Choosing the right managed service provider for SOCI Act compliance is one of the most consequential vendor decisions a critical infrastructure operator will make. Get it right and you have a partner who strengthens your security posture, keeps you ahead of regulatory change, and can demonstrate compliance under audit. Get it wrong and you're paying for generic IT managed services dressed up with SOCI branding — and you'll find out the hard way when the CISC comes knocking.
The SOCI compliance market in Australia has grown significantly since the CIRMP mandatory deadline passed in August 2024. Many MSPs now claim SOCI expertise. Very few have the depth of experience, the regulatory knowledge, and the technical capability to back it up.
These ten questions will help you cut through the noise.
1. Are you yourself regulated under the SOCI Act?
This is the first and most telling question. An MSP that is itself a responsible entity under the SOCI Act — operating under the same framework they're helping you navigate — has a fundamentally different level of accountability than one offering SOCI compliance as a checkbox service.
Being regulated under SOCI means the MSP has had to implement and maintain its own CIRMP, submit to CISC oversight, and operate its own security controls to the standard it recommends to clients. That's not theoretical experience — it's operational.
Ask specifically: which SOCI Act obligations apply to your organisation? How do you manage your own CIRMP? What framework have you adopted for your own cybersecurity obligations?
2. Can you conduct an AESCSF maturity assessment?
If you're in the energy sector — electricity, gas, or liquid fuels — the Australian Energy Sector Cyber Security Framework (AESCSF) is almost certainly your most appropriate CIRMP cybersecurity framework. Any MSP claiming SOCI expertise in the energy sector should be able to conduct a structured AESCSF gap assessment, assign maturity scores across all domains, and produce a remediation roadmap aligned to your CIRMP reporting cycle.
Be cautious of MSPs who default to the Essential Eight or ISO 27001 for energy sector clients without discussing whether the AESCSF is more appropriate. It usually is.
3. Do you have genuine OT security experience — not just IT security applied to OT?
Most MSPs are built around corporate IT environments. Operational technology — the SCADA systems, industrial control systems, and PLCs that physically control critical infrastructure — requires a fundamentally different approach. Patching cycles, network architecture, monitoring tools, incident response decisions — all of it is different in an OT environment, and getting it wrong can cause operational disruption.
Ask for specific examples of OT security engagements. What OT-specific monitoring tools do they use? How do they handle legacy devices that can't be patched? Have they worked in your type of environment — energy, water, transport — before?
For a deeper understanding of what genuine OT security capability looks like, see our guide: OT security for critical infrastructure: what Australian operators need to know in 2026.
4. Do you understand the CIRMP annual reporting cycle — and can you support it?
Your Critical Infrastructure Risk Management Program isn't a set-and-forget document. It requires board approval, annual review, and a formal annual report submitted to the Department of Home Affairs between 1 July and 28 September each year. The 2025–26 annual report deadline is approaching.
A genuine SOCI compliance partner should be able to help you structure your CIRMP documentation, ensure controls are evidenced (not just written down), prepare the annual report, and support board-level reporting on your compliance posture. If the MSP focuses only on the technical controls without engaging with the governance and reporting cycle, they're solving half the problem.
5. Are you ISO 27001 certified?
ISO 27001 certification isn't a SOCI requirement — but it's a meaningful signal about an MSP's own information security maturity. An MSP that holds ISO 27001 certification has had its own security management system independently audited and verified. That means your sensitive infrastructure data, access credentials, and compliance documentation are being handled by an organisation that takes information security seriously enough to certify to it.
It also means the MSP has direct experience implementing and maintaining ISO 27001 — one of the five designated cybersecurity frameworks for CIRMP. If you choose ISO 27001 as your CIRMP framework, your MSP should know it intimately because they operate it themselves.
6. How do you handle the IT/OT convergence challenge?
Most critical infrastructure environments are neither purely OT nor purely IT — they're increasingly converged. Corporate networks connect to operational networks. Cloud-based monitoring platforms connect to field devices. Vendor remote access opens pathways into control systems. This convergence creates risk that sits in the gap between IT security teams and operations teams.
Ask the MSP how they approach network segmentation in converged environments, how they monitor traffic across IT/OT boundaries, and how they handle vendor and contractor remote access to OT systems. The answer will quickly reveal whether they have genuine experience managing this complexity or whether they're applying IT security thinking to an OT problem.
7. Do you have 24/7 monitoring and incident response capability?
A cybersecurity incident affecting critical infrastructure doesn't keep business hours. Under the SOCI Act, serious incidents must be reported to the Australian Signals Directorate within 12 hours. That requires a monitoring and response capability that operates around the clock, with clear escalation paths and pre-agreed incident response procedures.
Ask specifically: what is your SOC coverage model? Is monitoring performed by your own analysts or outsourced? What is your average time to detect and escalate a threat? Can you demonstrate your incident response process for an OT-affecting event?
8. Can you support both the cybersecurity component and the broader CIRMP obligations?
CIRMP compliance is not just a cybersecurity exercise. The program covers four hazard categories — cyber and information security, physical security and natural hazards, personnel security, and supply chain. While an MSP's primary contribution will be to the cybersecurity component, a good SOCI compliance partner understands the full framework and can help you integrate cybersecurity controls with the broader governance structure.
In particular, ask whether they can support supply chain risk management — vendor assurance, contractor access controls, and third-party security obligations — since this is consistently one of the most underdeveloped areas in CIRMP programs.
9. How are you tracking the 2026 regulatory changes?
The SOCI regulatory environment in 2026 is not static. The first Independent Review of the SOCI Act was delivered in January 2026. The Minister for Home Affairs opened consultation on enhanced Ministerial Directions Powers and an Exposure Draft of enhanced CIRMP Rules in March 2026. IoT security standards took effect in March 2026. These changes have direct implications for responsible entities in energy, water, freight, and other sectors.
A genuine SOCI compliance partner should be actively monitoring and communicating these changes to clients — not waiting for clients to ask. If your prospective MSP can't speak fluently to the current state of the regulatory reform program, that's a red flag.
For a current summary of what's changed, see our SOCI Act compliance checklist — mid-2026 edition.
10. Can you show evidence from comparable critical infrastructure engagements?
Ultimately, the most important question is whether the MSP has actually done this work before — in environments like yours. References, case studies, and specific examples of SOCI compliance engagements are the best evidence available.
Be specific: have they worked with assets in your sector? Have they supported a CIRMP through a CISC audit? Have they delivered AESCSF uplift for a renewable energy operator or managed OT security for a water utility? Anonymised case studies are acceptable — what you're looking for is demonstrated operational experience, not generic capability statements.
The right partner changes the equation
SOCI compliance doesn't have to be a burden. When you're working with a partner who genuinely understands the regulatory framework, has the technical depth to implement the underlying controls, and operates to the same standards they recommend — compliance becomes operational confidence.
ASE Tech is itself regulated under the SOCI Act, ISO 27001 certified, and has worked with Australian critical infrastructure operators across energy, water, transport, and telecommunications for over 20 years. We connect and secure more than 20% of Australia's renewable energy assets and understand what it means to operate — not just advise — in a SOCI-regulated environment.
To see how we approach SOCI compliance in practice, visit our SOCI Act compliance services page or our cybersecurity services page. Or contact our team directly to discuss your current position.