Establishing a Critical Worker Identification and Risk Management Framework

The challenge of identifying critical workers

Across Australia’s critical infrastructure sectors, one of the most persistent challenges in implementing the Security of Critical Infrastructure Act 2018 (SOCI) and its subordinate Rules has been identifying and managing critical workers – those individuals whose absence, compromise, or misconduct could disrupt essential services or cause significant harm to the operations of a critical asset. The obligation to identify and manage critical workers, in the context of security, sits at the intersection of compliance and operational resilience, a space where clarity is often lacking.

From Pentagram’s engagements with critical infrastructure entities, and as reinforced by the Department of Home Affairs’ public advice about audits and its analysis of the Critical Infrastructure Risk Management Program (CIRMP) annual reports, it is evident that identification of critical workers remains an area of uncertainty and inconsistency. Many entities acknowledge the obligation, yet few have established a robust, repeatable process for fulfilling it. Critical worker identification and management form part of the personnel security hazard under the SOCI framework.

Several factors contribute to the challenge of identifying and managing critical workers:

  • Fragmented ownership – Responsibility for identifying critical workers is often divided between HR, IT/OT, Security, and Operations, with no single function accountable for governance or assurance. This fragmentation leads to duplicated lists, inconsistent criteria, and gaps that undermine compliance and risk visibility.
  • Over-inclusion and under-inclusion – Some organisations err on the side of caution, classifying too many roles as critical. This over-inclusion consumes resources, dilutes focus, and creates compliance fatigue. Others take the opposite approach, overlooking roles that hold indirect yet significant influence — for instance, HR, legal, or procurement staff with access to sensitive data or supplier contracts. Both extremes carry risk: the first wastes resources; the second leaves vulnerabilities unaddressed.
  • Evolving workforce models – The modern workforce includes contractors, managed service providers, and joint venture partners who may hold privileged access to critical systems. Often, the people with access are not known to the responsible entity. Many entities struggle to extend consistent assurance measures across these external relationships, despite regulatory expectations that responsibility cannot be outsourced.
  • Resource and capability constraints – Conducting proportionate screening, maintaining a Critical Worker Register, and ensuring ongoing suitability require time, expertise, and technology integration that smaller entities may not yet have in place.
  • Static compliance mindset – Some organisations treat critical worker identification as a one-off task to satisfy audit requirements rather than as a dynamic, living process linked to ongoing risk management, asset mapping, and operational change.

These challenges are not isolated or sector-specific; they reflect a broader maturity gap in how personnel security risk is integrated into enterprise security risk management. The result is a patchwork of approaches: some entities adopt over-engineered frameworks that stifle agility, while others apply minimal controls that expose them to regulatory and operational risk.

To address this challenge, Pentagram Advisory has developed the seven-step Critical Worker Identification and Risk Management Framework — a structured, practical, and regulator-aligned approach designed to help entities identify, assess, and manage critical workers with confidence and proportionality.

Understanding who is a critical worker

It is worth returning to the legislative foundation, to see precisely how the law defines a critical worker. Under section 5 of the SOCI Act, a critical worker is an individual who meets three cumulative conditions.

First, the person must be directly engaged by the responsible entity — whether as an employee, intern, contractor, or subcontractor of the organisation that owns or operates the critical infrastructure asset.

Second, their absence, compromise, or negligent or malicious actions must have the potential to either prevent the proper functioning of the asset or cause significant damage to it. Importantly, this assessment is made by the responsible entity itself, based on the unique characteristics of its assets and operations.

Third, the person must have access to, or control over, a critical component of the asset. Critical components, as defined by the SOCI Act, are those parts of an asset that, if absent, damaged, or compromised, would prevent the asset from functioning properly or cause significant damage.

This definition underscores that designation is based not on a person’s job seniority, but on the function they perform. In practice, entities are identifying critical positions or functions that are then occupied by individuals who become designated as critical workers. For example, a SCADA administrator is considered critical not because of who they are, but because the position they hold provides privileged access to a vital system.

The key takeaway is that this is a functional, role-based definition. It requires organisations to look beyond job titles and ask whether this position, by its access, authority, or control, creates a material risk to the functioning of the asset. If the answer is yes, then the role, and the individual occupying it, must be managed as a critical worker under the SOCI framework. Further, any person who is a designated alternate to fill the role when the usual occupant is absent needs to also be considered as a critical worker.

Recognising who your critical workers are is only the beginning. Turning that understanding into a consistent, auditable process requires strong governance, clear ownership, defined accountability, and alignment across business functions. Without it, responsibilities blur, and assurance becomes unreliable; with it, the organisation gains control, consistency, and confidence.

Let us now move to examining the seven steps of the Critical Worker Identification and Risk Management Framework.

Step 1: Governance and ownership

Every effective framework starts with clear governance. Critical worker identification touches multiple parts of an organisation – HR, Security, IT/OT, Legal, and Operations – and without defined ownership, efforts quickly fragment. Establishing a governance structure ensures that decisions about who is deemed critical, how they are assessed, and how assurance is maintained are made consistently and transparently.

A useful tool for clarifying this accountability is a RACI matrix, which outlines who is:

  • Responsible for doing the work
  • Accountable for approving and owning outcomes
  • Consulted for their input, and
  • Informed about decisions.

This simple framework helps align functions, prevents duplication, and ensures that every part of the process has a defined owner.

Strong governance turns compliance into capability. It anchors the framework at the executive level, connects it to the organisation’s broader risk management system, and ensures that workforce assurance remains a deliberate, ongoing process rather than a one-off compliance exercise.

Step 2: Mapping critical components and functions (with operational requirements)

The second step in the framework moves from governance to the practical heart of identifying critical workers: understanding what needs to be protected. It begins with the security risk assessment, which serves as the anchor for the entire process.

This assessment identifies hazards and material risks across the CIRMP’s categories: cyber and information security, personnel, supply chain, physical, and natural hazards. Each risk points to assets and systems which, if compromised, could disrupt essential functions. Without this evidence-based foundation, mapping would rest on assumptions rather than measurable risk.

Once the security risk assessment defines what is at stake, the next task is to identify critical components of the asset: the specific parts of an infrastructure whose absence, damage, or compromise would prevent the asset from operating or cause significant harm. These may be physical (like pumping stations or control rooms), cyber (such as SCADA systems), operational (dispatch centres), governance-related (Board approvals), or within the supply chain (managed service providers or vendors with privileged access).

To validate this mapping, the framework employs the Operational Requirements (OR) method, a structured process used in security planning to translate identified risks into practical security needs. By involving key stakeholders, the OR process tests whether mapped components and functions genuinely mitigate critical vulnerabilities. The outcome, as demonstrated in the table below, is a defensible, proportionate mapping that links risks, components, and roles, forming the evidence base for identifying critical workers.

Example of a Critical Worker Mapping Matrix

The mapping matrix above is provided as an example only. Each responsible entity must develop its own matrix, tailored to its unique assets, systems, workforce, governance arrangements, and supply chain dependencies. The matrix should be informed by the entity’s security risk assessment and validated through the OR process.

Step 3: Applying criticality criteria

Once critical components are mapped, the next task is to determine which roles interact with them and to what degree. Applying clear, risk-based criteria ensures this process is consistent and defensible. Each role should be tested against a structured set of questions. For example: Does it hold privileged access? Does it carry decision-making authority? Does it influence supply-chain resilience? Is it exposed to sensitive systems or data?

At Pentagram Advisory, we have identified seven core criteria that typically define criticality, though organisations may also establish sector- or context-specific criteria reflecting their unique operating environment. The intent is not to impose uniformity, but to provide a clear, repeatable logic for decision-making. These criteria help distinguish genuinely critical functions from those that are merely operationally important, allowing resources and assurance measures to be focused where the consequences of failure or compromise would be most severe.

Step 4: Building the Critical Worker Register

This step translates analysis into action. The Critical Worker Register is the backbone of the framework: a single, auditable record linking each critical role to the rationale for its designation, the criteria applied, and the controls in place.

Beyond compliance, it provides leadership visibility of critical worker risk and strengthens governance by showing exactly who holds access or authority over critical components. When maintained securely and reviewed regularly, the Critical Worker Register becomes an enduring assurance tool, one that survives organisational change and demonstrates that identification, screening, and control are systematic, not circumstantial.
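As an added illustration of Steps 2 to 4 (mapping components, applying criteria, and building the register), together with the designated-alternate rule from the definition section, the Python sketch below applies the three cumulative conditions to a constructed set of roles and produces a register entry carrying its rationale. It is not Pentagram Advisory's tool and not a format the SOCI Rules prescribe. The component list, the sample roles, and the criteria set (the four Step 3 questions, since the seven Pentagram criteria are not set out on this page) are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed Step 2 output: critical components and their category.
CRITICAL_COMPONENTS = {
    "SCADA": "cyber",
    "Pumping station A": "physical",
    "Dispatch centre": "operational",
    "Managed SOC provider": "supply chain",
}

# Engagement types treated here as 'directly engaged' (first condition).
DIRECT_ENGAGEMENTS = {"employee", "intern", "contractor", "subcontractor"}


@dataclass
class Role:
    title: str
    engagement: str                      # employee, contractor, vendor staff, ...
    components: frozenset = frozenset()  # critical components accessed or controlled
    privileged_access: bool = False
    decision_authority: bool = False
    supply_chain_influence: bool = False
    sensitive_data: bool = False
    alternate_for: Optional[str] = None  # role this one is designated to cover


# Constructed criteria set: the four Step 3 questions as predicates on a Role.
CRITERIA = (
    ("privileged access", lambda r: r.privileged_access),
    ("decision-making authority", lambda r: r.decision_authority),
    ("supply-chain influence", lambda r: r.supply_chain_influence),
    ("exposure to sensitive systems or data", lambda r: r.sensitive_data),
)


def criteria_met(role):
    """List the criteria labels a role satisfies."""
    return [label for label, test in CRITERIA if test(role)]


def assess(role, by_title):
    """Apply the three cumulative conditions; return (register entry or None, reason)."""
    if role.engagement not in DIRECT_ENGAGEMENTS:
        return None, "not directly engaged; address through supplier assurance"
    if role.alternate_for is not None:
        # A designated alternate inherits the designation of the role it covers.
        entry, reason = assess(by_title[role.alternate_for], by_title)
        if entry is None:
            return None, f"alternate for non-critical role '{role.alternate_for}'"
        entry = dict(entry, role=role.title, engagement=role.engagement,
                     rationale=f"designated alternate for {role.alternate_for}")
        return entry, entry["rationale"]
    touched = sorted(c for c in role.components if c in CRITICAL_COMPONENTS)
    if not touched:
        return None, "no access to or control over a critical component"
    hits = criteria_met(role)
    if not hits:
        return None, "touches critical component(s) but meets no criticality criterion"
    entry = {
        "role": role.title,
        "engagement": role.engagement,
        "components": touched,
        "criteria": hits,
        "rationale": f"{'; '.join(hits)} over {', '.join(touched)}",
    }
    return entry, entry["rationale"]


def build_register(roles):
    """Return (register entries, excluded roles with reasons); both are kept for audit."""
    by_title = {r.title: r for r in roles}
    register, excluded = [], {}
    for r in roles:
        entry, reason = assess(r, by_title)
        if entry is None:
            excluded[r.title] = reason
        else:
            register.append(entry)
    return register, excluded


# Constructed sample roles (not from any real entity).
SAMPLE_ROLES = [
    Role("SCADA administrator", "employee", frozenset({"SCADA"}),
         privileged_access=True, sensitive_data=True),
    Role("Deputy SCADA administrator", "contractor", alternate_for="SCADA administrator"),
    Role("Procurement lead", "employee", frozenset({"Managed SOC provider"}),
         supply_chain_influence=True, sensitive_data=True),
    Role("Payroll officer", "employee", sensitive_data=True),
    Role("Site cleaner", "contractor", frozenset({"Pumping station A"})),
    Role("SOC analyst (vendor staff)", "vendor staff", frozenset({"SCADA"}),
         privileged_access=True),
]

if __name__ == "__main__":
    reg, out = build_register(SAMPLE_ROLES)
    for e in reg:
        print(f"CRITICAL  {e['role']:<30} {e['rationale']}")
    for title, why in out.items():
        print(f"excluded  {title:<30} {why}")
```

Two design points carry over to a real register: the excluded roles are recorded with a reason, so an auditor can see why the payroll officer (sensitive data but no critical component) or the vendor analyst (not directly engaged, so handled under supplier assurance rather than the register) was left out; and the alternate inherits the primary role's components and criteria rather than being assessed on its own usually empty access, which is what keeps cover arrangements from falling through the gap.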

Step 5: Screening and assurance

Identification means little without trust. Step 5 turns governance into practice by ensuring that those in critical roles are suitable, reliable, and remain so over time. Screening is more than background checking: it is a proportionate, risk-based process aligned with the AS 4811:2022 Workforce Screening Standard.

Assurance extends beyond recruitment to include ongoing suitability assessments, event-triggered reviews, and supplier equivalence. Embedding these processes across HR, security, and procurement ensures a consistent standard of trust — one that reduces insider threat and reinforces public confidence in the integrity of essential services.

Step 6: Reviews and triggers

No framework remains effective without maintenance. Step 6 establishes the review rhythm and defines what triggers immediate updates. Annual reviews confirm compliance; event-based triggers – such as role redesigns, new systems, or supplier changes – keep the register and screening decisions accurate in real time.

Integrating these reviews into governance and change-management processes turns the framework from a document into a living control system, one that adapts as people, technologies, and risks evolve.

Step 7: Embedding assurance into business as usual

The final step is where maturity is achieved. Embedding the framework into HR, identity and access management, and procurement systems ensures that compliance is not a periodic exercise but an ongoing state of assurance. Suitability checks become part of onboarding, access controls link to the Critical Worker Register, and supplier contracts mirror internal screening obligations.

Over time, these processes reinforce one another, building a culture where managing critical workers becomes part of everyday operations – not a separate compliance project.

Conclusion: from compliance to confidence

Protecting critical infrastructure is ultimately about protecting people: those entrusted with its operation. Establishing a Critical Worker Identification and Risk Management Framework is not merely a regulatory requirement; it is a strategic investment in trust, accountability, and resilience.

The organisations that excel are those that move beyond minimum compliance toward continual assurance: where governance is clear, security risk mapping is evidence-based, and trust in critical workers is earned and maintained through education, discipline, transparency, and leadership. That is how compliance becomes confidence and how a trusted workforce becomes a nation’s strongest safeguard.

Ultimately, protecting critical infrastructure begins with leadership commitment to trust, integrity, and vigilance at every level. A structured approach to identifying and managing critical workers demonstrates a commitment to protecting the people essential to the secure operation of critical infrastructure assets.
