Australian businesses must now implement risk management programs for critical infrastructure assets under new rules introduced on February 17, 2023. Organizations must comply with these new rules by August 17, 2023.

The update to the Security of Critical Infrastructure Act 2018 (SOCI Act) aims to identify and protect critical infrastructure assets (CI assets) from a range of “hazards” including cyber and information security events.

What’s Changed and Why

The updated SOCI Act aims to improve the resilience of Australia’s critical infrastructure. The new Security of Critical Infrastructure (Critical infrastructure risk management program) Rules (CIRMP Rules) require responsible entities to establish risk management programs that identify and protect CI assets.

The CIRMP Rules establish a risk framework to identify and respond to risks associated with:

  • Cyber and information security hazards — businesses must also comply with recognized security standards such as ISO/IEC 27001 or NIST’s Framework for Improving Critical Infrastructure Cybersecurity by August 17, 2024.
  • Personnel hazards — the Cyber and Infrastructure Security Centre (CISC) recommends organizations use the new AusCheck background checking service when recruiting employees identified as critical workers.
  • Supply chain hazards — businesses need to understand their supply chain including all major suppliers and any further suppliers supporting them.
  • Physical security and natural hazards — the rules clarify that organizations must be able to protect CI from unauthorized physical access and the effects of natural disasters.

According to the CISC’s guidance, “There is no prescribed format for a CIRMP, and nor is the CIRMP intended to supplant existing risk management processes. Rather, responsible entities are encouraged to incorporate existing risk management frameworks and processes into the CIRMP.”

Where the CIRMP Rules Apply

The CIRMP Rules apply to organizations responsible for CI assets within the following industry sectors: communications; data storage or processing; energy; financial services; food and grocery; healthcare and medical; transportation; water and sewerage.

The Rules are restricted to defined asset classes for each industry sector, but extending the risk management program to cover all critical and sensitive assets and data is good practice.

CIRMP and Data Discovery

The CIRMP Rules apply directly to data storage and processing providers, but every business responsible for a CI asset must also protect information relating to that asset under the SOCI Act. Business critical data in the wrong hands could expose a CI asset and cause the very harms the new rules aim to address.

Protecting CI assets starts with the data. Data discovery helps businesses identify where all business critical data is stored. It provides an inventory of data assets to be included in a risk management program, where risks can be identified and mitigated effectively.

Ground Labs’ Enterprise Recon offers customizable discovery to identify any type of business critical data across on-premises and cloud-based environments, as well as sensitive and personal information.

The Timeline for Compliance

Businesses have six months to implement a risk management program, running from February 17, 2023 to August 17, 2023. Organizations that need to adopt a cybersecurity standard have an additional 12 months, until August 17, 2024, to achieve compliance.

The new rules also require businesses to submit an annual report, approved by their board, to industry regulators. The first report should be submitted between June 30, 2024 and September 28, 2024.

To find out how Ground Labs can help you meet the new CIRMP Rules, book a demo and meet with one of our experts.
