Adopt and maintain a Critical Infrastructure Risk Management Program (CIRMP)
Covered critical infrastructure entities must adopt a CIRMP addressing cyber, physical, personnel, and supply-chain hazards.
Who must comply
Responsible entities for designated critical infrastructure assets within scope.
What triggers it
Being responsible for a designated critical infrastructure asset.
When due
CIRMP in place; annual report within 90 days of FY end.
Evidence required
Written CIRMP, board approval, hazard register, annual report.
Max penalty
Civil penalties up to $364,000 (1,000 penalty units, body corporate) for CIRMP obligations; $273,000 for the annual report
Summary
Part 2A of the SOCI Act requires responsible entities for designated critical infrastructure assets to adopt, maintain, comply with, and annually review a written CIRMP. The program must identify hazards (cyber, personnel, physical/natural, supply chain) and document mitigations. Board-approved annual report due within 90 days of the end of each financial year.
Enforced by
Source legislation
Topics
Related obligations
- CWLTHReport cyber security incidents to ASD (SOCI)Critical infrastructure asset operators must report critical incidents within 12 hours and other incidents within 72 hours.
- CWLTHComply with SOCI Positive Security Obligation (PSO) per sectorSector-specific cyber + risk obligations under SOCI Part 2.
- CWLTHGovernment cyber incident reporting via ASD ACSCFederal entities + critical infrastructure report cyber incidents to ASD ACSC.
- CWLTHComply with APRA CPS 234 (Information Security)APRA-regulated entities must maintain information security capability commensurate with the size and extent of threats.
- CWLTHAdopt Essential Eight Maturity Level 2 (federal subcontractors)Federal government contractors handling OFFICIAL: Sensitive must meet Right Fit For Risk (RFFR) including E8 ML2.
- CWLTHComply with APRA CPS 220 (Risk Management)APRA-regulated entities must have a comprehensive risk management framework.
Frequently asked questions
- Who must comply with Adopt and maintain a Critical Infrastructure Risk Management Program (CIRMP)?
- Responsible entities for designated critical infrastructure assets within scope.
- What triggers Adopt and maintain a Critical Infrastructure Risk Management Program (CIRMP)?
- Being responsible for a designated critical infrastructure asset.
- When is Adopt and maintain a Critical Infrastructure Risk Management Program (CIRMP) due?
- CIRMP in place; annual report within 90 days of FY end.
- What is the maximum penalty for Adopt and maintain a Critical Infrastructure Risk Management Program (CIRMP)?
- Civil penalties up to $364,000 (1,000 penalty units, body corporate) for CIRMP obligations; $273,000 for the annual report
- What evidence is required for Adopt and maintain a Critical Infrastructure Risk Management Program (CIRMP)?
- Written CIRMP, board approval, hazard register, annual report.
Source: https://cisc.gov.au/legislation-regulation-and-compliance/critical-infrastructure-risk-management-program. Rules Mate is not a law firm. Always verify against the live regulator source before acting.