  • 17 August 2024 – Annual review of the CIRMP to ensure it is up to date (update or variation if required)
  • 18 August 2024 – Commencement of the cyber security component of the CIRMP Rules against a recognised framework (ISO27001, AESCSF, NIST, E8) or equivalent

How we can help you achieve compliance with the SOCI Act and CIRMP Rules

Providence has deep knowledge of the critical infrastructure reforms and offers extensive proficiency across the relevant disciplines: security and risk management, personnel security, physical security and supply chain security. We collaborate with like-minded partners that deliver cyber security solutions.

We provide integrated advice and solutions tailored to your operating context and resources to enable the resilience and business continuity of your enterprise.

Providence offers the following services:

  • Brief your Board on Directors’ SOCI governance obligations
  • All-in-one SOCI-ready package for new and in-development critical infrastructure assets
  • Establishment of a Critical Infrastructure Risk Management Program (CIRMP)
  • Annual CIRMP evaluation, review and security maturity pathway
  • CIRMP assurance in preparation for the Board-approved annual report
  • Tailored insider threat and workforce assurance.

Interested in learning more?

Register to download a detailed briefing on ‘Security of Critical Infrastructure’.

To learn more, or to discuss the next steps to meet your SOCI obligations and identify benefits that stem from meeting those obligations, fill out the form below and our team will be in touch.

Adash Janiszewski

Chief Executive Officer

Adash is Providence’s CEO and is responsible to the Providence Board and Providence’s clients for ensuring the timely delivery of outcomes through advice, guidance and mentoring to Providence’s staff.