Agilient Security Consultants Australia

SOCI Act Compliance: A Leader’s Roadmap to Critical Infrastructure Resilience


Disclaimer: The information contained in this article is general in nature and does not constitute legal advice. Readers are encouraged to obtain legal advice that applies to their particular circumstances.

Why SOCI Matters to Boards and Executives

For Australia’s infrastructure leaders, the Security of Critical Infrastructure Act 2018 (SOCI Act) has shifted from an “IT compliance task” to a core governance priority. Whether you lead a local council, a private utility, or a major hospital, the goal of the SOCI framework is simple: uplifting the security and resilience of the assets that underpin our economy and way of life.

Disruptions to these essential services, whether from a cyberattack, a natural disaster, or a supply chain failure, can have devastating impacts on community safety and national security. For the Board or Council, SOCI compliance isn’t just about avoiding regulatory penalties; it’s about having the confidence that material risks are identified, managed, and mitigated across the entire organisation.

The SOCI Act in Plain English

The SOCI Act is the legislative framework that sets security obligations for specific “critical infrastructure assets”. If your organisation owns or operates one of these assets, you likely have three primary responsibilities:

  1. Registering Assets: Providing details about the asset and who has control over it to the Register of Critical Infrastructure Assets.
  2. Risk Management Program (CIRMP): Developing and maintaining a written program to manage “material risks” across four key hazard vectors.
  3. Annual Reporting: Submitting an annual report, approved by your governing body, that attests to the effectiveness and currency of your risk program.

In some cases, if an asset is declared a System of National Significance (SoNS), it may be subject to enhanced cybersecurity obligations.

Does SOCI Apply to Your Organisation?

Determining your status is the first step in the roadmap. The Act defines two main types of “reporting entities”:

  • Responsible Entities: Usually the entity that holds the license or is primarily responsible for the asset’s operation (e.g., the water utility or the port operator).
  • Direct Interest Holders: Entities that hold (together with associates) an interest of at least 10% in the asset or are in a position to directly or indirectly control it.

Common Asset Classes Requiring a CIRMP

The requirement to have a Critical Infrastructure Risk Management Program (CIRMP) currently applies to the following sectors and asset classes:

Sector              Asset Classes Subject to CIRMP
Communications      Broadcasting, Domain Name Systems, Telecommunications*
Energy              Electricity, Energy Market Operators, Gas, Liquid Fuels
Transport           Freight Infrastructure (Intermodal facilities), Freight Services
Water               Water and Sewerage
Financial Services  Payment Systems
Food & Grocery      Critical Supermarkets and Wholesalers
Health              Designated Hospitals
Data Storage        Data Storage or Processing Assets

*Note: Telecommunications assets follow the specific TSRMP Rules.

Your Implementable Roadmap

If you are a responsible entity, use this staged approach to ensure your organisation meets its obligations.

Step 1: Confirm Obligations and Governance

Owner: CEO / General Counsel | Effort: 1–2 Weeks | Output: Obligation Register

  • Identify Assets: Review the SOCI definitions to confirm which of your assets are captured.
  • Map Stakeholders: Identify your “responsible entity” status and any “direct interest holders”.
  • Check for SoNS: Determine if you have received notification that your asset is a System of National Significance.

Step 2: Build or Uplift Your CIRMP

Owner: CISO / Head of Security | Effort: 2–6 Weeks | Output: All-Hazards CIRMP Document

Your CIRMP must identify “material risks” that could cause a “relevant impact” (impacting availability, integrity, or reliability). It must address four mandatory hazard vectors:

  1. Cyber and Information Security: Managing risks like phishing, malware, and credential harvesting. Entities must adopt a recognised cyber framework (e.g., NIST, AESCSF, or Essential Eight).
  2. Personnel / Trusted Insider: Identifying critical workers who have access to critical components and ensuring they are suitable (e.g., through background checks).
  3. Supply Chain: Identifying major suppliers and managing risks of disruption or unauthorised access via the supply chain.
  4. Physical and Natural: Protecting physical critical components from unauthorised access and natural hazards like floods or bushfires.

Step 3: Annual Report and Board Assurance

Owner: The Board / Governing Body | Effort: 4–8 Weeks | Output: Signed Annual Report

  • Governing Body Approval: The Board or Council must approve the CIRMP and sign off on the annual report.
  • Submission Window: The annual report must be submitted to the relevant regulator within 90 days of the end of the financial year (typically by 28 September).
  • Content: The report details whether the program was effective, any variations made, and whether any significant incidents occurred.

Step 4: Build an Assurance Cadence

Owner: Risk / BCM Leaders | Effort: Ongoing | Output: Audit-Ready Evidence Folder

  • Regular Review: You must review your CIRMP at least every 12 months to ensure it remains current.
  • Incident Response: Regularly test your response and recovery playbooks through exercises.

Timeframes and What to do if You’re Behind

The “grace periods” for initial CIRMP adoption have passed for most existing assets.

  • August 2023: Entities were required to have their process or system in place.
  • August 2024: Entities were required to implement their chosen cybersecurity framework.

If you are just starting, don’t panic, but act urgently. The regulator (CISC) has the power to issue directions to remedy “seriously deficient” programs that pose a material risk to national security.

Common Mistakes to Avoid

  • The “Paper Tiger”: Treating the CIRMP as a static document rather than an active operating model.
  • Cyber-Only Focus: Neglecting the personnel, supply chain, and physical hazard requirements.
  • Missing Critical Workers: Failing to name or properly identify the individuals with access to critical components.
  • Weak Evidence: Not maintaining the “attestation evidence” needed to prove to the Board that controls are actually working.

How Agilient Helps

Agilient is your vendor-neutral partner in navigating the complexities of SOCI Act compliance. We help you move beyond “checking boxes” to building true organisational resilience.

  • Obligation Assessments: Determining exactly which assets are captured and what your reporting status is.
  • CIRMP Design & Uplift: Building an all-hazards program that integrates seamlessly with your existing ISO 31000 or BCP frameworks.
  • Hazard Risk Assessments: Specialist deep-dives into insider risk, supply chain vulnerabilities, and physical security.
  • Board Reporting Packs: Preparing the data and narratives your governing body needs to sign off with confidence.
  • Audit Preparation: Ensuring your program stands up to regulatory scrutiny and “Review and Remedy” directions.

SOCI Act FAQs

Q: Do we have to submit our full CIRMP to the government?

A: No. You are required to submit an Annual Report that attests to the program’s effectiveness, but you do not need to submit the full program unless the regulator requests it for a compliance audit.

Q: What is a “material risk”?

A: A risk that could result in a stoppage or major slowdown of the asset, a loss of access to critical components, or interference with the technology essential to the asset’s function.

Q: Is the AusCheck background checking service mandatory?

A: No. Using AusCheck is optional. You may use other suitable background-checking schemes, as long as you can demonstrate that your personnel risks are being managed appropriately.

Q: How often must the Board review the program?

A: At a minimum, the CIRMP must be reviewed every 12 months to ensure it is current and effective.

Q: What happens if we miss the annual reporting deadline?

A: The SOCI Act does not allow for extensions. If you report outside the 90-day window, the CISC will likely contact you to determine if compliance action is necessary.

Q: Does SOCI apply to assets outside of Australia?

A: Generally, assets must be located in Australia. However, some exceptions apply, such as certain satellite-based facilities or submarine cables in Australian waters.

Copyright © 2026 Agilient – Level 14, 275 Alfred St, North Sydney NSW 2060 Australia – 1300 341 692