How Scrutex Supports SOCI Act Compliance for Critical Infrastructure

Executive Summary

The SOCI Act requires critical infrastructure entities to implement a Critical Infrastructure Risk Management Programme (CIRMP) covering cyber, personnel, supply chain, and physical security. The CIRMP requires adopting a recognised cybersecurity framework. Scrutex supports the cyber component of the CIRMP with continuous external monitoring, supply chain risk management, threat intelligence, and compliance reporting for annual CIRMP reports.

About SOCI Act

The SOCI Act was significantly expanded in 2021-2022 to cover 11 critical infrastructure sectors. The CIRMP obligation requires risk management across cyber, personnel, supply chain, and physical security. Government assistance measures allow ASD intervention in serious incidents. Annual CIRMP reports must be submitted to sector regulators.

Geographic and Sector Applicability

The Act applies to responsible entities that own or operate critical infrastructure assets across 11 defined sectors. It covers utilities, banks, hospitals, universities, data centres, and transport operators, among others.

Who Should Care

Board

The CIRMP must be approved by the board or governing body.

CISO

Owns the cyber component of the CIRMP.

Chief Risk Officer

CIRMP is a risk management programme requiring CRO oversight.

Supply Chain / Procurement

CIRMP explicitly covers supply chain risks.

Key Risks of Non-Compliance

  • Civil penalties for failure to maintain a CIRMP.
  • Government intervention powers under the assistance measures.
  • Sector regulator enforcement actions.
  • Annual reporting failures creating regulatory scrutiny.

Common Compliance Gaps

Insufficient External Visibility

Critical infrastructure operators need comprehensive visibility of their internet-facing exposure to manage cyber risk effectively.

Supply Chain Blind Spots

The CIRMP requires supply chain risk management. Many operators lack continuous monitoring of their technology supply chain.

How Scrutex Supports SOCI Act Compliance

Scrutex capabilities mapped to SOCI Act requirements.

CIRMP cyber risk management requires identifying and managing external exposure. Scrutex discovers and monitors critical infrastructure systems visible from the internet.

Scrutex Capabilities

  • Critical infrastructure exposure detection
  • Vulnerability assessment
  • Configuration monitoring

Requirements Addressed

  • CIRMP: Cyber risk identification and management

Critical infrastructure is a priority target. Scrutex monitors for credentials, leaked data, and threat intelligence targeting infrastructure sectors.

Scrutex Capabilities

  • Infrastructure credential monitoring
  • Dark web surveillance
  • Telegram monitoring

Requirements Addressed

  • CIRMP: Cyber threat detection

CIRMP explicitly covers supply chain risk. Scrutex provides continuous monitoring of technology supply chain partner security posture.

Scrutex Capabilities

  • Supply chain security monitoring
  • Vendor risk scoring

Requirements Addressed

  • CIRMP: Supply chain risk management

Critical infrastructure faces nation-state and criminal threats. Scrutex provides curated intelligence including ransomware tracking and threat actor campaigns.

Scrutex Capabilities

  • Ransomware intelligence
  • Threat actor tracking
  • Critical infrastructure IOC feeds
  • Campaign monitoring

Requirements Addressed

  • CIRMP: Threat awareness and preparedness

Compliance Reporting

Annual CIRMP reports require documented evidence of cyber risk management. Scrutex provides structured reporting aligned with CIRMP requirements.

Scrutex Capabilities

  • CIRMP annual report evidence
  • Board-level reporting
  • Sector regulator documentation

Requirements Addressed

  • Annual CIRMP reporting obligation

Quick-Start Compliance Checklist

1. Run external discovery for critical infrastructure assets.
2. Onboard supply chain partners into Vendor Insights.
3. Activate Data Exposure Insights for infrastructure credentials.
4. Enable critical infrastructure threat intelligence.
5. Generate CIRMP-aligned annual report evidence.

Summary

The SOCI Act creates binding obligations for critical infrastructure entities to manage cyber and supply chain risks. The CIRMP requirement demands structured, ongoing risk management. Scrutex supports SOCI compliance with continuous external monitoring, supply chain oversight, threat intelligence, and the compliance reporting needed for annual CIRMP reports.

Related Regulations and Standards

APRA CPS 234: Financial infrastructure entities face both.

Privacy Act / NDB: Data breaches trigger both frameworks.

Cyber Security Act 2024: New law complements SOCI obligations.

ISM: Government entities align with both ISM and SOCI.

Ready to Strengthen Your Compliance Posture?

Book a personalised demonstration and receive a complimentary external exposure assessment.