
Recently, many critical infrastructure responsible entities covered by the Security of Critical Infrastructure Act 2018 (SOCI Act) are likely to have noticed a significant evolution in the annual Critical Infrastructure Risk Management Program (CIRMP) reporting process, with the FY2025–26 reporting cycle signalling a broader shift in regulatory expectations surrounding governance, resilience, and Board accountability.
The revised annual reporting form contains expanded and more detailed questions relating to Board oversight, supply chain resilience, governance arrangements, assurance mechanisms, operational testing, and organisational maturity. While at first glance these changes may appear administrative, the evolving structure and focus of the questions reveal something more significant: a shift in how Government increasingly expects critical infrastructure security and resilience to be governed.
The questions regulators ask are rarely accidental. Over time, they often provide insight into where maturity gaps continue to exist across industry and where future regulatory expectations are heading. The regulator is uniquely positioned to identify maturity gaps.
Viewed collectively, the changes suggest a broader movement away from static compliance documentation and toward demonstrable resilience, operational effectiveness, governance maturity, and evidence-based assurance. That is, a move from having a CIRMP as a SOCI Act obligation to having a CIRMP that actually delivers security effects.
For Boards and senior executives, this shift carries important implications.
From Documentation to Demonstrable Effectiveness
When the CIRMP obligations were first introduced, many organisations understandably focused on establishing the foundational components of compliance. Policies were developed, governance structures established, risk identification and assessment processes implemented, and reporting arrangements formalised. For many entities, this represented a substantial uplift in organisational capability and visibility of critical infrastructure risks.
However, this latest reporting approach increasingly appears to move beyond asking whether organisations have a CIRMP, toward whether organisations can demonstrate that the CIRMP is functioning effectively under realistic operating conditions.
The newly added questions appear increasingly focused on how organisations validate controls in practice, how lessons learned are incorporated into governance processes, how operational resilience is tested, and how critical dependencies are identified and managed across the enterprise. Collectively, the changes suggest growing regulatory interest in operational effectiveness rather than the mere existence of frameworks or policies.
This reflects a broader global shift in how geopolitical threats, operational resilience, cyber governance, and critical infrastructure regulation are approached. Increasingly, regulators are not only interested in whether frameworks exist, but whether organisations can demonstrate resilience under stress.
This distinction is important.
A well-written CIRMP does not necessarily indicate that an organisation:
- can detect emerging threats quickly
- understands cascading impacts
- can maintain operations during disruption
- has effective escalation pathways
- can recover from failure in a timely manner.
The expanded reporting approach suggests a growing expectation that resilience must be operationalised, tested, governed, and evidenced.
Boards Are Being Drawn Closer to Security Governance
One of the clearest trends emerging from the updated reporting process is the increasing focus on Board oversight and executive accountability.
Questions relating to governance structures, assurance mechanisms, escalation processes, operational visibility, and executive oversight suggest an expectation that Boards are not merely endorsing annual CIRMP reports, but actively governing resilience and security risk.
This reflects broader governance developments occurring across Australia. Boards are increasingly expected to exercise informed oversight of non-financial risks, including cyber security, operational resilience, supply chain disruption, technology concentration risk, insider threats, and broader organisational vulnerabilities.
For critical infrastructure entities, these expectations are becoming more significant given the potential national consequences of major disruptions.
Importantly, this does not mean Boards are expected to become operational security specialists. Rather, the emerging expectation appears to be that Boards understand how the organisation identifies and prioritises critical security risks, how management obtains assurance that security controls are effective, what vulnerabilities remain, and whether the organisation remains within its stated risk tolerance.
This represents an important shift from compliance-focused attestation toward risk-based and evidence-based assurance. This is the shift required to protect assets and operations in the dynamic threat environment.
Annual Board sign-off may increasingly be viewed not as the end of the governance process, but as the outcome of an ongoing assurance framework supported by testing, reporting, exercises, operational visibility, and executive challenge.
For many organisations, this will require a corresponding uplift in the quality of information provided to Boards.
Technical reporting and control-based metrics alone are unlikely to provide sufficient visibility into resilience exposure. Boards increasingly require strategic insight into operational dependencies, disruption scenarios, concentration risks, interdependencies, escalation pathways, and the potential consequences of failure, so that they are equipped to make strategic decisions and direct the executive.
Perhaps most importantly, Boards increasingly need visibility of uncertainty, not simply confirmation that controls exist.
Supply Chain Security Has Become a Board-Level Resilience Issue
The expanded focus on supply chain governance within the revised reporting process is particularly notable.
Historically, many organisations viewed supply chain risk primarily through procurement, vendor management, commercial continuity, or cyber security lenses. That perspective is changing rapidly.
Recent fuel disruption concerns, geopolitical instability, cyber incidents affecting third-party providers, cloud concentration risks, and growing dependency on external technology and logistics providers have highlighted the extent to which operational resilience now depends on organisations outside an entity’s direct control. This comes on top of the similar effects brought about by the COVID-19 pandemic, which showed that such global supply shocks are not rare and need to be recognised as a risk.
In many sectors, Boards are increasingly being asked to govern dependencies they do not directly own.
This increasingly includes dependencies on cloud providers, telecommunications networks, outsourced operational technology vendors, logistics providers, workforce providers, fuel supply chains, and critical software platforms, many of which have become deeply embedded in operational delivery.
The updated reporting questions appear to reflect growing concern regarding supplier criticality, concentration risk, contingency planning, resilience testing, and visibility of operational dependencies.
This represents an important governance shift.
Supply chain security is no longer simply a procurement issue. It is increasingly being treated as an operational resilience and national security issue.
Many organisations are still developing maturity in this area. Common challenges include limited visibility of Tier 2 and Tier 3 suppliers, over-reliance on single providers, fragmented ownership of supplier risk, inconsistent resilience expectations across procurement and operational functions, and limited testing of supplier disruption scenarios.
For Boards, the key issue is often not whether disruptions are possible, but whether the organisation understands the operational consequences if they occur.
The growing focus on supply chain resilience also reflects a broader reality confronting many critical infrastructure entities: resilience can no longer be assessed solely within organisational boundaries. Increasingly, operational continuity depends on the resilience of interconnected suppliers, service providers, digital platforms, and external infrastructure.
Assurance, Testing and Operational Visibility
Another important theme emerging from the latest reporting process is the apparent increase in emphasis on assurance and operational validation.
Questions relating to exercises, incident response, lessons learned, assurance activities, and governance oversight suggest that the regulator is increasingly interested in how organisations know their controls are operating effectively in practice.
Historically, many organisations relied heavily on policy reviews, annual reporting cycles, self-assessments, and management attestations. Increasingly, however, there appears to be greater regulatory expectation around operational exercises, realistic scenario testing, post-incident reviews, remediation tracking, independent assurance, and continuous improvement.
This aligns with broader resilience governance trends emerging globally.
Organisations are increasingly expected to demonstrate not only that controls exist, but that they:
- function under pressure
- support effective decision-making
- enable operational continuity
- can detect failures early enough to minimise cascading impacts.
For Boards and executives, this creates an important governance challenge.
Assurance cannot rely solely on assumptions that systems will operate as intended, suppliers will remain available, or key personnel will always be present during disruption scenarios.
Operational resilience increasingly depends on structured testing, visibility, and evidence.
This is particularly important given that many major operational disruptions are not caused by a single catastrophic failure, but by the accumulation of interconnected vulnerabilities across technology, personnel, supply chains, governance processes, and operational dependencies.
Questions Boards and Executives Should Now Be Asking
The evolution of the CIRMP annual reporting regime provides a useful opportunity for organisations to reassess the quality of their governance discussions.
Increasingly, effective Board conversations are moving beyond compliance status updates and toward questions of exposure, security risk, resilience, maturity, assurance, and operational consequence.
Some practical questions Boards and executives may wish to consider include:
- What evidence supports our annual attestation?
- How does the Board obtain assurance that CIRMP controls are operating effectively in practice?
- Do we understand our critical operational dependencies and concentration risks?
- Have we tested realistic disruption scenarios involving key suppliers or technology providers?
- How quickly would we detect and escalate a significant operational disruption?
- Are resilience risks integrated into enterprise risk governance and reporting?
- Are we relying on resilient systems, or on the knowledge and availability of specific individuals?
- How are lessons learned from incidents, exercises, or near misses incorporated into the CIRMP?
- What vulnerabilities would become most visible during a prolonged operational disruption?
- Could management confidently demonstrate the effectiveness of the CIRMP to regulators today?
These discussions are often more valuable than reviewing compliance checklists alone.
What Mature Organisations Are Starting to Do Differently
As regulatory expectations evolve, more mature organisations are beginning to shift from compliance-driven CIRMP programs toward integrated resilience governance models.
Increasingly, these organisations are:
- integrating CIRMP into enterprise risk governance
- improving Board reporting on operational resilience exposure
- mapping critical dependencies and concentration risks
- assessing and evaluating CIRMP security maturity
- strengthening supplier assurance processes
- conducting realistic operational exercises
- improving escalation pathways
- aligning resilience planning with risk appetite
- embedding cross-functional accountability across security, operations, procurement, technology, and workforce management.
Importantly, these organisations are increasingly treating CIRMP as part of broader organisational resilience strategy rather than as a standalone compliance obligation. The CIRMP works best when woven into the fabric of business operations rather than being seen solely as a security construct.
This shift often improves not only regulatory preparedness, but operational decision-making, executive visibility, incident response capability, and organisational resilience more broadly.
Increasingly, organisations are also seeking more structured ways to assess and evaluate CIRMP maturity across governance, assurance, operational resilience, supply chain security, personnel security, and testing activities. This is helping Boards and executives gain clearer visibility of capability gaps, prioritise investment decisions, and support more informed and defensible attestations.
The Direction of Travel Is Becoming Clear
The revised CIRMP reporting questions should not simply be viewed as administrative expansion.
They provide one of the clearest available indicators of how Government expectations regarding critical infrastructure governance are evolving.
Viewed collectively, the changes suggest a gradual but important shift toward:
- operational resilience
- evidence-based assurance
- governance maturity
- supply chain visibility
- active Board oversight
- demonstrable effectiveness.
Organisations that continue to treat CIRMP as a standalone compliance exercise may increasingly struggle to meet emerging expectations around resilience, assurance, and governance accountability.
The direction of travel appears increasingly clear.
Boards are not merely being asked to approve annual attestations.
They are increasingly being asked to stand behind the organisation’s understanding, governance, and management of critical infrastructure risk.
Download the Pentagram Advisory – SOCI Board Assurance Tool
To support Boards and senior executives in facilitating more effective governance discussions around CIRMP oversight, resilience, assurance, and operational exposure, Pentagram Advisory has developed a practical SOCI Board Assurance Tool for responsible entities covered by the SOCI Act.
The tool is designed to help organisations:
- move beyond compliance-focused discussions
- strengthen Board-level assurance conversations
- identify governance and resilience gaps
- improve oversight of supply chain, personnel, cyber, and operational risks
- support more informed and defensible CIRMP attestations.
The tool is intended to assist Boards and executives in structuring discussions around operational resilience, governance maturity, assurance mechanisms, and critical infrastructure risk exposure.

