Australia: New SOCI Critical Infrastructure Risk Management Program Rules now in effect

Hogan Lovells

Hogan Lovells

[co-author: Bonnie Liu]

The Security of Critical Infrastructure (Critical Infrastructure Risk Management Program Rules) (LIN 23/006) 2023 (CIRMP Rules) came into force on 17 February 2023. Responsible entities for certain critical infrastructure assets have six months to ensure they have a risk management program that adequately addresses all hazards, including in four key risk areas: cyber, personnel, supply chain and physical security.


The Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 introduced amendments to the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act) which included additional positive security obligations on responsible entities for certain critical infrastructure assets to maintain a Risk Management Program (RMP) that comply with the Risk Management Program Rules.

The final version of the Critical Infrastructure Risk Management Program Rules (being the CIRMP Rules) have now been registered following stakeholder consultation which closed late last year. Responsible entities for the classes of critical infrastructure specified in the CIRMP Rules must ensure they have a compliant risk management program in place by 17 August 2023 and implement appropriate cybersecurity systems and processes in line with industry standards by 17 August 2024.

Applicability of the new rules

The new CIRMP Rules apply to the following classes of critical infrastructure (amongst others):

Key SOCI obligations regarding risk management rules

Broadly speaking, responsible entities for the classes critical infrastructure assets mentioned above must have a risk management program that:

  • identifies each hazard where there is a ‘material risk’ that the occurrence of the hazard could have a ‘relevant impact’ on the asset (being an impact on the availability, integrity reliability, or confidentiality of the information about the asset);
  • so far as it is reasonably practicable to do so - minimise or eliminate any material risk of such a hazard occurring; and
  • so far as it is reasonably practicable to do so - mitigate the relevant impact of such a hazard on the asset.

(SOCI Act, section 30AA).

‘Material risk’ includes, but is not limited to the following:

  • a stoppage or major slowdown of the critical infrastructure asset’s function for an unmanageable period;
  • a substantive loss of access to, or deliberate or accidental manipulation of, a critical component of the critical infrastructure asset;
  • an interference with the critical infrastructure asset’s operational technology or information communication technology essential to the functioning of the asset;
  • the storage, transmission or processing of sensitive operational information outside Australia; and/or
  • remote access to operational control or operational monitoring systems of the critical infrastructure asset.

(CIRMP Rules, section 6).

Examples of risk mitigation processes include (but are not limited to) conducting background checks on key personnel, restricting physical access to critical infrastructure components to critical workers, implementing automatic patches and web/email content filtering within an organisation’s systems. The Australian Cyber Security Centre (ACSC) has published guidance on strategies to mitigate cyber security risks (available here) which may be of assistance to organisations seeking to develop their risk management programs.

Additionally, responsible entities must review the risk management plan on a regular basis, take all reasonable steps to ensure their risk management program is up to date and submit an annual report to the Department of Home Affairs/ACSC within 90 days after the end of each financial year in relation to the risk management plan. The first annual report is due 90 days after the end of FY 2024 (30 June 2024), although voluntary submission is encouraged for FY23.

Further, the risk management program must be signed off by the responsible entity’s board (or other governing body/council).

Cyber and information security hazards

The CIRMP Rules require responsible entities to establish and maintain a process of system in their risk management plans in relation to all hazards, which:

  • identifies the operational context and material risk to each critical infrastructure asset;
  • minimises or eliminates the material risks; and
  • mitigates the relevant impact of each hazard on the critical infrastructure asset.

Additionally, an entity’s risk management plan must address hazards from the following four categories: ­­­­­­

Importantly, in relation to cyber and information security, responsible entities are required to comply with a cybersecurity framework set out in the CIRMP Rules (or an equivalent framework) by 17 August 2024. The relevant cyber frameworks are:



Australian Standard AS ISO/IEC 27001:2015


Essential Eight Maturity Model published by the Australian Signals Directorate


Meet maturity level one as indicated in the Essential Eight Maturity Model, being a set of requirements to attain a level of cyber security that addresses risks arising from adversaries who are content to leverage commodity tradecraft that is widely available in order to gain access to, and likely control of, systems.

Framework for Improving Critical Infrastructure Cybersecurity published by the National Institute of Standards and Technology of the United States of America



Cybersecurity Capability Maturity Model published by the Department of Energy of the United States of America

Meet Maturity Indicator Level 1 as indicated in the document Cybersecurity Capability Maturity Model, being a set of requirements to attain a level of cybersecurity in which initial practices are performed.

The 2020‑21 AESCSF Framework Core published by Australian Energy Market Operator Limited (ACN 072 010 327)

Meet Security Profile 1 as indicated in the document 2020-21 AESCSF Framework Core, being a set of requirements to attain a level of cyber-security that is appropriate for a participant with low criticality in the electricity sub-sector.

Further changes to cybersecurity laws on the horizon

On 27 February 2023, the Australian Government released the 2023-2030 Australian Cyber Security Strategy Discussion Paper (Discussion Paper) for consultation. The consultation seeks the views of the public on how the Government can achieve its objectives under the 2023-2030 Australian Cyber Security Strategy which include:

  • increasing whole-of-nation cyber security efforts to protect Australians and the economy;

  • ensuring critical infrastructure and government systems are resilient and cyber-secure;

  • building sovereign capabilities to take cyber threats and manage emerging threats to the economy;

  • strengthening and expanding Australia’ international engagement capacity building efforts; and

  • growing and sustaining a national cyber workforce, focusing on education, skills and training.

Consultation on the Discussion Paper closes on 15 April 2023.

Next steps

Responsible entities of the relevant classes of critical infrastructure have a grace period of 6 months to ensure its risk management program adequately identifies all relevant hazards and proposed mitigation strategies (in particular, hazards from a cybersecurity, personnel, supply chain and physical security perspective). Responsible entities must also ensure that they have implemented appropriate cybersecurity systems and processes in line with industry standards such as ISO/IEC 27001:2015 (or equivalent) by 17 August 2024.

Additionally, entities should be aware of their ongoing legislative obligations to review, update, and report on their risk management plans, and to ensure that their risk management plans are signed off by the entity’s board (or other governing body/council).

[View source.]

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Hogan Lovells | Attorney Advertising

Written by:

Hogan Lovells

Hogan Lovells on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide