What is CIRMP Critical Infrastructure Risk Management Program and what do you need to do to be compliant?

With the deadline looming for CIRMP compliance we take a deeper dive into the Australian regulation and look at what you need in place by 17 August 2023, the end of the six-month grace period under the CIRMP Rules.

Understanding CIRMP Compliance in Australia

The Critical Infrastructure Risk Management Program (CIRMP) is a key requirement under the Security of Critical Infrastructure Act 2018 (SOCI Act). It mandates responsible entities to establish, maintain, and comply with a risk management program to safeguard their critical infrastructure assets from threats including cyber incidents, natural disasters, and supply chain disruptions.

The CIRMP Rules came into effect on 17 February 2023, with a six-month grace period requiring compliance by 17 August 2023. Entities must now have an operational CIRMP in place and provide an annual report, approved by the board or other governing body, to the relevant Commonwealth regulator or the Secretary of the Department of Home Affairs, confirming whether the program is up to date and whether any hazard had a significant impact on the asset during the reporting period. The one requirement with a longer runway is the cyber security framework obligation, which must be met by 17 August 2024.

Who Needs a Critical Infrastructure Risk Management Plan?

CIRMP applies to organisations designated as responsible entities for critical infrastructure assets under the SOCI Act, but only for the asset classes the CIRMP Rules switch on, not every asset the Act covers. Those classes include electricity, gas and liquid fuel, water and sewerage, hospitals, payment systems and other financial market infrastructure, food and grocery, freight and public transport, data storage and processing, broadcasting, and domain name systems. Compliance is not optional: failure to implement and maintain a CIRMP can result in civil penalties under the Act, as well as increased risk exposure.

Core Components of a Critical Infrastructure Risk Management Plan (CIRMP)

A CIRMP must address four key areas:

1. Hazard Identification & Risk Assessment

  • Identifying each hazard that poses a material risk to the availability, integrity, reliability or confidentiality of the asset.
  • Considering cyber and information security, personnel, supply chain, physical security and natural hazards at a minimum.

2. Risk Mitigation Strategies

  • Minimising or eliminating, so far as is reasonably practicable, the material risk of each hazard occurring, and mitigating the impact if it does.
  • Ensuring security controls align with best practice frameworks and industry standards.

3. Incident Response Planning

  • Establishing structured response plans for various threat scenarios.
  • Defining roles and responsibilities for crisis and incident management teams.

4. Regular Review & Continuous Improvement

  • Updating the CIRMP to reflect emerging threats and operational changes.
  • Conducting regular training and awareness programs for staff.

The hazard categories below reflect the material risks named in the CIRMP Rules, but the list is not exhaustive: a responsible entity must address any hazard that poses a material risk to its asset, whether or not the Rules name it.

Categorizing critical infrastructure hazards

Critical infrastructure hazards can be grouped into five categories that are relevant to responsible entities. The five hazard categories are:

1. General (all-hazards)

The general category covers the processes and systems that must be established and maintained as part of the CIRMP regardless of hazard type: identifying the operational context of the asset, maintaining material risk mitigation plans, and reviewing and managing hazards, assets and their interdependencies on an ongoing basis.

2. Cyber and information security hazards

This category refers to the establishment and maintenance of processes and systems that minimise any material risk of a cyber and information security hazard occurring or impacting an asset. Within this category, organisations must comply with a cyber security framework listed in the CIRMP Rules (the ASD Essential Eight, AS ISO/IEC 27001, the NIST Cybersecurity Framework, the Cybersecurity Capability Maturity Model (C2M2) or the Australian Energy Sector Cyber Security Framework (AESCSF)), or an equivalent framework, at the maturity level the Rules specify. Entities have until 17 August 2024 to meet this particular requirement.

3. Personnel hazards

This category relates to critical workers and contractors and their access to sensitive information and systems. It covers everything from conducting proper background checks before access is granted to thorough and complete off-boarding of employees and contractors, so that the risk of insider-driven disruption, whether malicious or negligent, is limited.

4. Supply chain hazards

Focused on the risk of disruption to critical supply chains, this category covers everything from over-reliance on a single supplier to supply chain interference and exploitation, as well as misuse of privileged access by suppliers and unauthorised disclosure of intellectual property.

5. Physical security hazards and natural hazards

This category covers anything from unauthorised physical access to critical components or facilities to natural disasters such as floods, bushfires and storms. Both the likelihood of these hazards occurring and the impact they can cause should be minimised where reasonably practicable.

Streamlining CIRMP with a dedicated digital tool

Using a dedicated digital tool for a Critical Infrastructure Risk Management Program enables you to log, categorise, manage and report critical infrastructure assets, hazards, material risks and their dependencies. In Exonaut, you can get an up-to-date overview of the current situation or drill down to specific entries.

Risk mitigation and incident recovery plans can be linked to specific hazards and risks. Any actions taken to minimize or mitigate risks can be logged for review. Intuitive, time-stamped reports can be autogenerated at any time, and shared with stakeholders and auditors as part of the compliance process.

Collecting all your data in one secure system ensures full version control and an audit trail, something that is typically a problem when using spreadsheets and other make-do systems for reporting. Exonaut's access controls also ensure that only the right people can access sensitive data.

A platform approach to resilience

Additional options in Exonaut include training and exercise management, which is ideal for organisations that identify capability gaps as part of their Critical Infrastructure Risk Management Program and wish to close them through effective training.

For organisations that wish to connect risk management, incident and crisis management or other elements of their organisational resilience program to CIRMP, Exonaut Resilience offers a full suite of products for planning, preparation, prevention, response and recovery in an integrated platform, so that you are equipped to handle the threats, uncertainties and disruptions that lie ahead.
