
Executive framing: why this distinction matters now
As organisations subject to the Security of Critical Infrastructure Act 2018 (SOCI Act) continue to mature in their implementation of the Critical Infrastructure Risk Management Program (CIRMP), many Boards and executives are now asking a sensible question: “Are we compliant, and what does CIRMP maturity actually tell us?”
Yet, before embarking on any assessment of maturity, it is critical to distinguish between two concepts that are often conflated: compliance and effectiveness.
A responsible entity can comply with the SOCI Act by meeting the relevant Positive Security Obligations (PSO) for CIRMP. The entity can have a formally adopted CIRMP, operate a review cycle for its CIRMP, and submit a Board-approved annual attestation to the regulator by the deadline. All of this may be entirely accurate and yet still leave the organisation exposed to unmanaged or poorly understood security risks.
Compliance can exist without confidence. The presence of a CIRMP does not, of itself, demonstrate that security risk is being managed effectively.
Effectiveness is about whether security risk is genuinely being eliminated, or minimised to a level the organisation is prepared, and entitled, to accept.
For Boards charged with stewardship of critical infrastructure assets, this distinction is no longer theoretical. It goes directly to assurance, accountability, and resilience.
The purpose of the SOCI Act: national security, not administrative compliance
The SOCI Act is not an administrative reporting regime. It is a national security framework, designed to ensure that critical infrastructure assets are protected from foreseeable hazards that could compromise the availability, integrity, reliability, or confidentiality of essential services the asset produces.
Importantly, the SOCI regime is principles-based and outcomes-focused: it does not attempt to prescribe a single control set for every entity; instead, it requires judgement, proportionality, and context in how material risks are identified and addressed.
This principles-based design places responsibility squarely on Boards and executives. The SOCI Act does not ask whether a control exists; it asks whether material risks are being identified, minimised or eliminated so far as is reasonably practicable, given the organisation’s operational context.
The CIRMP is the mechanism through which this obligation is expressed. But the legislative intent is clear: security effect and outcomes matter more than artefacts produced for display.
CIRMP compliance: what “good” looks like on paper
CIRMP compliance is both necessary and valuable. It requires a responsible entity to adopt, maintain and comply with a written risk management program, manage it as a live program, and attest annually, at Board level, to its operation.
This delivers important governance benefits. It creates visibility, enforces discipline, and brings security risk into formal Board oversight. For many organisations, CIRMP implementation has been the first time that personnel, supply chain, cyber, physical and natural hazards have been considered as a collective rather than as silos (or perhaps not considered meaningfully at all).
However, compliance primarily confirms existence and process.
It demonstrates that a CIRMP is in place, that roles and methodologies are described, and that reviews occur. What it does not demonstrate is whether the controls described are effective, proportionate, or aligned to the organisation’s real threat environment. The presence of a CIRMP does not demonstrate a security culture.
A compliant CIRMP can therefore coexist with controls of unknown performance, outdated assumptions, or untested resilience.
Effectiveness: what actually reduces security risk to critical assets
Effectiveness in security risk management is about security effect: whether mitigations reduce the likelihood or consequence of a threat to within acceptable bounds.
Effective security risk management requires organisations to move beyond describing controls and instead understand:
- which threats are most credible for their assets
- where vulnerabilities exist
- how controls perform in practice
- whether detection and reporting mechanisms, if they exist, work as intended, and
- how quickly the organisation can respond if risk controls fail.
This reframes maturity. The key question becomes not “Do we have something in place?” but “Does what we have in place actually work?”
For Boards, effectiveness is inseparable from assurance. It is the difference between passive comfort and informed confidence.
Risk appetite and risk tolerance: where leadership judgement matters
Effectiveness cannot be assessed in a vacuum. It must be assessed against risk appetite and risk tolerance.
Risk appetite reflects the level of risk an organisation is willing to accept in pursuit of its objectives. Risk tolerance defines the operational thresholds within which the organisation can function safely and reliably.
These concepts matter deeply under the SOCI Act.
Where a material risk can be eliminated, and doing so is reasonably practicable, elimination is expected. Where elimination is not reasonably practicable, the focus shifts to minimisation, and it is here that risk appetite becomes relevant. Risk appetite does not excuse inaction; it shapes decisions about residual risk once minimum expectations have been met. Critically, an entity’s risk posture cannot justify accepting a risk the legislation requires it to mitigate so far as is reasonably practicable.
A mature CIRMP therefore demonstrates:
- that risk treatment decisions are deliberate (based on evidence),
- that residual risks are understood, and
- that those residual risks sit within leadership-approved tolerance.
Without this alignment, CIRMP security maturity assessments are likely to become abstract scoring exercises: disconnected from the decisions Boards are accountable for making, and not used to continuously improve the protection of critical assets and operations.
SOCI is not foreign: protective security is already embedded as part of business management systems
For many executives, SOCI obligations can feel imposed from outside the business. In practice, most organisations already manage significant elements of protective security, though they may not perceive it that way.
Information security controls, access management, background checking, contractual safeguards, fraud controls, resilience planning and business continuity arrangements are familiar features of modern enterprises. The CIRMP does not replace these systems; it provides a framework for thinking about protective security, connecting and elevating existing controls through a threat-driven, asset-focused lens.
Seen this way, SOCI does not introduce an entirely new discipline. It does demand greater coherence, visibility and accountability for practices that already exist, and elevates them to Board-level concern because the consequences of risks being realised extend beyond the organisation itself to the community that depends on the critical infrastructure asset.
The illusion of compliance: comfort versus confidence
One of the most significant risks in SOCI implementation is the illusion of compliance.
Procedural audits, checklists and attestations can create a sense of reassurance. Ticking the box that a CIRMP exists, has been reviewed, and has been approved can feel like progress. In some cases, it can feel like risk has been addressed.
Yet this comfort can be misleading.
Pentagram has observed across the market that a CIRMP may “pass” a procedural review or audit while still being ineffective in protecting the critical asset. Such reviews create false assurance by validating compliance artefacts rather than evaluating security effectiveness in real operational contexts.
Confidence, by contrast, comes from understanding how controls operate under pressure, how assumptions are tested, and how security risks evolve over time.
For Boards, this distinction matters because false assurance can delay investment, obscure emerging threats, and leave organisations exposed at precisely the moment resilience is most needed.
From compliance to confidence: what Boards and executives should ask
To move beyond compliance and towards confidence, Boards and executives should challenge their organisations with different questions:
- Do we understand our most credible threats to critical assets?
- How do we know our mitigations are effective?
- Where are we relying on assumptions rather than evidence?
- Are residual risks clearly articulated and within tolerance?
- Would we see and recognise early indicators of threat activity?
- Are security risks prioritised alongside other enterprise risks?
These questions reframe CIRMP security maturity as a governance and assurance exercise, not a regulatory one.
Conclusion: compliance is the starting line, not the finish
Compliance with the SOCI Act and the CIRMP requirements is important. It provides the foundation for transparency, accountability and regulatory assurance. But it is only the starting line.
Effective security risk management, the kind that genuinely protects critical assets and the communities that rely on them, requires deliberate judgement, ongoing challenge, and leadership engagement. It requires Boards to look beyond artefacts and focus on outcomes, confidence and risk tolerance.
Ultimately, the true measure of success under the SOCI Act is not whether a CIRMP exists, but whether it works.