On 28 November 2024, the Cyber and Infrastructure Security Centre (CISC), within the Department of Home Affairs (DHA), shared key updates on upcoming audit activities aimed at ensuring compliance with the Security of Critical Infrastructure Act 2018 (SOCI Act).
The compliance landscape for the security of critical infrastructure in Australia has evolved significantly since the introduction of the SOCI Act in 2018. With obligations progressively commencing in 2021, 2022 and 2024, DHA has developed a structured compliance regime to enhance the resilience of critical infrastructure assets. For further details, review the CISC Compliance and Enforcement Strategy.
From initial education and awareness programs to the implementation of trial audits and a formal audit program, the journey reflects a systematic approach to fostering a culture of compliance with the law. The focus has been on enabling critical infrastructure entities to determine if they have SOCI Act obligations and assisting regulated entities while identifying and addressing gaps in adherence to the SOCI Act and its associated rules.
SOCI Compliance – Trial Audits
The compliance journey began with a series of trial audits conducted by CISC up until October 2024. These audits aimed to assess entities’ understanding of their SOCI obligations and refine DHA’s audit framework.
Stage 1: Initial Trial Audits
Ten desktop audits were conducted across various critical infrastructure asset classes. These audits tested the framework for key obligations, such as the asset register and mandatory reporting of cyber incidents. Key findings included:
- Asset Register Obligations: Many entities lacked processes to regularly update information, impacting the national picture of critical infrastructure interdependencies.
- Cyber Incident Reporting: Some entities struggled to meet the 12-hour and 72-hour timeframes for reporting significant and relevant cyber security incidents, respectively.
- Critical Worker Identification: Several entities lacked robust processes to identify critical workers essential for critical infrastructure functionality.
- Third-Party Data Storage Notification: Entities were not informing third-party providers when they stored or processed business-critical data on behalf of a critical infrastructure asset (s12F(3) of the SOCI Act). This requirement has been in effect since December 2021.
Overall, the trial audits revealed that 70% of the ten audited entities were fully or mostly compliant with the SOCI obligations.
Stage 2: Critical Infrastructure Risk Management Program Audits
A subsequent set of eight audits focused on the Critical Infrastructure Risk Management Program (CIRMP) obligations. These audits assessed the adequacy of CIRMPs, particularly in identifying and mitigating material risks. Notable insights included:
- Cyber and Information Security Risks: Entities demonstrated high levels of investment and understanding in this area.
- Natural Hazards and Supply Chain Risks: These risks were generally well-managed, though supply chain complexity posed challenges.
- Insider Threat and Physical Security: These areas were underdeveloped and required enhanced frameworks and clearer guidance.
Formal Audit Program
Starting in December 2024, CISC commenced its formal audit program, marking a new phase in the SOCI compliance regime. Auditees are selected based on sector and asset class to ensure a representative understanding of compliance across Australia’s critical infrastructure, and will be progressively contacted.
Key features:
- Desktop audits: Most audits are conducted virtually to minimise disruption and cost.
- Findings and recommendations: Auditees receive detailed reports with suggested corrective actions and agreed timeframes.
- Regulatory posture: Enforcement actions are reserved for serious or egregious non-compliance, such as deliberate misconduct or providing false or misleading information (e.g., falsely claiming Board approval of CIRMPs).
The audit process prioritises collaboration, with regulators providing feedback to help entities enhance compliance.
CIRMP Annual Review
The first CIRMP annual reporting period (2023-24) revealed important trends:
- Submissions: 457 annual reports were submitted, covering 831 critical infrastructure entities.
- Significant impacts: 32 significant impacts were reported, with natural hazards, cyber incidents, and supply chain disruptions as the main causes.
- Framework adoption: Entities predominantly used established cybersecurity frameworks, including AESCSF (231 entities), Essential 8 (84 entities), ISO 27001 (56 entities), and NIST (26 entities). Stakeholders called for clearer guidance on frameworks for physical security, personnel security, and supply chain risks.
- Compliance deadline: The CIRMP annual report submission deadline is 28 September. Late submissions are considered non-compliant.
Lessons Learned
The compliance journey has provided valuable insights for critical infrastructure owners and operators:
- External validation as Gold Standard: DHA’s Deputy Secretary of the Cyber and Infrastructure Security Group, Hamish Hansford, observed varying levels of assurance regarding evidence submitted for compliance. Entities with externally validated CIRMPs consistently demonstrated higher levels of confidence and effectiveness. External validation, widely regarded by CISC as the gold standard, provides a more comprehensive assessment than internal reviews, instilling greater confidence in compliance measures for both CISC and the SOCI entity.
- Guidance and Standards: CISC recognised the need for more prescriptive guidance on standards and frameworks for non-cyber hazards such as physical security, personnel security, and supply chain security. CISC highlighted the importance of co-designing applicable standards through the Trusted Information Sharing Network (TISN) to ensure flexibility and suitability across sectors.
- Collaboration and engagement: Constructive feedback during trial audits emphasised the value of continuous dialogue between regulators and entities to refine compliance approaches.
- Focus areas for improvement:
  - Strengthening processes for asset register updates and cyber incident reporting.
  - Enhancing insider threat management and personnel security practices.
  - Addressing cost challenges associated with implementing physical security measures.
Conclusion
The SOCI compliance regime represents a significant step toward safeguarding Australia’s critical infrastructure. Through a robust audit program, a focus on external validation, and collaborative engagement, CISC is fostering a culture of compliance and resilience.
For critical infrastructure entities, the path forward involves a thorough understanding of obligations, adopting robust frameworks, and prioritising external validation.
Pentagram Advisory strongly encourages all responsible entities to review their compliance with the SOCI Act, update their CIRMP as required, and take proactive steps to meet these obligations. As the compliance landscape continues to evolve, we remain dedicated to helping organisations navigate these complexities, achieve compliance with the SOCI Act, enable secure critical infrastructure operations, and provide external validation to enhance confidence in meeting SOCI Act requirements.
Also, our eLearning Hub offers a comprehensive education program on the SOCI Act, designed to enhance employee understanding of SOCI provisions, improve risk management, strengthen incident response, and foster collaboration. The eLearning Hub equips employees, executives, and third parties—particularly the most exposed employees (critical workers)—to effectively meet obligations under the SOCI Act.
If you have any questions or need tailored advice, please reach out to us at [email protected].