
In March 2026, the Commonwealth Government published the Independent Review of the Security of Critical Infrastructure Act 2018. The intent of the Review, conducted by Dr Jill Slay between November 2025 and January 2026, was to assess whether Australia’s Security of Critical Infrastructure Act 2018 (SOCI Act) is achieving its intended objectives, functioning as intended, and is not producing unintended consequences.
Introduction
In this article, Pentagram Advisory Pty Ltd (Pentagram) provides excerpts of the Review and comments on the components of the Review that Pentagram considers to be of most interest to its SOCI client entities and to our Community of Practice.
Pentagram’s engagement with the Review
Pentagram provided two of the 50 submissions the Review received.
In crafting the two submissions, Pentagram reflected on key issues identified through Pentagram’s work with SOCI entities and its Community of Practice, including:
- Low self-identification and low Critical Infrastructure Risk Management Program (CIRMP) reporting rates, suggesting many entities have not recognised their obligations.
- Disproportionate focus on cyber hazards, due to the ready availability of cyber standards, their established ‘place’ in entities, and the absence of comparable guidance for other hazard vectors.
- Misalignment between CIRMP expectations and the protective security culture available in private sector environments, given the Protective Security Policy Framework (PSPF) origins of the CIRMP framework.
- Legacy reliance on AusCheck background checking, which is not designed for contemporary insider threat risk or SOCI personnel hazard obligations.
- Limited enterprise governance integration, with Boards lacking full visibility of SOCI risks.
- Significant resourcing imbalance, where cyber teams are comparatively well-staffed while personnel security, supply chain security, and protective security teams are minimal or absent.
- Procedural SOCI audits that validate compliance artefacts rather than whether the CIRMP is effective and complete enough to uplift security performance and outcomes, creating a potential illusion of compliance.
This distinction between compliance and security outcome remains one of the central challenges in the current SOCI environment.
Pentagram’s submissions raised and commented on the following matters:
- Lack of guidance or standards for non-cyber hazards
- AusCheck has assumed a ‘default’ setting for background checking
- Cyber and Information Security hazard dominates the hazard types
- Gap between the Department of Home Affairs’ (Home Affairs) advice and ‘real-world’ solutions is keenly felt by SOCI entities
- Governance frameworks and indicative standards are lacking
- Home Affairs as advisor and regulator can deter SOCI entities from seeking its advice
- Insider threat is not well understood
- Insider Threat Program is not well understood
- Personnel security hazard is not well understood
- Supply chain hazard is not well understood
- Procedural SOCI audits versus substantive CIRMP effectiveness assessments
- Protective security education to critical infrastructure sector
- Education as a prerequisite for effective SOCI implementation
- CIRMP, Board visibility, and risk-based decision-making
- Limitations of the security benefit of AusCheck.
Pentagram also met in person with Dr Slay to explain Pentagram’s position.
Pentagram advised the Review that many SOCI entities find the CIRMP obligation difficult to operationalise due to:
- nil or limited protective security expertise
- underdeveloped personnel and supply chain security practices
- lack of clarity regarding proportionality of mitigation versus consequence
- resourcing constraints
- lack of education and training
- misalignment between the Australian Government’s PSPF-inspired expectations and private-sector operating environments
- difficulty comprehending how the CIRMP ‘fits’ into existing business processes and systems spanning operations and governance.
The result of this inability to operationalise is uneven hazard uplift, with cyber programs advancing far ahead of other hazard vectors and, in some cases, uplifting within a cyber silo rather than enabling uplift across the other hazards.
Independent Review context
The SOCI Act is a national resilience governance framework. Its fundamental purpose is to ensure that government has:
- visibility on who owns and controls Australia’s critical infrastructure,
- assurance as to how risk to its functionality is being managed, and
- intervention options where the failure of infrastructure would have national and damaging consequences.
The SOCI Act protects physical facilities, supply chains, information technologies and communication networks. If these were destroyed, degraded or rendered unavailable for extended periods, then Australia’s social and economic wellbeing, national defence, or national security would be severely damaged.
The SOCI Act operates on a functional basis: assets are regulated because of what they enable nationally, not because of the sectoral label of the organisation that operates them.
From an operator perspective, the SOCI Act asks three fundamental questions:
- who is accountable for this asset?
- what are the material risks to national service delivery?
- can the operator manage a serious incident without government intervention?
Independent Review Executive Summary
The Review’s executive summary is reproduced below in edited form.
Purpose of the Review
To assess whether Australia’s SOCI Act is achieving its intended objectives, functioning as intended, and is not producing unintended consequences.
Key Finding of the Review
The overarching conclusion is that the SOCI Act requires major legislative change to remove complexity and confusion while becoming more agile and responsive.
Strengths identified
Stakeholders consistently acknowledged that the SOCI Act has:
- increased executive and board-level awareness of infrastructure vulnerabilities
- established baseline governance frameworks and accountability structures
- improved asset visibility and incident reporting mechanisms
- created a common language for discussing critical infrastructure risks across sectors.
Critical Implementation Challenges
Stakeholder feedback revealed a need for clarity in the SOCI Act, the removal of regulatory duplication, visible enforcement action, and clearer accountability mechanisms.
Emerging Gaps
The majority of respondents believe the SOCI Act is not equipped to handle emerging threats:
- Artificial Intelligence (AI) and quantum risks (such as AI-enabled attacks, offshore AI dependencies, data poisoning, quantum cryptography vulnerabilities) are not explicitly addressed
- physical threat vectors including unauthorised drones and space-based service dependencies introduce unaddressed vulnerabilities
- cyber-heavy focus neglects physical security, personnel security, and all-hazards supply chain resilience.
The SOCI Act is perceived as too reactive and too slow compared to evolving risks, despite multiple previous modifications.
International Comparison Insights
The United Kingdom (UK) has a holistic approach, explicitly recognising social cohesion as equally critical to national security as physical infrastructure itself. Social cohesion is identified as a ‘centre of gravity’ that, if disrupted, significantly weakens national resilience. Australia could consider adopting similar perspectives to strengthen public understanding and support for critical infrastructure protection.
Key Areas of Stakeholder Consensus
Key areas of consensus include:
- expanding SOCI Act scope to include AI services, content delivery networks, hyperscale cloud providers, drones, and space assets
- harmonising frameworks by aligning the SOCI Act with Australian Prudential Regulation Authority (APRA), Australian Securities and Investments Commission (ASIC), International Organization for Standardization (ISO), National Institute of Standards and Technology (NIST) and other relevant regimes
- improving guidance through prescriptive, practical materials with worked examples, CIRMP templates, and plain-language guides
- strengthening assurance by shifting from procedural audits to effectiveness-based reviews, with maturity-based tiering that rewards strong security posture
- enhancing capability through investment in protective security education, workforce training, and structured cross-sector threat intelligence sharing
- mandating bidirectional information exchange between government and operators.
Critical Cultural Observations
Most respondents deeply immersed in SOCI Act compliance lack emotional connection to defending and protecting Australia and its citizens. Exceptions came primarily from those with Defence and intelligence backgrounds. This disconnect, between compliance obligation and national security purpose, warrants departmental examination of the relationship between the protection of critical infrastructure and the role critical infrastructure plays in a cohesive society.
Pentagram Advisory Comments
The risk posed by Foreign Ownership, Control or Influence (FOCI) was of concern to a significant number of Review respondents. The risk was framed in terms of both critical assets in Australia and the global supply chain.
Pentagram has published, educated, and advised on the FOCI topic since mid-2024. We have clients for whom FOCI is an everyday operational risk. However, we generally find this risk has little profile and seems a bit ‘exotic’ for many to take seriously. Alternatively, people are hesitant to act for fear of jeopardising their employment.
Those who do appreciate FOCI tend to do so through the prism of supply chain. Pentagram has devised a framework for identifying SOCI Major Suppliers and approaches to identifying and minimising associated supply chain risk.
The Review notes a ‘tension’ between the ‘helping hand’ approach of Home Affairs and the broader Commonwealth and the stricter enforcement warranted by the severity of national security threats.
Pentagram raised this ‘tension’ in our submissions to the Review. We contend there needs to be a separation between Home Affairs as the regulator and its engagement with SOCI entities that require guidance for matters that fall short of mandatory reporting. Pentagram has clients that have asked us to present their issue to Home Affairs on the basis that we do not divulge their identity. They are unwilling to approach Home Affairs directly.
The Review’s recommendation for a shift toward a penalty-based risk management model, with real enforcement of penalties, is consistent with feedback Pentagram has received across the SOCI community.
It is reasonable to expect that the SOCI regime will evolve from its current advisory posture toward one where non-compliance carries material consequence. This evolution is not punitive in intent; rather, it is necessary to ensure that compliant entities are not disadvantaged and that minimum security standards are consistently applied across the market.
Pentagram anticipates that this shift will place increased emphasis on demonstrable CIRMP effectiveness, Board-level accountability, and the use of independent expertise to support assurance activities.
Self-attestation by company boards on their risk management programs remains common. Concern was expressed that the approach has not evolved significantly since 2005, with cyber reporting still largely voluntary and ad hoc.
Pentagram raised this topic in its submissions and has made this point to Home Affairs through 2025-26. We note that Home Affairs has modified the CIRMP attestation template to now include an option for external audit of the CIRMP, a change Pentagram applauds. We believe protective security risk, which is what the CIRMP seeks to treat, requires boards to have expert advice which may not be resident in their organisation.
Boards seek specialist advice on legal, financial, and personnel matters and so should treat protective security advice as a kindred specialisation. Pentagram has written articles on this matter.
The Review highlights cyber and supply chain (cyber) vulnerabilities.
Pentagram recognises the primacy of cyber risk, whether it arises directly within a critical asset’s IT / OT systems or through the supply chain, and the Review places a significant focus on it. Given the history of the SOCI legislation, which the Review recounts, cyber has always been the primary risk vector. Pentagram, however, has always highlighted the human factors element of the cyber threat, from both insider threat and external attackers, as a fundamental yet overlooked component of cyber risk. The human factors component is similarly neglected in consideration of supply chain risk vectors.
The Review highlights water, energy, and telecommunications as most targeted sectors.
Pentagram’s experience of the SOCI community reflects this sectoral threat focus, with our clients generally concentrated in the water, energy, and telecommunications sectors. These three sectors are targeted because they are fundamental inputs to contemporary Australian life. Pentagram notes that all sectors are downstream from electricity, so electricity assets are in some sense the most critical assets.
The Review posed the question: How effective is the SOCI Act’s framework in supporting improvement and uplift of critical infrastructure security?
The Review recorded the number of responses in each category as follows:
- Ineffective: 3
- Partially effective: 20
- Moderately effective: 21
- Effective: 10
- Very effective: 1
The Review also put the question: To what extent has the SOCI Act improved the security and resilience of your organisation’s critical infrastructure? The number of responses in each category was:
- Not at all: 11
- Slightly: 15
- Moderately: 27
- Significantly: 5
- Substantially: 7
These results accord with Pentagram’s experience in that SOCI entities are challenged to envisage the CIRMP as an activity and a tool that both spans and can conjoin risk management across the enterprise. They cannot see the CIRMP as a benefit. Meeting SOCI positive security obligations, of which a CIRMP is one, is often conceived as a compliance action to be ‘ticked off’. Indeed, the Review cites as the most common theme of responses: “Costs of resourcing /administrative burden: respondents most frequently raised the time, effort, staffing and funding required to comply with the SOCI Act (e.g. heavier admin load, resource strain) suggesting that, for example, reporting requirements are driving ‘increased administrative costs’.”
However, the CIRMP offers a unique set of opportunities, these being: to surface protective security as an enterprise issue, to educate the workforce and contractors about necessary security practice, to develop a security culture, and to tangibly uplift the protection of critical assets and operations by linking all parts of the enterprise (breaking down silos) for that purpose. Until this enterprise view is visible, it cannot be capitalised on. And so the perceived effectiveness of the SOCI Act framework, as shown in the response from the Review above, is low.
Pentagram believes that, given the time elapsed since 2018, the effort by Home Affairs (with the support of the Australian Signals Directorate) on the primary hazard of cyber, and eight years of taxpayer funding, the level of actual and perceived security uplift amongst SOCI entities represents a poor return on investment, particularly given the increasingly perilous threat context that Australia faces. Home Affairs acknowledged in early 2026 that heightened risk is driving efforts to strengthen the CIRMP.
Perhaps the root of this lack of penetration is an observation offered by Dr Slay in the Review, in which she wrote: “A notable finding was that most respondents deeply immersed in SOCI Act compliance lack emotional connection to defending and protecting Australia and its citizens. Exceptions came primarily from those with Defence and intelligence backgrounds. This disconnect between compliance obligation and national security purpose warrants departmental examination of the relationship between the protection of critical infrastructure and the role critical infrastructure plays in a cohesive society.”
Pentagram understands that all SOCI entities are businesses – they have a budget and limited resources, with SOCI seen as another cost and regulatory burden. Most SOCI entities do not inhabit an Australian national security mindset, especially if they have foreign ownership or control. Australia has been fortunate to avoid, since 1945, any substantial or existential threats to its existence. There have been no national-level galvanising events, comparable to Russia’s war against Ukraine from 2014 to date or Vietnam’s experience in the Indochina war against the French from 1946 to 1954, to position true national security at the forefront of thinking for critical infrastructure entities.
Atop this absence of necessity we have social decay. Australia’s economic and social trajectory since the 1980s has comprised a benign security environment (to 2015 at least), trend growth in wealth, trend decline in social cohesion, and the absence of factual history and civics from teaching. The teaching of civics is the education of students regarding their roles as active, informed citizens within a democratic society. It covers the study of government institutions, the rule of law, democratic processes, and rights and responsibilities, while fostering skills for civic participation, ethical decision-making, and understanding community diversity.
Australia has two generations who have been taught that their focus is on their rights, with the counterpoint of responsibilities left to atrophy. The concept of Australian citizenship is poorly defined and confused and, hence, is generally not valued, and not protected, by Australian citizens and governments.
Pentagram notes that the Review, in recording the lack of national security connection people in SOCI entities expressed, cited the UK’s social cohesion approach to critical infrastructure with the Review saying: “The UK has evolved beyond purely technical infrastructure protection to explicitly recognise social cohesion as equally critical to national security as physical infrastructure itself. Social cohesion is now identified as a ‘centre of gravity’ that, if disrupted, significantly weakens national resilience.” The Review goes on to note that a major UK initiative is its Building Resilient Communities Report (2024) which identifies social cohesion as the foundation of resilience.
Pentagram supports the Review’s unstated conclusion that the Commonwealth’s argument for, and marketing of, the SOCI Act and its attendant obligations for critical infrastructure entities has not been embraced as widely and deeply as is required to attain a true and enduring security effect. People in SOCI entities – directors, managers, and practitioners – have generally not been exposed to the security culture that is usual in many Commonwealth entities. This issue of security culture brings us to a component of the Review which received little attention, and that is ‘people’. Pentagram views ‘people’ both through the SOCI legislation lens of ‘personnel hazard’ and as an asset, which Pentagram treats in its Trusted Workforce Program.
This observation can be extended beyond national messaging into the operating environment of SOCI entities themselves. Social cohesion is not an abstract national construct; it is expressed through organisational culture, workforce behaviour, and the degree to which individuals perceive their role as contributing to a broader national purpose. Where this connection is weak, security becomes a compliance activity rather than a responsibility.
In practical terms, this manifests in limited reporting of concerning behaviours, low engagement with security processes, and a reluctance to act where the action may carry personal or professional consequence. These are precisely the conditions in which insider threat risk is elevated.
Pentagram, therefore, views the Review’s reference to social cohesion as directly relevant to the personnel hazard. Organisational security culture, workforce trust, and clarity of purpose are not peripheral considerations; they are determinants of CIRMP effectiveness. A CIRMP that does not account for human behaviour, motivation, and decision-making will remain structurally incomplete with impaired performance, regardless of its technical maturity.
Pentagram further considers that personnel risk is not confined to a single hazard vector. Rather, it is the integrating factor across all four CIRMP domains. Cyber compromise is frequently enabled by human action; supply chain risk is mediated through supplier personnel; and physical security failures often arise from human access, judgement, or error.
Treating personnel hazard as a discrete compliance requirement understates its role. In practice, people are the common pathway through which multiple threat vectors converge. Accordingly, the maturity of personnel security, including insider threat capability, is a limiting factor in overall CIRMP performance.
On people, the Review posed the question: How effective is the SOCI Act in addressing current personnel threat environments? The number of responses in each category was:
- Ineffective: 8
- Partially effective: 22
- Moderately effective: 20
- Effective: 3
- Very effective: 0
Again, as for the two previously quoted results on the effectiveness of the SOCI Act, the vast majority of responses on personnel threat rest in the zone of ineffective to moderately effective. Again, on the surface at least, a poor return on investment over almost a decade.
The second most common theme from respondents that the Review lists is: “Clarity required in the definitions (ambiguity, vagueness, sector fit): many responses emphasised unclear definitions, broad language, and inconsistent interpretation across sectors which was making compliance harder and potentially risky in a crisis” which is a people-centric finding. It is people that require clarity and consistency and it is people that will act in a crisis.
In the Review’s Key Findings from Written Submissions (page 35 of the Review) is Theme 8 which is Education, capability and intelligence. For Theme 8 the Review states: “Capability as a bottleneck across the critical infrastructure sectors was widely expressed and it was noted that protective security education is missing. It was also suggested that mandatory, structured Cyber Threat Intelligence (CTI) sharing is needed along with benchmarking tools with AI and analytics. It was also noted that independent quality assurance is needed as well as the establishment of workforce learning pathways. High level of consensus on education, intelligence and benchmarking as critical enablers for operators. The majority favour mandatory CTI sharing.”
Pentagram finds the interweaving of educating people and CTI unhelpful, as they are two distinct matters. That said, Pentagram agrees with the theme that protective security education is absent. Pentagram knows the history of the Commonwealth Attorney-General’s Department’s termination of the Protective Security Training Centre by about 2017, just as the SOCI legislation came into being – the Commonwealth’s expectation was that the private sector would fill the void.
Whilst there have been providers that have offered certificate-based training, Pentagram believes this has been consumed by more public than private sector students, and that formalised training does not address the specifics of the SOCI Act, whose regulated entities do not harbour security practitioners and risk leaders in the way the Commonwealth public sector does, where protective security is part of business as usual. The private sector is a more challenging audience with which to get traction and to educate.
Pentagram understands this protective security education deficit and has been striving to address it.
Pentagram considers protective security education not as a supporting activity, but as a prerequisite for effective SOCI implementation. Without a workforce that understands the threat environment, the intent of the legislation, and their role within it, CIRMP obligations cannot be meaningfully operationalised.
This is particularly relevant to personnel and supply chain hazards, where capability gaps are most pronounced. Education, therefore, is not simply an enabler of compliance; it is a determinant of security outcome.
From late 2024, Pentagram began offering SOCI-aligned education through no-cost workshops and articles, in-person events, and unique eLearning courses and memberships written expressly for SOCI entity needs.
We have a unique array of courses in the market. The focus of Pentagram courses is to equip the student with actionable knowledge, contextualised by the information provided in the course. A growing library of articles and podcasts provides additional information and studies of real world events to add to and embellish the learning experience and to the practitioner’s confidence. Practitioners need a strong voice and valuable advice if they are to influence the risk management and security outcomes of enterprises.
Pentagram has developed and offers, uniquely, courses on assessing the maturity of CIRMP for any SOCI entity, with a specialised maturity course for telecommunications sector CIRMP. Pentagram’s security maturity framework informs future investment in mitigation, which in turn raises maturity and will better meet future CIRMP audits.
Turning to the other component of Theme 8, CTI, Pentagram has collaborated since mid-2024 with Australia’s Critical Infrastructure – Information Sharing and Analysis Centre (CI-ISAC). Pentagram hosts a no-cost CI-ISAC course as part of our eLearning catalogue. CI-ISAC has presented at Pentagram events, and Pentagram has presented at CI-ISAC events. Further, Pentagram is part of CI-ISAC’s Commonwealth grant for the establishment and operation of the Australian Health Sector Information Sharing and Analysis Centre (HCSN/ISAC). Pentagram is a supporter of CTI as provided by CI-ISAC.
On the overall topic of people, Pentagram believes the Review understates the fundamental nature of people in the SOCI domain. That ‘people’ issues ranked lower among Review respondents’ concerns than Pentagram anticipated is, we assess, due more to SOCI entities not yet recognising the fundamental and ubiquitous nature of people in all facets of CIRMP performance. Certainly, Home Affairs has made public, over 2024-26, SOCI entity feedback that they do not generally understand the personnel hazard. Pentagram offers eight eLearning courses addressing CIRMP personnel hazard issues.
Home Affairs’ proposed amendments to the Rules
Around the time the Review was published Home Affairs was engaging SOCI entities on proposed amendments to the Security of Critical Infrastructure (Critical infrastructure risk management program) Rules 2023. The proposed amendments (as of April 2026) are likely to impose moderate to high compliance and cost impacts, concentrating in cyber-physical and highly interconnected sectors. Key impacts include an increased compliance workload, including the development and maintenance of new artefacts such as personnel security plans, supply-chain maps, vendor risk assessments, and cyber uplift roadmaps. There will also be a need for capital investment in cyber controls, identity and access management, network architecture, and monitoring capabilities and some operational costs associated with supplier reassessment, logging and monitoring, background checking, training, and audit.
Home Affairs has signalled it intends to mandate AusCheck background checking for critical workers, and to accept an Australian Government Security Vetting Agency (AGSVA) NV1 level clearance as an alternative. Pentagram notes that these two security checks are vastly different and, so, yield different levels of security risk mitigation. For critical workers who are not Australian citizens, have been in Australia on a visa for only a short period, or are foreign nationals living offshore, Home Affairs acknowledges these checks will not be possible, and so the SOCI entity will need to devise its own checks and assurance process for people in these categories. Pentagram has developed its eLearning Hub and advisory support to solve this challenge.
Taken together, the themes emerging from the Review point toward a regulatory environment that is more outcome-focused, more explicit in its expectations, and more demanding in its assurance mechanisms.
Pentagram’s experience is that entities that have adopted an integrated, all-hazards approach, with particular emphasis on personnel security, supply chain visibility, and enterprise governance, are better positioned to respond to this shift.
This includes moving beyond minimum compliance, investing in workforce capability, and embedding security risk into core business processes. These characteristics are consistent with a model that is adaptable to legislative change and resilient to evolving threat conditions.
Conclusion
The Independent Review’s key finding is that the SOCI Act requires major legislative change to remove complexity and confusion while becoming more agile and responsive. Pentagram agrees.
Acknowledging that the Review could analyse only the literature available to it and the information that respondents provided, the Review has some strong findings and recommendations that make sense to Pentagram and fit within the context of Home Affairs’ proposed amendments. Pentagram’s concern is that the emerging threats listed in the Review (page 7), and the threats Home Affairs has stated are driving it to strengthen CIRMP obligations in select sectors, are in play today. Government entities operate at a pace that is not commensurate with the speed and toxicity of the threats critical infrastructure faces today. Government advice is a lagging indicator.
Pentagram believes that SOCI entities have sufficient threat information to act today. The Australian Security Intelligence Organisation, since 2023, has provided clear threat advice, as have other analytical agencies and the media. But the nature of Home Affairs’ approach and engagement with SOCI entities is not driving behaviour. SOCI entities, as the Review identified, are mostly detached from the national security realities Australia faces today and into the foreseeable future, still operating in a business-as-usual compliance-driven, cost-minimisation mindset. Pentagram recognises the realities of threat today, and the vulnerable position Australian governments have allowed to be created.
Ultimately, people will make the difference. Educating people about protective security in terms of asset / threat / vulnerability / risk mitigation is key. This is the basis of mitigating the personnel hazard and maximising the security effect that people can deliver.
People are a sunk cost, and an asset, that can deliver an outsized security dividend if led and managed with focus. To achieve that dividend, boards and managers, employees and contractors, and suppliers need to have the benefits of SOCI explained so they might see that SOCI is good for business, and is fundamental to Australia’s national security.

