CIRMP enhances cybersecurity compliance standards

The Security of Critical Infrastructure Act 2018 (SOCI Act) includes the Critical Infrastructure Risk Management Programme (CIRMP) as a key element. Starting 1 July 2024, responsible entities must submit their initial CIRMP Annual Report by 28 September 2024. This report will comprehensively outline the cyber and information security framework for the financial year 2024-2025.

Entities must adhere to the cyber and information security framework requirements by 17 August 2024. By following the CIRMP requirements, organisations strengthen the resilience and security of critical infrastructure, safeguard national interests, and boost public trust in essential services.

Cybersecurity framework compliance

  1. Cyber and Information Security Framework

Entities must incorporate a strong cyber and information security framework within their CIRMP. This framework must outline the processes that manage risks and the security measures that comply with the SOCI Act. Deputy Secretary Hamish Hansford emphasised that thorough risk assessment protocols and incident response strategies are required by the framework to protect critical infrastructure. During the Town Hall on 30 July 2024, Hansford stated, “The cyber and information security framework is critical in ensuring that all aspects of risk management are covered comprehensively.” 

  2. Annual Report Compliance

The CIRMP Annual Report should demonstrate that the entity adheres to the stipulations set forth by the SOCI Act. Thorough documentation of cybersecurity measures, comprehensive risk assessments, and effective mitigation strategies is essential. The report must discuss any incidents or near-misses and detail the measures implemented to mitigate vulnerabilities. This requirement ensures clarity and responsibility in managing significant infrastructure risks.

  3. Regulatory Compliance Posture

The SOCI Act underscores the significance of upholding a regulatory compliance stance that includes following designated security standards and practices. This stance requires organisations to consistently revise risk management approaches, adapt to shifts in the threat environment, and maintain continuous alignment with the evolving stipulations of the SOCI Act. The Town Hall focused on this crucial aspect and underscored the importance of organisations remaining aligned with regulatory expectations.

Reinforcing public sector cybersecurity

The CIRMP greatly improves cybersecurity within the public sector by fostering a culture of proactive risk management. Organisations must systematically evaluate and tackle vulnerabilities, which in turn minimises the chances of cyber incidents that could interfere with critical services.

  • Holistic Risk Management: The CIRMP promotes a holistic strategy that connects cybersecurity elements into wider operational structures for managing risk. This approach enhances the ability to withstand cyber threats, which upholds public confidence and ensures effective service delivery.
  • Enhanced Collaboration: The CIRMP enhances communication between critical infrastructure organisations and government regulatory bodies. Consistent reporting and interaction foster a collective awareness of the threat environment and motivate joint initiatives to enhance security protocols.
  • Accountability and Governance: Reports approved by the board foster a culture of accountability among leaders within the organisation. This governance framework ensures that decision-making processes prioritise cybersecurity, enhancing resource allocation and strategic planning.

Guidance for compliance

The Cyber and Infrastructure Security Centre (CISC) assists and directs organisations as they implement and comply with the Critical Infrastructure Risk Management Programme (CIRMP). The CISC acknowledges the necessity of delivering prompt support to responsible organisations to ensure they can manage risks effectively and uphold the resilience of essential infrastructure assets. The CISC urges responsible entities to proactively connect with the Centre if they foresee challenges in meeting CIRMP requirements.

The CISC states, “Proactive engagement with our team ensures that responsible entities can develop a comprehensive forward plan for achieving compliance.” Engaging with the CISC at an early stage allows organisations to collaborate effectively and craft customised solutions and strategies to navigate compliance challenges. This method prompts actions and executes essential steps to adhere to timelines and uphold compliance with regulations.