How to Stay Compliant With the Now-Enforceable SOCI Act
The Security of Critical Infrastructure Act (SOCI), introduced by the Australian federal government in 2018, outlines the obligations for any organisation involved in critical infrastructure. With the grace period for the Critical Infrastructure Risk Management Program (CIRMP) ending on 17 August 2024, your organisation may now be required to comply with this enforceable regulation.
What Is the SOCI Act?
The SOCI Act provides a framework for managing risks related to critical infrastructure assets. If you own, operate, or are involved in critical infrastructure, this could impact you.
Are You Affected?
If your organisation handles any of the following critical infrastructure assets, you’re required to implement and maintain a written CIRMP:
- Broadcasting
- Domain Name Systems
- Data storage or processing
- Electricity
- Energy market operator
- Gas
- Liquid fuels
- Financial market infrastructure (Payment Systems only)
- Food and grocery
- Hospitals
- Freight infrastructure
- Freight Services
- Water
Your Regulatory Obligations
To stay compliant, you must:
- Identify hazards that pose material risks to your critical infrastructure assets.
- Minimise or eliminate these risks.
- Mitigate the impact of such hazards.
In addition, your organisation is required to submit an annual report on your CIRMP. The first board-approved report must be submitted by 28 September 2024. If your organisation has a governing body, it must approve the report before submission.
Are You in an Impacted Sector?
Beyond critical infrastructure, the SOCI Act also affects organisations in various sectors. You must ensure compliance if you operate within:
- Communications
- Financial services and markets
- Data storage or processing
- Defence industry
- Higher education and research
- Energy
- Food and grocery
- Health care and medical
- Space technology
- Transport
- Water and sewerage
If your organisation is in one of these sectors, you're required to report cyber incidents, maintain a written risk management program, and register with the Federal Register of Legislation.
Resources for Compliance
- Federal Register of Legislation: Security of Critical Infrastructure Act 2018
- Australian Government Department of Home Affairs: SOCI Act Resources
- Australian Signals Directorate: Essential Eight Maturity Model
Beyond SOCI: Strengthening Your Cybersecurity
Even if SOCI doesn't directly apply to you, building a risk management program is a smart move. Identifying and mitigating risks is key to a resilient cybersecurity strategy.
ThreatLocker helps organisations stay SOCI-compliant by offering a free Software Health Report. This report reveals what’s running in your environment and helps mitigate risks like shadow IT, foreign software, and unpatched vulnerabilities.
As a Zero Trust endpoint protection platform, ThreatLocker secures your environment with application allowlisting, ringfencing, endpoint privilege management, network controls, and data storage protection. ThreatLocker also supports compliance with frameworks like Essential Eight, Cyber Essentials, HIPAA, and NIST.
To learn more about how ThreatLocker can fortify your defences, book a demo or sign up for a free trial today.