
Employees in organisations hold varying levels of responsibility and trust, with some having direct access to critical assets, systems, protected information, decision-making processes, and key operational functions.
Being a critical worker is both a privilege and a responsibility – those entrusted with access to critical assets play an important role in maintaining the security and continuity of essential services. However, this responsibility is not one-sided; organisations that grant this trust also carry the duty to ensure the suitability, integrity, and accountability of those people in critical positions.
Ensuring the suitability, security, and resilience of critical workers is essential for critical infrastructure entities. The Security of Critical Infrastructure Act 2018 (SOCI Act) and the Security of Critical Infrastructure (Critical infrastructure risk management program (CIRMP)) Rules 2023 provide a framework for identifying and managing critical workers, mitigating insider threats, and securing access to critical assets.
This article outlines best practices for identifying critical workers, workforce screening, ongoing suitability monitoring, and implementing a robust Critical Worker Identification and Management Framework.
In an era of increasing security risks, safeguarding the integrity of the people in critical positions is not just a regulatory obligation aligned with workplace health and safety duties, but a fundamental necessity to protect national security, operational resilience, and public trust. This requires embedding a strong security culture, where both organisations and individuals understand their shared responsibility in protecting critical assets.
Understanding the role of critical workers
Critical workers are appointed to positions of trust and care, meaning their roles are integral to the secure and effective operation of critical infrastructure entities.
Section 5 of the SOCI Act defines a critical worker as an individual whose absence or compromise would prevent the proper function of a critical asset or cause significant damage. This includes employees, interns, contractors, and subcontractors who have access to or control over critical components of an asset. Given the high-risk nature of these roles, organisations must establish rigorous processes to identify and manage these individuals effectively.
Beyond internal employees, critical workers may also be contractors or employees of major suppliers who have direct access to critical infrastructure assets. These external personnel must be managed within the broader third-party risk management framework, incorporating contractual obligations, education and training, reporting mechanisms, and audit processes. Failing to account for the security risks associated with third-party workers could expose organisations to vulnerabilities that threaten operational continuity.
How to identify critical workers
Identifying critical workers is not just about job titles; it requires a structured, ongoing assessment of role-based risks, operational impact, and security requirements.
Organisations should adopt a comprehensive approach that includes regular reviews, continuous monitoring, and contingency planning for organisational changes, leave cover, and emergency situations (e.g., cyber attack). The business management system should, where appropriate, integrate critical worker identification and risk management to ensure alignment with broader enterprise-level security, compliance, and workforce planning processes.
To determine which positions qualify as critical, entities should follow a four-step approach:
1. Assess operational impact: senior leaders must identify roles whose absence or compromise could disrupt operations or cause significant harm to critical infrastructure. This includes personnel whose decisions directly affect security, resilience, and regulatory compliance. Organisations must establish contingency plans to manage temporary absences due to leave, secondment, or role transitions, ensuring operational continuity and preventing security vulnerabilities.
2. Evaluate access to critical assets: organisations must assess which employees, contractors, or third-party personnel have access to critical components such as systems, networks, facilities, business-critical data or sensitive information. It is equally important to consider indirect influence – those with decision-making authority over critical operations. Access privileges should be regularly reviewed and updated to ensure they remain aligned with evolving organisational and security requirements.
3. Define risk-based categories for workforce screening: not all roles require the same level of scrutiny, so a tiered approach should be adopted based on trust, access, and risk exposure. High-risk roles may necessitate enhanced background checks, continuous monitoring, conditions, or specific checks (e.g., psychometric testing). Clear thresholds for escalation should be defined to ensure that critical workers are periodically reassessed, reducing the risk of insider threats. All of these conditions must be agreed upon with the individual as a requirement of their employment.
4. Integrate with business and security management systems: identifying and managing critical workers should not be a standalone process but embedded into corporate governance, workforce planning, and business continuity frameworks. Where appropriate, technology-driven monitoring solutions – such as identity and access management systems, insider threat detection tools, and workforce analytics – should be leveraged to support proactive security measures. Organisations should also develop reporting mechanisms to track personnel movements, detect potential security risks, and escalate concerns in a timely manner.
By integrating these principles into workforce security planning, organisations can systematically identify critical workers, implement robust risk management measures, and maintain operational resilience while ensuring compliance with regulatory frameworks.
Screening of critical workers
The level of screening conducted on a candidate should be proportionate to the level of risk posed by their role to organisational objectives, operational processes, and business impact. The screening process should be designed to mitigate potential threats, such as unauthorised access to sensitive information, insider threats, and security breaches.
Pre-employment screening should include identity verification, qualification checks, and a thorough assessment of employment history. Additional background checks may be required depending on the sensitivity of the role, such as criminal history checks, financial integrity assessments, open-source intelligence (OSINT) checks, and psychometric testing to evaluate integrity and trustworthiness.
Beyond the initial hiring stage, organisations must implement ongoing suitability assessments to ensure that individuals remain fit for their roles. Behavioural analysis, periodic re-screening, and anomaly detection in access patterns and behaviour should be integrated into an organisation’s personnel security framework. The offboarding process is equally critical: access must be revoked immediately to prevent security risks from departing employees or contractors, and departing personnel should be given clear written advice about safeguarding the information they carry from their former employment.
Critical Worker Identification and Management Framework
A structured Critical Worker Identification and Management Framework should be embedded within an organisation’s governance model to ensure compliance with regulatory obligations and enhance overall security.
This framework must detail the process for identifying high-risk positions that require additional screening, the accountability measures in place for personnel security, and defined escalation procedures for managing insider threats. Ensuring clear documentation and external validation mechanisms will help organisations demonstrate compliance with the CIRMP Rules and other relevant security standards.
A Register of Critical Workers should be maintained, documenting positions that require enhanced background checking and workforce screening. However, a position-based approach is often more effective than tracking individuals. By focusing on critical positions, organisations can ensure that security and risk management measures apply consistently, regardless of personnel changes.
This structured approach enables better recruitment, onboarding, training, and ongoing assessment processes, ensuring that those who fill critical roles meet the necessary security and trustworthiness standards.
For a successful rollout of a Critical Worker Identification and Management Framework, four key principles must be prioritised:
- Transparency in communication: open and clear communication is essential to gaining stakeholder buy-in. Employees, contractors, and leadership must understand why workforce screening is necessary, how it affects them, and what safeguards are in place to ensure fairness.
- Privacy and confidentiality: organisations must adhere to strict privacy policies when conducting workforce screening. Informed consent must be obtained, but it should be recognised that consent is not enduring. Security measures must balance risk mitigation with the ethical treatment of personal data.
- Organisational probity: fairness, impartiality, and transparency should underpin all workforce screening and assessment processes. Those involved in screening should be vetted to the highest level, operate with integrity, provide clear notice of procedures, and ensure employees have appropriate avenues for review or appeal.
- Risk management as a core principle: workforce screening must be deeply integrated into an organisation’s overall risk management strategy. Security vetting should align with broader enterprise risk management frameworks to ensure consistency, mitigate insider threats, and prevent misuse of privileged access.
By embedding these principles into corporate governance, organisations can proactively manage personnel security risks, strengthen regulatory compliance, and enhance the overall resilience of critical infrastructure operations.
Conclusion
The identification and management of critical workers is not simply an HR function but a strategic imperative in enterprise risk management. Personnel security risks, including insider threats, can have far-reaching consequences – disrupting operations, exposing organisations to regulatory breaches, and damaging corporate reputation. Failure to proactively manage these risks can lead to non-compliance with the SOCI Act, financial and legal ramifications, reputational harm, and even national security implications.
A proactive, structured approach to critical worker identification and management is essential to safeguarding Australia’s critical infrastructure. Aligning personnel security strategies with the SOCI Act and the CIRMP Rules enables organisations to mitigate risks before they materialise – protecting critical assets from insider threats, unauthorised access, and security vulnerabilities.
By embedding a robust Critical Worker Identification and Management Framework into business operations, security management systems, and governance frameworks, organisations can enhance resilience, maintain operational integrity, and meet regulatory obligations with confidence.
For organisations seeking expert guidance in developing a robust Critical Worker Identification and Management Framework, Pentagram Advisory provides specialised support in workforce security, personnel risk management, insider threat mitigation (including in supply chain) and SOCI compliance strategies. Get in touch with our team to explore tailored solutions that enhance the security and resilience of your critical infrastructure assets.