SOCI RMP checklist
SOCI Risk Management Program readiness checklist
If you are a responsible entity for an asset in scope of the CIRMP obligation, the Security of Critical Infrastructure Act 2018 (Cth) requires a written Risk Management Program covering cyber, personnel, supply chain, and physical and natural hazards, with board approval and annual reporting. This checklist scores your RMP across the four hazard vectors plus governance.
Last verified: 5 June 2026
This checklist is a structured prompt — not legal advice. It cites the relevant Act and section against each item so you can verify the source. Engage a qualified adviser before relying on the output for board, regulator or transaction purposes.
Frequently asked questions
- Which sectors are caught by the CIRMP obligation?
- Energy, water and sewerage, communications, transport, financial services and markets, healthcare and medical, food and groceries, higher education and research, data storage or processing, defence industry, and space technology. Not every asset in every sector is automatically in scope — the specific asset class definitions in s 12L apply.
- What is the difference between a critical and significant cyber incident?
- A critical incident has, is having or is likely to have a significant impact on the availability of the asset. A significant incident has, is having or is likely to have a relevant impact. The notification timeframes (12h vs 72h) reflect that distinction.
- Do the 2024 cyber reforms change the SOCI obligation?
- Yes — they extend the regime to cover data storage systems (DSS) holding business-critical data and introduce additional uplift powers. Existing RMPs need refreshing to address DSS scope.