CIRMP Turns Two: How to Strengthen the Annual Review, Board Engagement, and Enterprise Risk Integration

August 2025 marks the second anniversary of the Critical Infrastructure Risk Management Program (CIRMP) requirements under the Security of Critical Infrastructure Act 2018 (SOCI Act).  Over the past two years, Australia’s critical infrastructure sectors have worked hard to embed CIRMPs as structured, proactive approaches to managing four key hazard vectors: cyber and information security, personnel, supply chain, and physical and natural hazards.

With this anniversary comes a timely reminder: the SOCI Act requires a review of the CIRMP, and a Board-approved annual CIRMP report to the Department of Home Affairs within 90 days of the end of the financial year – no later than 28 September 2025.  This is not merely a compliance formality; it is a governance checkpoint, a maturity milestone, and an opportunity to reflect on whether security risk management is functioning as an integrated, living part of the organisation’s enterprise risk and governance framework.

Annual Review and Board Oversight: Governance in Action

Section 30AG of the SOCI Act sets out specific requirements for the annual CIRMP report.  It must be approved by the Board, council, or governing body, confirm that the CIRMP remains current, outline any variations to the program, and demonstrate how risks have been mitigated over the reporting period.  The Board approval requirement is deliberate: it signals the expectation that directors will have genuine insight into the CIRMP’s operation and effectiveness, rather than passively endorsing a document.

Directors’ responsibilities under the Corporations Act 2001 require them to act with care and diligence.  In the CIRMP context, this means understanding the organisation’s security hazards, the adequacy of controls, and the maturity of risk management practices.  Annual reporting is therefore both an assurance process for the Board and an opportunity for management to bring forward evidence, context, and improvement plans.

Security Risk Management at the Heart of CIRMP

The CIRMP is, at its core, a security risk management program.  It requires responsible entities to identify, assess, and mitigate risks across the four hazard vectors in a systematic way.  This is not an isolated compliance activity; it is most effective when embedded within the organisation’s Enterprise Risk Management Framework (ERMF).

An ERMF provides a structured method for identifying, assessing, and managing all categories of organisational risk – from strategic and financial risks to operational, compliance, and security risks.  In practice, many ERMFs already capture a broad spectrum of high-impact risks such as financial volatility, foreign exchange and hedging exposures, major contract disputes, shifts in market demand, regulatory reform, and reputational damage from adverse events.  These exist alongside operational continuity concerns, such as critical equipment failures or industrial action, and significant security-related risks like cyber incidents, workforce shortages in critical roles, supply chain disruption, and large-scale physical incidents.

Integrating SOCI-related security risks into this framework ensures that they are prioritised alongside other risks competing for Board attention and resources.  It also allows security risks to be evaluated through the same organisational lenses of likelihood, consequence, and risk appetite, making governance conversations more coherent and action oriented.

The Risk Visibility Gap

A persistent challenge in CIRMP implementation is the disconnect between operational security knowledge and enterprise-level risk oversight.  Frontline physical, personnel security, ICT, and operational teams often have a detailed understanding of hazards and vulnerabilities in their domain.  However, if these risks are not escalated into the ERMF, they remain invisible to executives and the Board.  This can lead to misaligned priorities, under-resourced controls, and, in some cases, gaps in compliance reporting.

Consider the difference between how cyber security risk might be recorded at two levels.  At the enterprise level, the risk may be described broadly: “loss of confidentiality, integrity, or availability of corporate IT systems.”  Under the CIRMP, the definition is more focused: “cyber security incidents that could cause a material disruption to the operation of a critical infrastructure asset.”  Both are legitimate, but the latter speaks directly to regulatory obligations and critical asset resilience.  If only one version is recorded, and it is the enterprise-level generalisation, the Board may not be fully aware of SOCI-specific exposures.

Plan–Do–Check–Act: Building Continuous Improvement into CIRMP

Embedding CIRMP obligations into an ERMF is not a one-time alignment task; it requires continuous improvement, best achieved through the Plan-Do-Check-Act (PDCA) cycle.  This well-established management method provides a disciplined approach to implementation and ensures that security risk management remains dynamic and relevant:

  • Plan: Identify hazards, assess risks, determine treatment measures, and align these with enterprise risk priorities.
  • Do: Implement control measures, embed governance processes, and assign accountability at both operational and enterprise levels.
  • Check: Monitor performance in real time, review incidents, and evaluate control effectiveness through audits, maturity assessments, and assurance activities.  This stage ensures that risk owners and executives have an up-to-date picture of the organisation’s security posture.
  • Act: Make informed changes to strengthen controls, adjust governance oversight, and update the CIRMP to reflect emerging threats, organisational changes, and lessons learned.

When integrated into the ERMF, PDCA enables ongoing monitoring and timely escalation of security risks so that they are reviewed and acted upon within the same cycles as other enterprise risks.  This ensures that the CIRMP is not a static document updated only to meet annual SOCI reporting obligations, but a living program that evolves in step with the organisation’s operational environment and threat landscape.

Bridging the Disconnect: Practical Self-Assessment for Organisations

To close the gap between operational security risks and enterprise-level oversight, organisations can use the following questions as a practical self-assessment tool:

  • Risk mapping
    • Have we mapped all CIRMP hazard types – cyber and information security, personnel, supply chain, physical, and natural – against our existing enterprise risk categories?
    • Do we have a clear process to ensure operational hazards identified by frontline teams are escalated into the enterprise risk register?

  • Risk language and scoring
    • Are our risk definitions, consequence scales, and likelihood ratings harmonised so that SOCI hazards can be compared directly with other enterprise risks?
    • Have we agreed on common terminology so operational teams and executives are “speaking the same risk language”?

  • Board reporting and governance
    • Are CIRMP updates integrated into our standard Board and risk committee reporting cycles, rather than being presented as a separate compliance add-on?
    • Does the Board receive enough detail on SOCI-related risks to understand their specific regulatory and operational implications, and hence how the Board is meeting its SOCI obligations?

  • Integration with enterprise initiatives
    • Are CIRMP treatment plans linked to, and synchronised with, broader enterprise initiatives such as technology upgrades, workforce planning, and insider threat programs?
    • Do we track and report on these integrated initiatives to show their impact on both security and business resilience?

  • Sustained resourcing and accountability
    • Have we assigned clear ownership for each CIRMP treatment action, with accountability at both operational and executive levels?
    • Do we have a budget and resource allocation process that ensures CIRMP initiatives are sustained beyond the annual review cycle?
    • Have we educated each owner sufficiently to effectively manage the SOCI risks they are responsible for mitigating?

By regularly working through these questions, organisations can ensure that CIRMP obligations are fully embedded into enterprise governance, turning compliance requirements into a sustained driver of security resilience.

Practical Guidance for CIRMP Implementers

For those responsible for the day-to-day running of the CIRMP, the following practices can help ensure the program remains effective and compliant year-round:

  • Rolling review calendar: Set quarterly or bi-monthly checkpoints to assess the status of hazard controls and address new risks before the annual review.
  • Trigger-based updates: Build in mechanisms to review and update the CIRMP immediately following incidents, near-misses, or major operational changes.
  • Operational integration: Embed CIRMP checks into procurement, project management, and maintenance processes to catch risks early.
  • Link to exercises: Incorporate CIRMP threat scenarios into business continuity and disaster recovery exercises to validate preparedness.
  • Security KPIs and dashboards: Use operational metrics to track performance against CIRMP objectives and highlight trends for escalation.
  • Stakeholder engagement: Communicate CIRMP priorities in business terms to ensure buy-in from HR, IT, procurement, and operational leaders.
  • Lessons learned feedback loop: Document post-incident findings and ensure they result in tangible updates to controls, training, or governance processes.
  • Regulatory horizon scanning: Monitor for SOCI Act amendments or related regulatory changes and pre-plan for potential new obligations.
  • Threat intelligence: Identify sources of threat intelligence and establish a system to receive and analyse the intelligence, applying it through the ERMF as appropriate.

Embedding these practices into routine operations ensures that the CIRMP remains a dynamic, well-governed program, capable of adapting to emerging threats, meeting regulatory expectations, and delivering tangible security and resilience outcomes year-round.

Security Maturity as an Assurance Tool

A structured security maturity assessment and evaluation provides tangible evidence of CIRMP effectiveness and is an increasingly valuable part of annual review and Board assurance.  Maturity models help identify where the organisation stands relative to best practice, where it is merely compliant, and where it is falling short.  The results, including a visual heatmap or dashboard, can inform both the CIRMP report to the Department of Home Affairs and internal Board reporting, linking directly to the PDCA cycle’s “Check” and “Act” phases.

When maturity results are integrated into enterprise risk reporting, they become a powerful driver for prioritising investment, allocating resources, and tracking continuous improvement.  They also give directors a clear view of progress over time, enhancing their confidence in the CIRMP’s robustness.

Conclusion: Integration as a Path to Resilience

The second anniversary of the CIRMP is more than a compliance checkpoint; it is an opportunity to deepen the integration between security risk management and enterprise governance.  By embedding SOCI-related risks into the ERMF, applying the PDCA cycle, and maintaining a culture of continuous improvement, organisations give their Boards the visibility, assurance, and strategic insight they need to govern effectively.

The benefits extend well beyond regulatory compliance.  When operational security intelligence informs enterprise decision-making, organisations are better equipped to anticipate emerging threats, allocate resources wisely, and maintain resilience in the face of disruption.  In the current security climate, where critical infrastructure remains a prime target for cyber, insider, and physical security threats stemming from an array of threat actors including foreign intelligence services and organised crime, this integrated approach is not just good practice; it is essential.
