Risk management program now mandatory for certain critical infrastructure assets

27 February 2023

The next tranche of Australia’s new critical infrastructure regime is here. As foreshadowed in our previous article, the much anticipated Security of Critical Infrastructure (Critical infrastructure risk management program) Rules (LIN 23/006) 2023 (CIRMP Rules) came into force on 17 February 2023. Entities responsible for certain critical infrastructure assets prescribed by the CIRMP Rules have until 17 August 2023 to adopt a critical infrastructure risk management program (CIRMP).

Anyone operating in the fields identified below should carefully assess whether their assets meet the definitions of criticality under the Security of Critical Infrastructure Act 2018 (Cth) (SoCI Act), if they have not already done so. If an asset is captured, and once the entity is up to date with other obligations such as registering that critical asset with the Cyber and Infrastructure Security Centre (CISC), the entity will need to begin developing a compliant CIRMP.

A CIRMP needs to address risks associated with digital systems, personnel, supply chains and physical operations, but there are certain legally defined matters that specifically need to be addressed, including:

  • identifying ‘critical components’ of critical infrastructure assets;
  • identifying ‘critical workers’, in respect of whom the Government is making available a new AusCheck background checking service; and
  • cybersecurity protections, where the CIRMP Rules demand compliance with at least one of a small number of nominated industry standards.

Annual reporting obligations look set to ensure that there is little room for entities responsible for critical infrastructure assets to avoid their CIRMP obligations.

Assets covered by the CIRMP rules

The following critical infrastructure assets are prescribed by the CIRMP Rules:

  • critical broadcasting asset;
  • critical domain name system;
  • critical data storage or processing asset;
  • critical electricity asset;
  • critical energy market operator asset;
  • critical gas asset;
  • designated hospital [1];
  • critical food and grocery asset;
  • critical freight infrastructure asset;
  • critical freight services asset;
  • critical liquid fuel asset;
  • critical financial market infrastructure asset [2]; and
  • critical water asset.

Each of these categories is subject to legislative criteria specifying what it means to be ‘critical’ to that sector, as discussed previously.

In addition to the categories listed above, entities responsible for assets that do not meet the statutory criteria for criticality, but that have been declared to be a critical infrastructure asset by the Minister for Home Affairs under section 51(1) of the SoCI Act, are also required to adopt a CIRMP.

Key requirements under the CIRMP rules

Hazards

A CIRMP is a written program that identifies material risks, the steps to minimise or eliminate those material risks, and mitigation strategies, covering four categories of hazards. The key requirements of the CIRMP Rules in respect of each category of hazard are outlined below.

Cyber and information security hazards

Key requirements: establish and maintain a process or system that, as far as reasonably practicable, minimises any material risk of a cyber hazard occurring, and seeks to mitigate the impact should such an event occur.

As part of that process or system, the entity must, by 17 August 2024, comply with at least one of the following information security standards and conditions:

  • AS ISO/IEC 27001:2015 (the Australian adoption of ISO/IEC 27001:2013);

  • Essential Eight Maturity Model (published by the Australian Signals Directorate) – meet maturity level one;

  • Framework for Improving Critical Infrastructure Cybersecurity (the NIST Cybersecurity Framework);

  • Cybersecurity Capability Maturity Model (C2M2) – meet Maturity Indicator Level 1; or

  • the 2020-21 AESCSF Framework Core (Australian Energy Sector Cyber Security Framework) – meet Security Profile 1.

The nominated tiers (Essential Eight maturity level one, C2M2 MIL-1 and AESCSF SP-1) are the lowest non-zero level of each framework, so they set a compliance floor rather than a target; an entity's own risk assessment may well call for more.

Personnel hazards

Key requirements: establish and maintain a process or system that:

  • identifies ‘critical workers’ (as defined in the SoCI Act);

  • permits a critical worker to access ‘critical components’ (as defined in the SoCI Act) of the critical infrastructure asset only where that worker has been assessed as suitable; and

  • as far as reasonably practicable, identifies the steps to minimise or eliminate material risks arising from malicious or negligent personnel, as well as the material risks arising from the off-boarding process for outgoing personnel.

CISC is encouraging entities responsible for critical infrastructure assets to use a new AusCheck background checking service being made available by the Government as part of assessing whether a critical worker is suitable to have access to critical components of its assets.

Supply chain hazards

Key requirements: establish and maintain a process or system that, as far as reasonably practicable, identifies the steps to minimise or eliminate material risks, and mitigate the relevant impact, of:

  • unauthorised access to, interference with or exploitation of the asset’s supply chain;

  • misuse of privileged access to the asset by any provider in the supply chain;

  • disruption of the asset due to supply chain issues; and

  • threats to people, assets, equipment, products, services, distribution and intellectual property within supply chains.

Physical security hazards and natural hazards

Key requirements: establish and maintain a process or system that:

  • identifies the physical critical components of the critical infrastructure asset;

  • includes an incident response plan for unauthorised access to a physical critical component;

  • controls access to the physical critical components;

  • tests the security arrangements for the asset to ensure they are effective and appropriate; and

  • as far as reasonably practicable, minimises or eliminates material risks, and mitigates the relevant impact, of physical security hazards and natural hazards on the critical infrastructure asset.

A CIRMP must also:

  • establish and maintain a process or system that identifies:
    • the operational context of the critical infrastructure asset;
    • the material risks to the critical infrastructure asset; and
    • as far as reasonably practicable, the ways to minimise or eliminate the material risks and mitigate the impact of each hazard on the critical infrastructure asset;
  • describe the outcome of that process or system, and the interdependencies between the critical infrastructure asset and other critical infrastructure assets;
  • identify the position within the entity that will be responsible for developing and implementing the CIRMP and reviewing the CIRMP;
  • contain:
    • the contact details of the responsible persons; and
    • a risk management methodology; and
  • describe the circumstances in which the entity will review the CIRMP.

Material risk

‘Material risk’ is not exhaustively defined in the SoCI Act or the CIRMP Rules; however, the CIRMP Rules specify that it includes:

  • a stoppage or major slowdown of the function of the critical infrastructure asset for an ‘unmanageable’ period;
  • the substantive loss of access to, or deliberate or accidental manipulation of, a critical component of the asset;
  • an interference with the critical infrastructure asset’s operational technology or information communication technology essential to the functioning of the asset;
  • the storage, transmission or processing of sensitive operational information outside Australia, including confidential or sensitive data about the asset (so hosting asset configuration or telemetry in an offshore cloud region is squarely within this limb); and
  • remote access to operational control or operational monitoring systems of the critical infrastructure asset (including vendor remote-support connections into those systems).

The requirement to minimise or eliminate a material risk so far as reasonably practicable contemplates a degree of flexibility to manage those risks. It recognises the fact that entities are not expected to take steps that are excessively burdensome to minimise or eliminate a material risk.

Annual report

Entities that are required to adopt a CIRMP must also provide an annual report (in the form approved by CISC) relating to the CIRMP at the end of each financial year. The SoCI Act requires the annual report to be approved by the entity's board, council or other governing body, so it is not a matter that can be left entirely to the security function. The annual report must include:

  • a declaration as to whether the CIRMP was or was not up to date at the end of the financial year; and
  • if a hazard had a significant relevant impact on a critical infrastructure asset, a statement that:
    • identifies the hazard;
    • evaluates the effectiveness of the program in mitigating the significant relevant impact; and
    • outlines the variation, if the program was varied during the financial year as a result of the occurrence of the hazard.

This report must be submitted within 90 days after the end of each Australian financial year. Given the grace period, the first annual report is not due for submission until the financial year ending June 2024, which must be submitted by no later than 28 September 2024. Notwithstanding the grace period, CISC encourages entities to submit an annual report voluntarily for the financial year 2022-23.

How can HWL Ebsworth help?

HWL Ebsworth’s Privacy, Data Protection and Cyber Security team advises critical infrastructure operators regarding their obligations under the Security of Critical Infrastructure Act 2018. If you have any queries about the new risk management program rules and how they may affect your organisation, please do not hesitate to contact us for further information on how we can assist you.

This article was written by Daniel Kiley, Partner and Paul Sigar, Solicitor.


[1] A designated hospital means a critical hospital listed in Schedule 1 of the CIRMP Rules, which names over 90 hospitals across Australia.
[2] The CIRMP Rules currently only cover critical financial market infrastructure assets used in connection with the operation of a payment system that is critical to the security and reliability of the financial services and markets sector.
