SOCI Rules — CIRMP, notification of cyber security incidents, and asset register rules
The SOCI Rules sit underneath the Security of Critical Infrastructure Act 2018 (Cth) and set the operational detail of the regime — which assets are captured, what a CIRMP must contain, and when cyber incidents must be reported. This guide sets out 10 rules-level obligations across the Application Rules, the CIRMP Rules 2023, and the incident notification rules.
Coverage
Responsible entities for assets captured by the Security of Critical Infrastructure (Application) Rules 2021 and the CIRMP Rules 2023. Scope is narrower than the Act — not every SOCI asset triggers a CIRMP or incident reporting obligation. Rules are updated regularly, so applicability must be reassessed.
Legal basis
Security of Critical Infrastructure (Application) Rules 2021; Security of Critical Infrastructure (Critical Infrastructure Risk Management Program) Rules 2023; Security of Critical Infrastructure (Definitions) Rules 2021. Each set of rules is a legislative instrument made under s 61 of the SOCI Act.
The obligations
Confirm rules-level applicability before treating the asset as out of scope
The Application Rules specify thresholds (e.g. throughput, customer numbers, revenue) that determine whether a captured asset type is in scope for CIRMP or incident reporting. Rules-level applicability is assessed separately from the Act.
Address all four hazard categories in the CIRMP
The CIRMP must address cyber and information security hazards, physical security hazards, personnel hazards, and supply chain hazards. Each category must have documented controls, risk assessments, and residual risk evaluations.
Adopt a recognised cyber framework at the required maturity
The cyber hazard component must be aligned to ASD Essential Eight (Maturity Level One minimum), NIST CSF, ISO/IEC 27001, AESCSF, or an equivalent framework determined by CISC. The chosen framework and maturity level must be documented.
Review and update the CIRMP at least annually
The CIRMP must be reviewed at least annually and updated whenever a material change occurs (e.g. new asset, new material third party, material incident, or change in regulatory guidance).
Submit a board-signed annual report
The responsible entity must submit an annual report to CISC within 90 days of the end of the Australian financial year, signed by the board and confirming that the CIRMP was up to date and was complied with.
Report critical cyber incidents within 12 hours
A cyber security incident having a significant impact on the availability of an asset must be reported to the ASD within 12 hours (orally or in writing). A written report must follow within 84 hours if the initial report was oral.
Report other reportable cyber incidents within 72 hours
Cyber incidents with a relevant impact (but not a significant impact) must be reported to the ASD within 72 hours. A written report must follow within 48 hours of an oral report.
Keep and update operational information in the Register
Operational information (e.g. ownership, location, systems) must be notified within 30 days of becoming a responsible entity and updated within 30 days of any material change. The Register is non-public.
Treat rules-level personnel hazards seriously
The CIRMP must identify personnel risks, including those relating to insider threat, background checking, and offboarding. Critical workers performing critical tasks must be identified, and controls calibrated to role risk.
Preserve all CIRMP and incident records for five years
Risk assessments, control evidence, incident reports, and internal review documents must be preserved for at least five years — or longer where another regime applies (e.g. privacy, financial services).
What happens if you do not comply
Civil penalties up to 1,000 penalty units (body corporate) per contravention. Continuing contraventions carry daily penalties. Failure to comply with an Action Direction or Intervention Request attracts higher penalties and potential criminal offences.
Reporting requirements
12-hour and 72-hour cyber incident reports to ASD. Annual board-signed CIRMP report to CISC. Register updates within 30 days. System of National Significance entities have additional statutory exercise and vulnerability reporting obligations.
What firms should do today
- Run an annual rules-applicability check — rules thresholds change without Act-level amendment
- Build a control-to-framework mapping so the annual CIRMP report is evidence-ready
- Pre-position ASD contact paths and incident templates so 12-hour reporting is achievable
- Identify critical workers and apply role-based personnel controls
- Track material changes (new vendor, new system) and trigger a CIRMP refresh
- Align incident definitions so operational teams know when a 12-hour versus 72-hour clock starts
Compliance with Quillio
Quillio drafts CIRMP documentation, board reports, and 12-hour / 72-hour incident notification templates aligned to the current SOCI Rules. Australian-hosted infrastructure means critical-infrastructure data stays in jurisdiction. See /practice-areas/commercial-lawyers or start a free trial.
This guide is general information about the SOCI Rules — not legal or compliance advice. Rules are amended regularly and applicability is asset-specific. Obtain specialist advice before concluding that an asset is out of scope or that a framework mapping is complete.