Adopt and maintain a Critical Infrastructure Risk Management Program (CIRMP)
Covered critical infrastructure entities must adopt a CIRMP addressing cyber, physical, personnel, and supply-chain hazards.
Who must comply
Responsible entities for designated critical infrastructure assets within scope.
What triggers it
Being responsible for a designated critical infrastructure asset.
When due
CIRMP in place; annual report within 90 days of FY end.
Evidence required
Written CIRMP, board approval, hazard register, annual report.
Max penalty
Civil penalties up to ~$2.2M for non-compliance
Summary
Part 2A of the SOCI Act requires responsible entities for designated critical infrastructure assets to adopt, maintain, comply with, and annually review a written CIRMP. The program must identify hazards (cyber, personnel, physical/natural, supply chain) and document mitigations. A board-approved annual report is due within 90 days of the end of each financial year.
Enforced by
Source legislation
Topics
Source: https://cisc.gov.au/legislation-regulation-and-compliance/critical-infrastructure-risk-management-program. Rules Mate is not a law firm. Always verify against the live regulator source before acting.