2026-05-04

I have never called myself a Cybersecurity person. But I keep coming back to it.

Australia's SOCI Act covers eleven sectors that keep this country running, and CIRMP is the regime that lands on every Group CISO who runs one of them. I have been reading about this for a while now, and here is what is in it.

What I keep coming back to

I have never called myself a Cybersecurity person. But I've been around cyber for years, in one form or another (starting at the end of my uni days back in 2006, with an internship in networking and in how to physically secure network assets :)). Side-project involvement here and there, ISC2 chapters before bed, many CompTIA tabs open in my browser, and long conversations with mates who work deep in IT and OT security.

I have also been around it at 9T5 for years (something that Liaqat Fayyaz has been beautifully running and managing while I have been focused on my day job and agile delivery consulting gigs). 9T5's teams conducted the security audit for Infomo back in 2023, CISA and OWASP aligned, across Australia, Singapore, and India. They have been on Germonizer's defence-adjacent build in Singapore since, in life sciences, with encrypted workflows and tokenised access. Not my code, not my deliverables. Theirs. Sitting close to the work has shown me how often a security question hides inside an architecture decision.

In my chats with my security expert mates lately, we keep coming back to the same thing. The rise of AI and large language models has opened the door to more sophisticated cyber threats, especially against any country's critical infrastructure. That is what made me start studying the Security of Critical Infrastructure Act 2018. And the more I read, the more I keep landing on CIRMP.

This piece is what I have learned so far. What SOCI is, what CIRMP asks of the companies that fall under it, who carries it, and why this matters for Australia right now.

[Image: SOCI and CIRMP at a glance, rendered as a Terminal Ops panel. The panel header reads "salamkhan.au ~ critical infrastructure / soci and cirmp at a glance", with the subtitle "the regime that protects the systems australia cannot lose". Three boxes across the top: The Law (SOCI Act 2018, the Security of Critical Infrastructure Act, protects the Australian systems we cannot afford to lose, covers 11 critical sectors across the country); The Program (CIRMP, Critical Infrastructure Risk Management Program, identify, manage, report material risks every year, four hazard domains, board-approved evidence pack); Accountability (s. 30AC, the named accountable executive, Group CISO carries it, Board approves it, CEO signs it, CISC verifies it under Home Affairs). Below the boxes, a label reads THE 4 HAZARD DOMAINS, with four hazard cards: 01 Cyber and Information, 02 Personnel, 03 Supply Chain, 04 Physical and Natural. Footer command line reads "$ ./not-a-cybersecurity-person by salam", with version one and sources legislation.gov.au and cisc.gov.au.]

A one-page map of the regime. SOCI is the law. CIRMP is the program inside the law. The four hazard domains are what every operator must defend against. Section 30AC names the executive who carries it. Generated by Author using Claude.

SOCI. The law, plain.

The Security of Critical Infrastructure Act 2018 is the Australian Commonwealth law that protects the systems this country cannot afford to lose. It started as a narrower piece of legislation in 2018, then was significantly expanded in 2021 and 2022 through the Critical Infrastructure Security Legislation Amendment Acts. The 2021 amendments broadened the definition of critical infrastructure dramatically. The 2022 amendments added the risk management program obligations that became CIRMP.

What it does in plain terms: the Act says some sectors are too important to leave to ordinary commercial protection. Operators in those sectors must register their assets, must take cyber and physical risk seriously, and must answer to the regulator. That regulator is the Cyber and Infrastructure Security Centre, or CISC, which sits inside the Department of Home Affairs.

The eleven critical infrastructure sectors

After the amendments, the Act covers eleven sectors:

Communications. Telecoms networks, internet service providers, and the broadcasting infrastructure that carries the news.

Data storage or processing. The cloud and data centres your government, banks, and hospitals sit on top of.

Defence industry. Manufacturers and service providers supplying the Australian Defence Force.

Energy. Electricity grids, gas pipelines, and liquid fuel supply chains.

Financial services and markets. Banks, payment systems, the ASX, superannuation.

Food and grocery. Supermarkets, wholesalers, and the supply chains that stock them.

Health care and medical. Public and private hospitals, blood and organ supply, pharmaceuticals.

Higher education and research. Universities and major research institutions.

Space technology. Satellites, ground stations, launch facilities.

Transport. Aviation, maritime ports, rail, freight, and public transport networks.

Water and sewerage. Drinking water systems and wastewater treatment.

Read that list slowly. Almost every part of daily Australian life touches one of those sectors before lunchtime.

. . .

CIRMP. The program inside the law.

If SOCI is the law, CIRMP is the program the law requires. The full name is Critical Infrastructure Risk Management Program, and it lives in the CIRMP Rules made under section 30AH of the SOCI Act in 2023.

What CIRMP asks an operator to do is, on paper, simple. Identify the material risks to the asset. Manage them through documented controls. Report on what is being done each year, in writing, in a board-approved evidence pack. Maintain that program continuously, not just at audit time.

The Rules organise risk into four buckets. They call them hazard domains.

The four hazard domains

Cyber and Information Security. The digital attack surface. Networks, applications, data, and the AI systems that increasingly sit on top of all three.

Personnel. The people inside the organisation. Who has access, who has been vetted, who can do harm by accident or by intent.

Supply Chain. The third parties that touch the operator's systems and data. Vendors, contractors, software dependencies, and everyone further down the chain.

Physical and Natural. Buildings, fences, generators, fire suppression, and the natural disasters that have become harder to predict.

Each hazard domain has its own set of expectations under the Rules, mapped to existing frameworks where possible (the Information Security Manual for cyber, for example). The point is not to invent new controls. It is to make sure the operator has done the work, in writing, across all four domains, every year.

The annual evidence pack is the artefact. It is what gets handed to the board, signed off by the Chief Executive, and submitted to CISC. In most regulated companies I have heard about, putting it together costs six figures a year in external consultancy time.

Section 30AC. Who carries it.

The interesting clause sits at section 30AC of the SOCI Act. It says the company that owns the critical asset must designate one of its officers to be accountable for the CIRMP. In practice, that officer is the Group Chief Information Security Officer, or Group CISO.

That single named person carries the program. The Group CISO does not write every control or run every audit, but they are the executive named on the page. They are accountable to the board, which approves the program annually before it is submitted. They are accountable to the regulator, which can audit the program and the company.

The Cyber and Infrastructure Security Centre sits at the other end of the relationship. CISC is the regulator inside Home Affairs. It is the body that receives the CIRMP submissions, runs compliance reviews, issues guidance, and holds the enforcement powers under the Act.

The structure is clear. Board approves. CEO signs. Group CISO carries. CISC verifies. Year after year, on a rolling annual cycle, across every company in the eleven sectors above.

Where I am, and what I would love to learn from you.

I have been at this for the last two weeks, full focus. CIRMP rules. ISM and Annex E. The Voluntary AI Safety Standard where it touches OT. What the regulators are saying. The big consultancy reports on what companies keep getting wrong. Picking my mates' brains in IT and OT whenever they will let me. Trying to understand the problem before I form an opinion on the fix.

What I am noticing is that the regime is sound, the obligations are clear, and the gap between what is required and what is delivered is wide. Six-figure consultancy spends every year. Manual evidence assembly. Group CISOs holding a program they did not design, under a regime that keeps expanding. AI threats accelerating faster than the controls.

I reckon there is a better way to make this work, and I have started prototyping toward it. But that is for another post.

Here is what I would love your input on.

If you have run a CIRMP submission inside a regulated company, what surprised you the first time? What is the hardest part to get right, and which part do consultants charge the most for that you wish you had known about earlier?

If you sit as a Group CISO under section 30AC, what does the regime feel like from the inside? Is the concentration of accountability sustainable as the obligations keep expanding, or is it quietly broken?

If you work at CISC, or in the policy layer above it, where is the regime heading next? What is the 2026 amendment most operators do not yet see coming?

If you study cyber as I am, who is writing the most useful material in this space right now, and which conferences should I be at? I am stuck in the official documents and the consultancy reports, and I know there is sharper thinking out there.

Drop a comment, or reach out to me directly. I would rather start learning from you now than later.

P.S. If you want to start where I started, the two official sources are the Security of Critical Infrastructure Act 2018 on legislation.gov.au and the CISC factsheet on the risk management program at cisc.gov.au. They are dry but they are the real text.

tags: Cybersecurity, SOCI, CIRMP, Critical Infrastructure, AI Governance