salam@localhost · ~/salamkhan.au
2026-05-25

I asked the wrong question about the SOCI Act.

I thought one company sat in one SOCI sector. I had it wrong. The Act scopes each asset a company runs, not the company, so one hospital can sit in two sectors at once. Here's how I found out.

In the last few weeks I've been studying the Security of Critical Infrastructure Act 2018. I thought one Responsible Entity, which is just a company, sits in one sector (in my mind I had a clean 1:1 mapping). A power company in energy, a bank in financial services, a hospital in health care. I had it wrong.

I wrote about what SOCI is and how it works in an earlier post: the law, the eleven sectors, and who carries the program. What I got wrong is more specific. It's how you work out which sectors a company is actually in.

It scopes the asset, not the company

The SOCI Act doesn't put a company in a sector. It puts each asset a company operates in a sector, and only if that asset crosses a threshold under the Security of Critical Infrastructure (Definitions) Rules 2021 (LIN 21/039 if you want the proper instrument name).

There are 22 named asset classes across the eleven sectors. Each one has its own definition and its own threshold: a critical electricity asset, a critical data storage or processing asset, a critical hospital, and so on. An asset is in scope only when it meets the definition for its class.

So the thing you're scoping is the asset, not the company. You don't ask which sector the company is in. You go through the company's list of assets and test each one against the definition for its class. The ones that cross the threshold are in scope.

The threshold does real work here. It's the filter. A small clinic's server cupboard doesn't make the cut. The class definition sets a bar for scale and significance, and only assets above that bar are in scope. That's why it tends to be the big hospitals and the large data centres, not every building with a computer in it.

A hospital can be in two sectors at once

Here's an actual example. A hospital is a hospital, so it sits in the health care sector for its clinical work. But some of the big Australian hospitals also run a sizeable data centre. If that data centre meets the threshold for a critical data storage or processing asset under the Definitions Rules, it also falls within the data storage or processing sector.

Same legal entity, two sectors, two Critical Infrastructure Risk Management Program (CIRMP) obligations under section 30AC of the Act, one for the clinical side and one for the data centre, both carried by the same Group CISO.

The same goes for universities. A university is in higher education and research. But a research data store at the right scale lands it in data storage or processing at the same time. One institution, two sectors, two programs.

[Figure: One company, two assets, two sectors. The hospital is in health care for its clinical work and in data storage or processing for its data centre. Each in-scope asset triggers its own CIRMP obligation under section 30AC; two CIRMP obligations, one Group CISO. Generated by Author using Claude.]

How I worked it out

I worked this out the hard and slow way, by trying to code the scoping logic into a little rule engine. Mostly I wanted to test whether I actually understood the Rules or just thought I did :).

I'd hardcoded the first question as "What sector are we in?" That was the top of the decision tree. Pick the sector, then narrow down from there. Then I fed it the asset list of a real Australian hospital. It came back with two sectors. The engine was right. My question was wrong :).

Writing the rules down in code is the quickest way I've found to test whether I really understand them. This kind of scoping logic is part of what I'm building toward at cirmpai.au.

The question to ask instead

So the question to ask at the start isn't "what sector are we in" at all. It's "what assets do we operate, and which of those cross a threshold under the Definitions Rules?"

Change that opening question, and the whole scoping conversation after it looks different. You stop sorting the company into one box. You work through the asset register, test each item against its class definition, and count the obligations that come out the other end. For a single hospital or a single university, that count can be more than one. The class definitions and thresholds live in the Definitions Rules and the CISC guidance, so that's where the testing has to happen, asset by asset.

One more thing I had to get straight. Two different sets of rules do two different jobs. The Definitions Rules 2021 tell you whether an asset is in scope. The CIRMP Rules 2023 (LIN 23/006) tell you what the program for that asset then has to contain. Scoping is only the first step, but if you get it wrong, you can miss a whole program you were meant to be running.
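The asset-first scoping logic from the rule engine described above, written out as an added example (my own illustration, not the author's cirmpai.au code). The two asset classes, their sector labels and the threshold tests are constructed placeholders, not the figures in the Definitions Rules; the asset register is a fictional hospital group built to show one Responsible Entity landing in two sectors.

```python
from dataclasses import dataclass
from typing import Callable

# Constructed, hypothetical threshold tests. The real bars are set by the
# Definitions Rules 2021 (LIN 21/039); look them up there, asset by asset.
@dataclass(frozen=True)
class AssetClass:
    sector: str
    threshold: Callable[[dict], bool]

CLASSES = {
    "critical hospital": AssetClass(
        "health care", lambda a: a.get("has_icu", False)),  # placeholder bar
    "critical data storage or processing asset": AssetClass(
        "data storage or processing", lambda a: a.get("racks", 0) >= 500),  # placeholder bar
}

@dataclass(frozen=True)
class Asset:
    name: str
    asset_class: str
    attributes: dict

def in_scope(asset: Asset) -> bool:
    """Test one asset against the threshold for its class; unknown classes are out of scope."""
    rule = CLASSES.get(asset.asset_class)
    return rule is not None and rule.threshold(asset.attributes)

def scope_register(register: list[Asset]) -> dict[str, list[str]]:
    """Walk the asset register, keep the assets that cross their class threshold,
    and group them by sector. Each sector key is a separate CIRMP obligation (s 30AC)."""
    obligations: dict[str, list[str]] = {}
    for asset in register:
        if in_scope(asset):
            obligations.setdefault(CLASSES[asset.asset_class].sector, []).append(asset.name)
    return obligations

# Constructed asset register for a fictional hospital group.
HOSPITAL_REGISTER = [
    Asset("Main campus hospital", "critical hospital", {"has_icu": True}),
    Asset("Group data centre", "critical data storage or processing asset", {"racks": 800}),
    Asset("Suburban clinic server cupboard", "critical data storage or processing asset", {"racks": 2}),
]

if __name__ == "__main__":
    # The company is never asked which sector it is in; the answer falls out of the assets.
    for sector, assets in scope_register(HOSPITAL_REGISTER).items():
        print(f"{sector}: {assets}")
```

The clinic's server cupboard is tested against the same class definition as the data centre and drops out below the bar, which is the filtering the thresholds do.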

. . .

Have you been through this?

Has anyone in my Aussie network been through CIRMP scoping, either inside a regulated entity or advising one? How did you handle a company that landed in more than one sector? I'd love to chat. Thanks.

tags
#SOCI #CIRMP #CriticalInfrastructure #Cybersecurity #GRC