Critical Infrastructure Risk Management Program
The risk-management program that responsible entities must establish under the SOCI Act across cyber, personnel, physical and supply-chain hazards.
What CIRMP actually is.
The Security of Critical Infrastructure (Critical infrastructure risk management program) Rules 2023 (the CIRMP Rules) operationalise the SOCI Act's risk-management program obligation. A responsible entity must establish, maintain and comply with a written program that identifies material risks to the asset and, so far as is reasonably practicable, minimises or eliminates them across four hazard vectors - cyber and information security, personnel, physical security and natural hazards, and supply chain. The cyber element must be aligned with one of a permitted set of frameworks (AESCSF, Essential Eight at Maturity Level One or higher, NIST CSF, ISO/IEC 27001 or an equivalent framework). The program must be reviewed regularly, and an annual report approved by the board or governing body must be submitted each financial year.
The obligation applies to responsible entities for critical-infrastructure assets captured under the CIRMP Rules - including water, energy, financial market infrastructure, data storage and processing, food and grocery, hospitals and transport.
The control areas the framework covers.
Summary of the control families and outcomes the framework drives. Always validate against the official publication for the authoritative wording.
01 Cyber hazards
Adopt and maintain a permitted cybersecurity framework - AESCSF, Essential Eight at Maturity Level One or higher, NIST CSF, ISO/IEC 27001 or an equivalent - and apply it to the asset's cyber and information security risks.
02 Personnel hazards
Minimise the risk from insiders and contractors through vetting, access management and ongoing suitability checks for people with access to critical components.
03 Physical and natural hazards
Identify and mitigate natural hazards and hostile physical acts that could disrupt the asset, including unauthorised access to the premises and control systems.
04 Supply chain hazards
Understand the asset's supply chain dependencies and how those dependencies could be exploited or disrupted, and mitigate the material risks they introduce.
05 Annual attestation
Review the program, keep it up to date and submit a board-approved annual report to the Department of Home Affairs within 90 days after the end of each financial year.
Read it from the issuing body.
For anything with a regulator or certification body behind it, the authoritative text is what counts - not our summary.
Critical Infrastructure Risk Management Program
cisc.gov.au/legislation-regulation-and-compliance/cirmp
Content on this page is a plain-language summary for programme planning. It is not legal or regulatory advice, and it does not replace a current copy of the issuer's publication.
How Vectra delivers against CIRMP.
Assessment, engineering and operational services that line up with the framework's control areas.
Virtual CISO
Fractional security leadership embedded with your executive team.
ASD Essential Eight
Reach Maturity Level 3 across the ACSC's eight prioritised mitigation strategies. CIRMP only requires Maturity Level One as the cyber framework baseline; Level 3 goes beyond the minimum.
Managed Detection & Response
Sovereign Australian XDR powered by nine global SOCs, AWS Australia hosting and 24x7 human-verified response.
Penetration Testing
Find it before the attackers do - CREST-certified engagements that deliver actionable findings, not compliance checkboxes.
Where CIRMP shows up.
Sectors where Vectra most commonly applies this framework. Click through for the industry-specific program view.
Critical Infrastructure
SOCI Act-aligned OT/ICS cybersecurity for energy, water, telecommunications, transport and data-storage operators.
Aviation & Logistics
Cybersecurity for airports, airlines, freight forwarders, ports and supply-chain operators under SOCI, MTOFSA and ICAO.
Healthcare & Pharma
Cybersecurity for hospitals, health services, life-sciences and aged care - where patient safety and sensitive health data never pause.
Security, engineered around you.
Talk to an engineer - not a call centre. Most Vectra conversations start with a 30-minute technical briefing and end with a written plan.