If you operate in one of Australia's 11 critical infrastructure sectors, there's a good chance the CIRMP obligation already applies to you. And if you haven't implemented one yet, the window to do so without regulatory consequences has closed.
Here's what you need to know.
What is CIRMP?
A Critical Infrastructure Risk Management Program (CIRMP) is a structured framework that responsible entities must have in place under Part 2A of the Security of Critical Infrastructure Act 2018 (SOCI Act). It requires you to identify, assess, and manage the risks to your critical infrastructure assets across four key hazard categories:
- Cyber and information security — protecting systems and data from malicious actors
- Physical security and natural hazards — safeguarding assets from physical threats and environmental events
- Personnel security — managing insider threats and vetting those with access to critical systems
- Supply chain — identifying and mitigating risks from third-party vendors and contractors
Your CIRMP must be documented, kept current, reviewed annually, and approved by your board or governing body. It's not a one-off exercise — it's an ongoing operational commitment.
Who needs a CIRMP?
CIRMP obligations apply to "responsible entities" — organisations that own or operate a critical infrastructure asset in one of the following sectors:
- Energy (electricity, gas, liquid fuels)
- Water and sewerage
- Transport (ports, rail, aviation, freight infrastructure)
- Communications and telecommunications
- Financial services and markets
- Data storage and processing
- Health
- Higher education and research
- Defence industry
- Food and grocery
- Space
The August 2024 deadline for implementing a mandatory cybersecurity framework as part of CIRMP has passed. If your organisation falls within scope and doesn't have a CIRMP in place, you are already non-compliant.
What are the CIRMP reporting obligations?
Each financial year, responsible entities must submit a CIRMP Annual Report to the Department of Home Affairs. The report must:
- Confirm that your CIRMP was up to date at the end of the financial year
- Outline any hazards that affected your assets during the year
- Describe how your CIRMP responded to those hazards and whether it required updating
- Be approved by your board before submission
The reporting window runs from 1 July to 28 September following the end of the financial year. The CISC (Cyber and Infrastructure Security Centre) now has an active audit program in place — meaning non-compliance is no longer just a paperwork risk.
What cybersecurity framework does CIRMP require?
Your CIRMP must align with one of five designated cybersecurity frameworks:
- The Australian Signals Directorate's Essential Eight
- NIST Cybersecurity Framework (CSF)
- ISO 27001
- The Australian Energy Sector Cyber Security Framework (AESCSF)
- An equivalent alternative framework (subject to approval)
For energy sector operators, the AESCSF is typically the most relevant choice — it's purpose-built for operational technology (OT) environments and aligns directly with SOCI obligations. For organisations in other sectors, the Essential Eight or ISO 27001 are the most common starting points.
What happens if you're not compliant?
The CISC has moved from an education-first posture to active enforcement. Non-compliance with CIRMP obligations can result in:
- Civil penalties from $44,000 per contravention
- Corporate liability of up to five times that amount
- Mandatory government assistance directions in cases of significant risk
- Reputational exposure if a cyber incident occurs and non-compliance becomes public
The CISC's audit program, which began in earnest during the 2024–25 financial year, means the likelihood of being selected for review is increasing as the program matures.
How do you build a CIRMP?
A compliant CIRMP typically follows this sequence:
- Asset scoping — Confirm which of your assets qualify as critical infrastructure under the SOCI Act
- Hazard identification — Map risks across all four hazard categories for each asset
- Gap assessment — Benchmark your current controls against your chosen cybersecurity framework
- Roadmap — Prioritise remediation activities with clear ownership and timelines
- Documentation — Formalise the program in a board-approved document
- Annual review — Build a continuous review cycle aligned to the reporting calendar
This is where working with a managed service provider that understands both the SOCI Act and the underlying technology pays off. The documentation requirement is one thing — but demonstrating genuine operational alignment is what holds up under audit.
Where does ASE Tech fit in?
ASE Tech works with Australian critical infrastructure operators to implement and manage the cybersecurity controls that underpin a compliant CIRMP. Our work covers identity and access management, SIEM, network security, continuous vulnerability scanning, OT security, and endpoint detection — the building blocks of a defensible security posture under any of the recognised frameworks.
We also provide gap assessments benchmarked against the AESCSF and Essential Eight, and can support your organisation through the CISC audit process.
If you're not sure whether your organisation is in scope, or you have a CIRMP in place but aren't confident it would hold up to scrutiny, book a call with our team for an initial assessment.