Regulatory Notice: The SOCI Act requires the Board to approve an annual report attesting that the CIRMP is in place and up to date. Relying solely on internal IT dashboards is no longer a defensible position.
SOCI Compliance —
Minimise Scope. Protect the Board.
The Security of Critical Infrastructure (SOCI) Act mandates that responsible entities establish, maintain, and comply with a Critical Infrastructure Risk Management Program (CIRMP). Crucially, the Board must approve an annual report each year attesting that this program is in place and being maintained, and in practice that means standing behind its effectiveness.
But before you build a CIRMP, you must ruthlessly define your boundaries. If you fail to legally ring-fence your critical assets, you end up securing a warehouse or a logistics fleet with bank-grade security—at massive capital expense.
SOCI compliance fails when governance is treated as an IT task rather than a Board mandate.
Annual Report Risk
The “Watermelon” Scenario
Attesting to effectiveness without independent validation creates a scenario where dashboards report green to the board, but critical capability gaps lie hidden underneath.
Over-Scoping Liability
The Boundary Failure
Failing to legally ring-fence your critical assets means securing non-critical infrastructure (like warehouses and logistics fleets) at extreme, unnecessary cost. Scope minimisation is step one.
Incident Notification
The 12 & 72-Hour Statutory Clocks
SOCI mandates two reporting windows for cyber security incidents affecting a critical infrastructure asset: 12 hours where the incident has a significant impact on the asset, and 72 hours where it has a relevant impact. Most mid-market organisations lack the rapid escalation protocols required to meet these statutory deadlines.
Stale CIRMPs
Static Document Liability
Many Risk Management Programs are treated as static documents written once for an auditor. The Act explicitly requires them to be “maintained”—dynamically reflecting real-time changes in your threat landscape.
The Director’s Dilemma
“We can successfully minimise your scope—the warehouse and the logistics fleet are out. But the processing floor and the cold chain control systems are in. And right now, those assets have no governance documentation, no incident response plan, and no board attestation. Under the SOCI Act, your directors are personally exposed.”
A Structured Approach to SOCI Governance.
From rapid maturity diagnostics to complete governance frameworks.
Scope & Boundaries Site Visit
A full-day on-site visit to legally minimise your regulatory scope. We define exactly which assets qualify as “critical infrastructure” under the Act and which do not.
- ✓ Scope boundary map
- ✓ Preliminary CIRMP asset register
- ✓ Defensible exclusion documentation
CIRMP Development & Governance
Full development of the Critical Infrastructure Risk Management Program. We build the governance infrastructure required to protect the assets we couldn’t scope out.
- ✓ Board-approved written CIRMP
- ✓ Incident reporting procedure (12/72hr)
- ✓ Board attestation framework
- ✓ Vendor briefing pack for OT specialists
Compliance Officer as a Service
I handle the annual government reporting and the mandatory board attestation so your directors don’t risk personal fines or regulatory enforcement.
- ✓ Annual CIRMP review & maintenance
- ✓ Incident reporting support
- ✓ Board briefing preparation
- ✓ Regulatory change monitoring
Access the SOCI Criticality Scorecard
Find out in 5 minutes whether the SOCI Act applies to your business, and what that means for your board personally. A clean, 5-question PDF with traffic-light output designed for the CEO to forward directly to the Board.
Dean Kastelic
Former Enterprise CISO
Dean works with organisations across Australia’s 11 critical sectors to ensure SOCI compliance is a governance asset, not a liability. He bridges the gap between technical risk management and Board-level attestation.
“Book 15 minutes to discuss your current CIRMP status and identify potential attestation gaps. Completely confidential. No obligation.”
