What SOCI Regulated Entities Actually Need to Do
For many organisations falling under the Security of Critical Infrastructure (SOCI) Act, the introduction of the Critical Infrastructure Risk Management Program (CIRMP) obligations has created more confusion than clarity.
Boards are signing declarations. Security teams are chasing templates. Executives are fielding compliance updates with rising urgency. And still, many organisations are asking the same question: What exactly are we required to do and how do we know we’ve done it properly?
Let’s break it down clearly, practically, and with a focus on what GRC4 sees in the field.
The CIRMP Rule in Plain English
Introduced under the 2022 amendments to the SOCI Act, the CIRMP rule requires certain critical infrastructure entities to establish, implement, and maintain a documented risk management program that:
- Takes an all-hazards approach to security risks (not just cyber)
- Is proportionate to the size, complexity, and risk profile of the asset
- Includes governance and oversight by accountable decision-makers
- Is reviewed annually and approved by the board (or equivalent)
That’s the legislative intent, but what does that actually look like in practice?
Four Risk Domains, One Framework
The SOCI CIRMP Rule requires organisations to address security risks across four specific domains:
- Physical Security and Natural Hazards: e.g. unauthorised access, vandalism, protest disruption, flood, fire, storms
- Cyber and Information Security: e.g. ransomware, data breaches, system availability failures
- Personnel Security: e.g. insider threats, unauthorised access by staff or contractors
- Supply Chain and Outsourcing Risk: e.g. third-party service provider vulnerabilities, single points of failure
Your CIRMP must show that you’ve identified, assessed, and applied appropriate controls across all four areas. Not one or two. All of them.
And importantly, it’s not enough to say, “we’re compliant.” You need to demonstrate how risks are being managed, mitigated, and monitored in each domain, aligned to ISO 31000 principles and proportionate to your risk exposure.
What GRC4 Sees in Practice
GRC4 has worked with a range of SOCI-regulated entities, from government water utilities to private sector data centres, and we consistently see five areas where confusion, gaps, or false confidence emerge.
1. Overreliance on Cyber-Only Controls
Many organisations assume that because they have an Information Security Management System (ISMS) or follow ISO 27001, they’re already compliant.
Not quite. The CIRMP is broader: it requires integration of physical and operational risk, not just IT. A secure firewall doesn’t mitigate risks like tailgating, protest activity, or unvetted contractors on site.
We help clients by mapping their cyber posture against the other three domains to ensure the program is balanced and complete.
2. No Clear Owner for the CIRMP
Too often, CIRMP accountability is split across teams: risk owns one part, cyber owns another, legal tracks the compliance requirement, and no one sees the full picture.
CIRMP governance requires clear, named ownership, both operationally and at board level. Someone needs to coordinate input, keep the document live, and report on progress. We often work with CISOs or Chief Risk Officers to clarify and document this structure.
3. Poor Integration with Existing Frameworks
Many organisations have risk registers, security plans, and compliance programs already in place. The CIRMP isn’t asking for a whole new system; it’s asking for those pieces to be connected, documented, and governed under a unified framework.
We frequently assist clients in integrating existing ISO 27001, ISO 22301, or PSPF/ISM controls into their CIRMP so they’re not reinventing the wheel but linking it all together.
4. Static, One-Off Assessments
CIRMP obligations include annual board sign-off and ongoing improvement. A one-off consultant report from 2022 doesn’t meet the requirement. Nor does a document that’s never reviewed, updated, or tested.
CISC (the regulator) expects live risk programs, ongoing treatment tracking, and regular reassessments, especially when the threat landscape changes. We often support clients with annual reviews or scenario testing to meet this standard.
5. Lack of Scenario-Based Thinking
It’s not enough to list threats. The program must demonstrate how the entity plans to prevent, respond to, and recover from events that could materially impact critical infrastructure services.
This includes scenario planning. What if a flood knocks out your generator? What if a contractor bypasses access controls? What if your supplier’s systems are compromised?
We help clients build scenario-based assessments and treatment plans, often using tabletop exercises or response drills, to validate real-world readiness.
What CIRMP Compliance Requires (And What It Doesn’t)
There’s a lot of noise around CIRMP obligations. So let’s make a few things very clear.
✅ What You Do Need:
- A structured document that addresses risks across all four domains
- A documented methodology for identifying, assessing, and treating risk
- Clear evidence of controls in place (not just plans to improve)
- Governance structures showing oversight, review, and accountability
- Board approval annually, and proof of review cycles
- Proportionality: the program must reflect your actual risk exposure, not just use generic templates
❌ What You Don’t Need:
- A 200-page report full of jargon and legalese
- A brand-new GRC platform (though software can help)
- To duplicate existing compliance work if it’s already aligned
- To do it all at once; maturity pathways are acceptable when documented
- To go it alone without support or external guidance
The goal is not to create more paperwork. The goal is to build and demonstrate a mature, operationally integrated approach to critical risk management.
GRC4’s Compliance Enablement Model
At GRC4, we don’t just run risk workshops and hand over a template. We support clients with an end-to-end compliance enablement model designed around the real-world operational needs of critical infrastructure entities.
Here’s how we deliver:
1. CIRMP Templates and Frameworks
We provide board-ready CIRMP templates that are aligned to ISO 31000 and the SOCI Rule. These include:
- Threat domain mapping
- Risk assessment matrices
- Control libraries
- Roles and responsibilities structure
- Annual review and sign-off guidance
- Gap analysis against existing controls
2. On-Site and Desk-Based Assessments
We conduct physical and operational site visits where appropriate, and desktop reviews where needed, tailoring the level of effort to your budget, asset size, and complexity.
3. Stakeholder Facilitation
We bring together internal stakeholders from cyber, operations, legal, safety, and executive leadership to ensure the CIRMP reflects a shared understanding of risk and accountability.
4. Board Alignment and Briefing Support
We provide executive summaries and board presentations as part of our deliverables, helping ensure leadership not only signs off but understands its obligations.
5. Ongoing Support Options
We can support periodic updates, integrate CIRMP findings into enterprise risk registers, and offer re-engagement annually to ensure your documentation stays aligned with threat evolution and regulatory expectations.
Why This Matters: Beyond the Regulator
Yes, CIRMP is a compliance requirement. But it’s also a strategic opportunity.
Organisations that approach CIRMP with the right mindset gain:
- A clearer understanding of critical dependencies and vulnerabilities
- Improved coordination between departments
- Greater executive visibility over systemic risk
- More defensible positions in the face of regulator or auditor scrutiny
- Better decision-making in the face of emerging threats
In short: CIRMP done right improves your whole-of-business resilience. It isn’t just for the regulator. It’s for you.
Final Thought
CIRMP compliance doesn’t have to be overwhelming, but it does have to be done properly.
The stakes are too high, and the scrutiny too real, for organisations to rely on generic templates, siloed assessments, or once-a-year paperwork cycles. Today’s threat environment demands integrated, operationalised, and well-governed risk programs that speak to leadership and stand up to inspection.
At GRC4, we help critical infrastructure owners and operators move from confusion to clarity. From fragmented documentation to unified strategy. From reactive risk reviews to proactive governance.
Because compliance is just the beginning. Confidence is the goal.