Security of Critical Infrastructure Act
The legislative framework that imposes cyber-security and risk-management obligations on responsible entities across 11 critical-infrastructure sectors.
What SOCI Act actually is.
The SOCI Act sets the baseline obligations for Australia's 11 critical-infrastructure sectors including communications, data storage and processing, financial services, water, healthcare, higher education, food and grocery, transport, space, defence industry, and energy. Key obligations include a register of critical-infrastructure assets, mandatory cyber-incident reporting, a Risk Management Program (CIRMP) and, for Systems of National Significance, enhanced cyber-security obligations agreed directly with the Minister.
"Responsible entities" for assets across 11 critical-infrastructure sectors. A separate class of "Systems of National Significance" carries additional obligations.
The control areas the framework covers.
Summary of the control families and outcomes the framework drives. Always validate against the official publication for the authoritative wording.
-
01
Register of critical-infrastructure assets
Provide operational and ownership information to the Register maintained by the CISC.
-
02
Cyber-incident reporting
Notify the ACSC within 12 hours of a critical incident and 72 hours of any other reportable incident.
-
03
Risk Management Program (CIRMP)
Identify and mitigate hazards across cyber, personnel, physical and supply-chain domains.
-
04
Enhanced cyber-security obligations
For Systems of National Significance only - vulnerability assessments, system-information periodic reporting, and cyber-security exercises.
Read it from the issuing body.
For anything with a regulator or certification body behind it, the authoritative text is what counts - not our summary.
Security of Critical Infrastructure Act
cisc.gov.au/legislation-regulation-and-compliance
Content on this page is a plain-language summary for programme planning. It is not legal or regulatory advice, and it does not replace a current copy of the issuer's publication.
How Vectra delivers against SOCI Act.
Assessment, engineering and operational services that line up with the framework's control areas.
Managed Detection & Response
Sovereign Australian XDR powered by nine global SOCs, AWS Australia hosting and 24x7 human-verified response.
Incident Response Retainer
Contracted response hours with defined SLAs - containment in minutes, not days.
Penetration Testing
Find it before the attackers do - CREST-certified engagements that deliver actionable findings, not compliance checkboxes.
Virtual CISO
Fractional security leadership embedded with your executive team.
Where SOCI Act shows up.
Sectors where Vectra most commonly applies this framework. Click through for the industry-specific program view.
Critical Infrastructure
SOCI Act-aligned OT/ICS cybersecurity for energy, water, telecommunications, transport and data-storage operators.
Aviation & Logistics
Cybersecurity for airports, airlines, freight forwarders, ports and supply-chain operators under SOCI, MTOFSA and ICAO.
Healthcare & Pharma
Cybersecurity for hospitals, health services, life-sciences and aged care - where patient safety and sensitive health data never pause.
Banking & Finance
APRA CPS 234 and CPS 230 aligned cybersecurity for banks, insurers, superannuation funds and RSE licensees.
Security, engineered around you.
Talk to an engineer - not a call centre. Most Vectra conversations start with a 30-minute technical briefing and end with a written plan.