Rules Mate

Adopt and maintain a Critical Infrastructure Risk Management Program (CIRMP)

Covered critical infrastructure entities must adopt a CIRMP addressing cyber, physical, personnel, and supply-chain hazards.

highcurrentannual

Who must comply

Responsible entities for designated critical infrastructure assets within scope.

What triggers it

Being responsible for a designated critical infrastructure asset.

When due

CIRMP in place; annual report within 90 days of FY end.

Evidence required

Written CIRMP, board approval, hazard register, annual report.

Max penalty

Civil penalties up to $364,000 (1,000 penalty units, body corporate) for CIRMP obligations; $273,000 for the annual report

Summary

Part 2A of the SOCI Act requires responsible entities for designated critical infrastructure assets to adopt, maintain, comply with, and annually review a written CIRMP. The program must identify hazards (cyber, personnel, physical/natural, supply chain) and document mitigations. Board-approved annual report due within 90 days of the end of each financial year.

Enforced by

Source legislation

Topics

cybersocirisk-management

Related obligations

Frequently asked questions

Who must comply with Adopt and maintain a Critical Infrastructure Risk Management Program (CIRMP)?
Responsible entities for designated critical infrastructure assets within scope.
What triggers Adopt and maintain a Critical Infrastructure Risk Management Program (CIRMP)?
Being responsible for a designated critical infrastructure asset.
When is Adopt and maintain a Critical Infrastructure Risk Management Program (CIRMP) due?
CIRMP in place; annual report within 90 days of FY end.
What is the maximum penalty for Adopt and maintain a Critical Infrastructure Risk Management Program (CIRMP)?
Civil penalties up to $364,000 (1,000 penalty units, body corporate) for CIRMP obligations; $273,000 for the annual report
What evidence is required for Adopt and maintain a Critical Infrastructure Risk Management Program (CIRMP)?
Written CIRMP, board approval, hazard register, annual report.

Source: https://cisc.gov.au/legislation-regulation-and-compliance/critical-infrastructure-risk-management-program. Rules Mate is not a law firm. Always verify against the live regulator source before acting.