4C Strategies>News>What is CIRMP Critical Infrastructure Risk Management Program and what do you need to do to be compliant?

What is CIRMP, Critical Infrastructure Risk Management Program?

With the deadline looming for CIRMP compliance we take a deeper dive into the Australian regulation, and look at who needs to comply, what needs to be in place by 18 August 2023, and how digital tools can help.

Less than six months to be CIRMP compliant?

On Feb 17th The Australian Cyber and Infrastructure Security Centre (CISC) declared that the Critical Infrastructure Risk Management Program (CIRMP) had taken effect and that organizations impacted by it must take the necessary steps to meet and retain the program by August 18, 2023.

As a part of the program, organizations must have documented proof of the controls in place and the plan for mitigating material risks pertaining to critical infrastructure assets. Due to the complexity of selecting and implementing an appropriate cyber security framework at an enterprise level, entities have a further 12 months to meet the CIRMP cyber security framework requirements.

Discover what’s possible with Exonaut
Streamline CIRMP compliance and build resilience capabilities

Read More

Who is impacted by CIRMP?

Many–but not all–of the country’s critical assets providers will be impacted by the program and will therefore have to be compliant by August 18th. The relevant sectors are:

List Box Title
  • Broadcasting
  • Domain name systems
  • Data storage or processing
  • Electricity
  • Energy market operators
  • Gas
  • Liquid fuels
List Box Title
  • Payment systems
  • Food and groceries
  • Hospitals (designated)
  • Freight infrastructure
  • Freight services
  • Water

What must CIRMP-compliant entities do?

Requirements can be broken down into four steps in a continuous cycle of improvement that must be performed as part of the program:

Step 1

Identify every hazard with a material risk that, should that risk occur, could have a relevant impact on the critical infrastructure asset

Step 2

As far as is reasonably practicable, minimize or eliminate the material risk of the hazard(s) occurring

Step 3

As far as is reasonably practicable, mitigate the relevant impact of such a hazard on the asset

Step 4

Comply and align with other requirements set out in the CIRMP Rules

See Exonaut Resilience in action

4C Strategies provides government, corporate and military clients with a broad range of digital solutions designed to enable capability development, meet compliance, manage training and exercises, and enhance resilience across the organization. Book a free, live demo or meet with one of our expert consultants to discuss your requirements.

Book a demo

What is a material risk?

  • check
    A stoppage or major slowdown of an asset’s function for an unmanageable period.
  • check
    A substantive loss of access to, or deliberate or accidental manipulation of a critical component of an asset.
  • check
    An interference with an asset’s operational technology or information communication technology essential to the functioning of an asset.
  • check
    The storage, transmission or processing of sensitive operational information outside of Australia, including layout diagrams, schematics, geospatial information, configuration information, operational constraints or tolerances information, and confidential information about an asset.
  • check
    Remote access to operational control or operational monitoring systems of the asset.

These are the material risks as defined in the Critical Infrastructure Risk Management Program, but the list is not exhaustive.

Categorizing critical infrastructure hazards

Critical infrastructure hazards can be categorized into five vectors that are relevant to organizations. The five hazard categories are:

1. General

All hazards are the general processes or systems that must be established and maintained as a part of CIRMP, such as identifying operational context and material risk mitigation plans, as well as the review and management of hazards, assets and their interdependencies.

2. Cyber and information security hazards

This category refers to the establishment and maintenance of processes and systems that minimize any material risk of a cyber and information security hazard occurring or impacting an asset. Within this category, organizations must comply with an appropriate Cyber Security Framework, as outlined in the CIRMP program rules.

3. Personnel hazards

This relates to critical workers / contractors and their access rights to sensitive information. This includes everything from conducting proper background checks to fulfilling thorough and complete off-boarding of employees / contractors to limit the risk of internally-driven disruptions and negligence.

4. Supply chain hazards

Focused on the risk of disruption to critical supply chains, this covers everything from over reliance on suppliers to supply chain interference and exploitation as well as misuse of privileged access and distribution of IP.

5. Physical security hazards and natural hazards

Including anything from unauthorized physical access to critical components / facilities to natural disasters, whereby the risk of these happening and the impact that they can cause should be minimized where possible.

Streamlining CIRMP with a dedicated digital tool

Using a dedicated digital tool for a Critical Infrastructure Risk Management Program enables you to log, categorize, manage, and report critical infrastructure assets, hazards, material risks, and their dependencies. In Exonaut, you can get an up-to-date overview of the current situation or drill down to specific entries.

Risk mitigation and incident recovery plans can be linked to specific hazards and risks. Any actions taken to minimize or mitigate risks can be logged for review. Intuitive, time-stamped reports can be autogenerated at any time, and shared with stakeholders and auditors as part of the compliance process.

Collecting all your data in one, secure system ensures full version control and transparency – something that is typically a problem when using spreadsheets and other make-do systems for reporting. Exonaut’s strict access controls also ensure only the right people can access sensitive data.

A platform approach to resilience

Additional options in Exonaut include training and exercise management, which is ideal for organizations who identify capability gaps as a part of their Critical Infrastructure Risk Management Program, and wish to close them through effective training.

For organizations that wish to connect Risk Management, Incident and Crisis Management or other elements of their organizational resilience program to CIRMP, Exonaut Resilience offers a full suite of products for planning, preparation, prevention, response, and recovery in and integrated platform. This is the industry-leading platform for ensuring you are fully equipped to handle the threats, uncertainties and disruptions that lie ahead.

Message sent

Thank you
Your message has been received. We will get back to you as soon as possible.

Thank you!

You are now registered.

Download pack

Photo credits


Choose size
  • Original image
  • Large image (2900px)
  • Medium image (1920px)
  • Small image (1024px)

Get in touch

Book a demo

I agree to be contacted for the purpose indicated above, and to receive information about 4C Strategies’ products, services and events. To learn more about how 4C Strategies process data, please read our privacy statement.

Get in touch

I agree to be contacted for the purpose indicated above, and to receive information about 4C Strategies’ products, services and events. To learn more about how 4C Strategies process data, please read our privacy statement.