Building Assurance: A Framework for Risk-Based Supply Chain Mapping and Categorisation

A supply chain is only as strong as its weakest known link

Australia’s critical infrastructure sectors depend on complex and interlinked supply chains that now sit at the centre of national resilience.

This article describes an eight-step framework for risk-based supply chain mapping and categorisation aligned with the Security of Critical Infrastructure Act 2018 (SOCI Act) and its subordinate Rules, designed to move organisations from compliance to assurance.

The expanding risk and regulatory horizon

The latest Critical Infrastructure Annual Risk Review (2025) highlights a key trend: Australia’s supply chains are long, concentrated, and increasingly opaque. Interconnected service providers now sit at the intersection of security, reliability, and economic continuity, and, therefore, at the heart of national security risk.

The SOCI Act and its subordinate Rules – the Security of Critical Infrastructure (Critical Infrastructure Risk Management Program) Rules 2023 (CIRMP Rules) and the Security of Critical Infrastructure (Telecommunications Security and Risk Management Program) Rules 2025 (TSRMP Rules) – have transformed the importance of this intersection into regulation. Together, they make supply chain resilience a formal requirement across all relevant critical infrastructure sectors.

Both sets of Rules operationalise obligations under Part 2A of the SOCI Act by requiring responsible entities to establish, maintain, and regularly review a Critical Infrastructure Risk Management Program (CIRMP) that identifies, mitigates, and manages hazards, including those originating within the supply chain. In doing so, they elevate supply chain assurance to the same level of importance as cyber, personnel, and physical security.

Section 10 of the CIRMP Rules mandates that responsible entities must implement processes and systems to “minimise or eliminate” material risks arising from unauthorised access, exploitation, misuse, or disruption of the supply chain, and from overreliance on particular suppliers. It also requires entities to identify and list their major suppliers and describe the specific supply chain hazards that could impact critical functions. The Rules explicitly define a supply chain hazard as including malicious insiders or external actors who exploit or disrupt the chain, underscoring that enhancing supply chain security is now a core protective security obligation.

Similarly, section 14 of the TSRMP Rules 2025 mirrors this approach for telecommunications assets, requiring responsible entities to establish processes that “minimise or eliminate” unauthorised access, interference, misuse of privileged access, and dependencies on major suppliers. It further requires ongoing mitigation of hazards that could compromise network integrity or the continuity of essential communications infrastructure.

Together, these frameworks make clear that under the SOCI regulatory regime, supply chain security is not discretionary but statutory. By embedding these requirements directly within the CIRMP and TSRMP frameworks, the Government has formalised supply chain assurance as a central element of critical infrastructure protection.

This shift marks a broader transformation in how supply chains are viewed. Once treated primarily as a procurement or commercial matter, they are now recognised as a fundamental pillar of enterprise risk management and protective security.

Yet many organisations still struggle with implementation – how to map, tier, and assure suppliers in a defensible and repeatable way. The following risk-based Supply Chain Mapping and Categorisation Framework provides a practical approach that is both proportionate to the risk and aligned with the intent of the SOCI regime.

Step 1: Establish governance and oversight

Effective supply chain assurance begins with governance. Under the SOCI Act and its subordinate Rules, the Board and accountable officers are responsible for managing supply chain hazards. Governance defines who maintains the supplier register, approves criteria for supplier tiering, and reviews assurance results.

Clear ownership across procurement, risk, and security functions ensures decisions are consistent and traceable. A defensible governance model means that when a regulator asks “who decides, and why?” – the answer is immediate and documented.

Step 2: Understand supply chain threats and risks

Mapping starts by defining what is in scope. This means identifying all providers, direct and indirect, whose failure to supply could affect a critical function, asset, or component. The boundary includes managed service providers, maintenance contractors, technology vendors, and any third parties handling data, access, or assets.

Once the boundary is clear, the next step is to understand the threats that can emerge along it – malicious insiders, compromised software updates, service interruptions, or data breaches within the supply chain. These threats are shaped by each supplier’s role, level of access, and geographic or legal exposure. Assessing them requires recognising not only external adversaries but also systemic weaknesses, such as over-reliance on single vendors, opaque subcontracting, or inadequate assurance processes.

Defining the boundary and examining these threat pathways clarifies where the organisation is most exposed and what needs protection first. It ensures that hidden or secondary suppliers are not excluded from oversight and that the eventual risk-based tiering reflects real operational dependencies rather than contractual assumptions.

Step 3: Map the supply chain – identify direct and sub-tier relationships

Once the boundary is set, build a consolidated supplier register that connects services, contracts, and critical functions. This register becomes the foundation for risk analysis, assurance planning, and CIRMP reporting.

The register should capture key information – who provides what, which systems or sites they support, the level of access or control they hold, and where the service is delivered. Capturing both Tier-1 (direct) and sub-tier (indirect) relationships reveals dependencies that may sit outside the organisation’s immediate oversight.

Mapping suppliers in this way often exposes risk concentration – for example, reliance on a single jurisdiction, vendor, or technology – and highlights areas where disruption, misuse of access, or non-compliance could propagate through the chain.

For many organisations, this step alone represents a major maturity gain: turning fragmented procurement and contract data into a coherent, risk-informed picture of operational dependency understood at enterprise level.

You cannot protect what you cannot see – mapping your supply chain is the first act of assurance.

Step 4: Apply the six risk-based criteria

Proportionality sits at the core of the framework. Each supplier should be assessed against at least six key criteria that reflect international standards and Australian regulatory expectations:

1. Operational criticality: Can this supplier disrupt or stop a critical function?

2. Substitution difficulty: How easily could the supplier or service be replaced?

3. Privileged access: Does the supplier, or its personnel, have access that could be misused or exploited?

4. Geographic exposure: Are there jurisdictional or sovereignty risks linked to location or ownership?

5. Assurance maturity: Can the supplier demonstrate effective controls, rather than merely assert them?

6. Modern slavery risk: Are there ethical or human-rights vulnerabilities in their operations or supply chain?

Applying these criteria produces a defensible, risk-based categorisation model that assigns each supplier a level of assurance priority – typically ranging from Category 1 (Cat 1, critical and irreplaceable) to Category 4 (Cat 4, non-critical).

This tiering should not be confused with supply-chain relationship tiers (such as Tier 1 direct supplier or Tier 2 sub-supplier), which describe the structure of the chain itself. A supplier deep in the chain may still fall into a higher security-risk category if its failure or compromise could materially affect a critical function.

By applying these six criteria consistently, organisations establish a defensible, proportionate categorisation model that underpins targeted controls and continuous assurance.

Step 5: Assign risk-based categories and validate

Categorisation is not a clerical exercise. Validation workshops that include contract owners, engineers, and operational managers ensure context is applied to each decision. A supplier that appears minor in procurement terms might, in practice, hold administrative access to a SCADA network – a risk deserving Cat 1 treatment.

This collaborative process ensures the register reflects operational reality, not just contract value. It also provides a defensible record of how supply-chain risks were considered and proportionate controls determined – an expectation under the CIRMP Rules. The outcome is a verified, risk-informed supplier register that becomes a cornerstone of the organisation’s assurance evidence base.

Step 6: Assign controls by risk category

Once categories are confirmed, assurance activities should scale accordingly. High-category (major) suppliers warrant greater verification, such as formal audits, comprehensive security questionnaires, and contractual clauses referencing and enforcing CIRMP obligations. Medium-category suppliers might require annual attestations or spot checks. Low-category suppliers may be covered through standard procurement terms and basic due diligence.

This approach ensures proportionality, focusing resources where compromise would cause the greatest harm. Not all suppliers present the same exposure, and not all require the same level of scrutiny. The goal is to achieve defensible and effective assurance — evidence that oversight matches risk.

For example, a water utility may classify its SCADA platform vendor and chemical supplier as Cat 1 (critical), requiring full assurance packs and contractual audit rights. Regional maintenance contractors may fall into Cat 2 (high), needing regular performance reviews and screening evidence. Lower-category service providers, such as cleaning or catering suppliers, might still be bound by minimum security and confidentiality clauses but without extensive monitoring.

Step 7: Review, report and improve

Supply-chain risk is never static. Ownership changes, emerging vulnerabilities, new technology, and geopolitical shifts can alter exposure overnight. Regular reviews and defined change triggers are vital to maintain accuracy and assurance.

Cat 1 (critical) suppliers should be reassessed quarterly, while a full review cycle across all categories should occur at least annually or following major operational or structural changes. This turns supplier management from a one-off compliance exercise into a continuous assurance process.

Regular updates also ensure that the organisation’s CIRMP remains current, evidence-based, and defensible, demonstrating that controls evolve in line with changing risk conditions.

Step 8: Integrate with enterprise processes

The final step is integration. Supply-chain mapping and categorisation should not operate in isolation; it must connect with the organisation’s enterprise risk register, CIRMP, procurement processes, and board reporting. It must become business as usual.

Integration delivers traceability and assurance visibility. Boards can demonstrate that supply-chain hazards are identified, prioritised, and managed; regulators can verify proportional controls; and auditors can trace each control to its justification and supporting evidence.

Continuous feedback from reviews and audits should feed improvement—strengthening supplier assurance, refining criteria, and embedding supply-chain risk management into the organisation’s protective-security culture.
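As an added worked example (not code from the article, nor any regulator's tooling), the Python sketch below models Steps 4 to 7 of the framework: it scores a supplier against the six criteria, assigns an assurance category with an override for the Step 5 case of a minor contractor holding SCADA administrative access, attaches proportionate controls from Step 6, and computes the Step 7 reassessment date. The 0 to 3 scoring scale, the override rule, the category thresholds, the function names (`categorise`, `next_review`, `build_register`, `supplier`) and the sample suppliers are all assumptions for illustration; the article prescribes none of them.

```python
from datetime import date, timedelta

# Six Step 4 criteria, each scored 0 (negligible) to 3 (severe) in a Step 5 validation workshop.
# Scale, override rule and thresholds are assumed for this example; the article gives no weights.
CRITERIA = ("operational_criticality", "substitution_difficulty", "privileged_access",
            "geographic_exposure", "assurance_gap", "modern_slavery_risk")  # gap = low maturity
# Assurance activities by category (Step 6) and reassessment interval in days (Step 7).
CONTROLS = {1: ["formal audit", "comprehensive security questionnaire",
                "contractual CIRMP clauses and audit rights"],
            2: ["annual attestation", "spot checks", "screening evidence"],
            3: ["annual attestation"],
            4: ["standard procurement terms", "basic due diligence"]}
REVIEW_DAYS = {1: 91, 2: 365, 3: 365, 4: 365}

def categorise(s: dict) -> int:
    """Assurance category 1 (critical) .. 4 (non-critical). Override: a supplier that can
    stop a critical function and is hard to replace or holds privileged access is Cat 1
    whatever its relationship tier (the SCADA-admin case in Step 5); else the sum decides."""
    if any(not 0 <= s.get(c, -1) <= 3 for c in CRITERIA):
        raise ValueError(f"scores must cover {CRITERIA} with values 0..3")
    if s["operational_criticality"] == 3 and (
            s["substitution_difficulty"] >= 2 or s["privileged_access"] >= 2):
        return 1
    total = sum(s[c] for c in CRITERIA)
    return 2 if total >= 10 else 3 if total >= 5 else 4

def next_review(category: int, last_review: date) -> date:
    """Cat 1 is reassessed quarterly; every category at least annually (Step 7)."""
    return last_review + timedelta(days=REVIEW_DAYS[category])

def build_register(suppliers: list, today: date) -> list:
    """Register rows with category, proportionate controls and reassessment status."""
    rows = []
    for sup in suppliers:
        cat = categorise(sup["scores"])
        due = next_review(cat, sup["last_review"])
        rows.append({"name": sup["name"], "tier": sup["tier"], "category": cat,
                     "controls": CONTROLS[cat], "review_due": due, "overdue": due < today})
    return sorted(rows, key=lambda r: r["category"])  # most critical first

# Constructed sample register for a hypothetical water utility (not real suppliers).
def supplier(name, tier, last_review, *scores):
    return {"name": name, "tier": tier, "last_review": last_review, "scores": dict(zip(CRITERIA, scores))}
SAMPLE = [supplier("SCADA platform vendor", 1, date(2025, 1, 15), 3, 3, 3, 1, 1, 0),
          supplier("Regional maintenance contractor", 2, date(2025, 3, 1), 2, 2, 2, 1, 2, 1),
          supplier("IT shop holding a SCADA admin login", 2, date(2025, 3, 1), 3, 0, 3, 0, 2, 0),
          supplier("Catering supplier", 1, date(2025, 3, 1), 0, 0, 0, 0, 1, 1)]

if __name__ == "__main__":
    print(*build_register(SAMPLE, date(2025, 6, 1)), sep="\n")
```

Note that the IT shop lands in Cat 1 through the override although its summed score alone would only reach Cat 3, which is exactly the distinction between relationship tier and risk category that Step 4 draws.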

From compliance to assurance

The SOCI framework represents a shift from policy statements to operational assurance. Regulators no longer ask whether an organisation has a process — they ask whether the process works, whether it is documented, and whether it is applied proportionately to risk.

A risk-based supply chain mapping framework provides the structure and evidence to answer those questions. It brings clarity to complex supplier networks and supports genuine resilience across all sectors — from energy and water to transport, health, and communications.

Conclusion

Supply chain mapping is more than a regulatory requirement. It is the foundation of trust and assurance in an increasingly interconnected, and therefore vulnerable, world. It is essential for a secure and successful enterprise.

When organisations understand who supports their critical functions, how dependencies align, and where vulnerabilities lie, they move from reactive risk management to proactive control.

This eight-step framework offers a practical path to that goal: a system that connects governance to evidence, procurement to security, and compliance to resilience.

Ultimately, the strength of Australia’s critical infrastructure depends not only on individual entities, but on the integrity of the supply networks that sustain them. Mapping and categorisation make that integrity visible — and verifiable.
