Maintain Compliance, Improve Resilience.

Security of Critical Infrastructure (SOCI) Act

Australia’s Security of Critical Infrastructure Act 2018 (SOCI Act) was amended in 2021 and 2022 to more appropriately capture those assets that are critical to Australia’s defence, national security, economic and social stability. The amendments also responded to the deteriorating threat environment related to cyber-attacks.

What is the legislation change in Australia?

The Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 came into effect on 2 April 2022, building on the original Security of Critical Infrastructure Act 2018, with a compliance date of 17 August 2024.

The Amendment introduces the following key measures:

  1. A new obligation for responsible entities to create and maintain a Critical Infrastructure Risk Management Program.
  2. A new framework for enhanced cyber security for operators of systems of national significance.
  3. The expansion of the legislation to cover 11 sectors, up from the original 4 (something Rod will talk a little more about later).

The amendment sends a clear message to responsible entities of critical infrastructure assets that risk management must be prioritised and form part of the entity's core business activities.

Who is impacted?

The SOCI Act previously only applied to 4 sectors: Electricity, Gas, Water and Maritime Ports.

This has now changed from 4 industry sectors to 11. The government has identified 11 critical infrastructure sectors that will be covered by the amended act, namely:

  • Banking and finance
  • Communications
  • Data and processing
  • Defence industry assets
  • Education, research, and innovation
  • Energy
  • Food and grocery
  • Health
  • Space
  • Transport (including ports, public transport, aviation, freight)
  • Water and sewerage

What does this mean to your organisation?

Under the Act, responsible entities for critical infrastructure assets have an obligation to maintain a register of critical infrastructure assets and to develop and implement a Critical Infrastructure Risk Management Plan (CIRMP). They must also notify external data service providers if those providers store or process business-critical data, and must report cyber security incidents that have a significant or relevant impact on their assets.

The CIRMP is intended to uplift core security practices that relate to the management of critical infrastructure assets, ensuring that responsible entities take a holistic and proactive approach toward identifying, preventing and mitigating risks. The requirements of the CIRMP are to:

  • Identify material risks
  • Minimise risks to prevent incidents
  • Mitigate the impact of realised incidents
  • Implement effective risk management governance

The CIRMP needs to address the following four hazard vectors:

  • Physical and natural security
  • Cyber security
  • Personnel security
  • Supply chain security

How can OpsCentre help?

We work with responsible entities across multiple industry sectors to help:

  • Scope and implement a CIRMP
  • Undertake Risk Assessments of critical infrastructure assets
  • Understand personnel risks and the associated background screening requirements
  • Develop risk mitigation and minimisation strategies and plans
  • Ensure CIRMP currency, compliance and governance
  • Implement and monitor CIRMP KPIs, metrics and reporting

SOCI compliance aside, a CIRMP provides peace of mind that your critical assets are protected and that your organisation has the appropriate mechanisms in place to protect them.
