
Supporting Industry – Addressing the questions raised at the Town Hall (30 July 2024)

Cyber and Security Frameworks

Differences between Frameworks

Responsible entities that are subject to the Critical Infrastructure Risk Management Plan obligation must adopt and maintain a cyber security framework as per section 8 of the Security of Critical Infrastructure (Critical Infrastructure Risk Management Plan) Rules (SOCI CIRMP Rules).

The CISC is aware that the five listed frameworks each offer different benefits. Responsible entities should select the cyber security framework that best addresses the risk vectors that threaten their critical assets.

The cyber security framework obligation sets the baseline for cyber security in critical infrastructure assets. We encourage responsible entities to go beyond their legislative obligations and to consider exceeding the maturity levels listed in the SOCI CIRMP Rules.

Alternative Frameworks

The five frameworks listed in the SOCI CIRMP Rules are not exclusive. Responsible entities can use an alternative framework if they consider it better addresses the risk vectors threatening an entity’s critical assets. An alternative framework may include a newer version of one of the five listed frameworks, or a framework that is not listed in the SOCI CIRMP Rules at all.

For instance, if state legislation prescribes a specific cyber security framework that is not listed in the SOCI CIRMP Rules, the responsible entity can apply the prescribed framework as an alternative framework. A responsible entity that uses an alternative framework must specify in its CIRMP the equivalent framework used and the decision-making process showing how that framework best addresses the cyber hazard.

Updates to legislation

The cyber security framework obligation sets the cyber security baseline for critical infrastructure assets. The implementation of an approved cyber security framework will ensure a consistent level of cyber security maturity. Over time this baseline may be increased through legislative change.

The SOCI CIRMP Rules can be updated through ministerial instruments following public consultation. As new versions of the existing five cyber security frameworks are released, the CISC will consider whether the SOCI CIRMP Rules require updating.

If responsible entities propose a new cyber security framework that achieves the required cyber security maturity and demonstrates equivalence with the listed standards, we will consider whether it should be added to the list of existing cyber security frameworks.

CIRMP Annual Report

Security framework vs cyber security framework

The annual report form includes questions about both cyber security frameworks and security frameworks. Responses to these questions will help inform government about the frameworks in use by industry, and industry maturity against those frameworks. For the 2023-24 financial year, compliance with a prescribed cyber security framework is not mandatory; the obligation begins after 17 August 2024. To read more about this, visit SOCI Compliance - CIRMP Annual Report and Cyber Security Frameworks.

Feedback on CIRMP Annual Reports

The CISC will give general feedback to industry on the CIRMP Annual Report process. This includes insights into the level of reporting and compliance with the CIRMP obligation, and will be similar to the 2023 CIRMP voluntary annual report update. It will give a sector breakdown and information about whether reports were of a satisfactory standard and areas of potential improvement. The CISC will share only insights and general information, so as to prevent unauthorised disclosure of protected information.

Board approval on CIRMP Annual Report

The required elements of a CIRMP annual report must be approved by the board, council or other governing body of the critical infrastructure entity. A responsible entity must submit its CIRMP annual report to the relevant Commonwealth regulator on an approved form. The form may change from time to time, but the elements requiring governing body approval are specified in legislation at section 30AG(2)(c) and (d) of the SOCI Act.

Critical Infrastructure regulation

Sharing information with other regulators

The CISC is progressively working with other Commonwealth regulators to set up formal arrangements for sharing protected information. These arrangements will also guide the use of powers under the SOCI Act and other sector-specific legislative frameworks.

Critical Infrastructure Incidents

There is no way to avoid every risk or protect against all possible incidents. Some risk must be accepted, and its impact mitigated as far as practicable. The CISC does not expect responsible entities to exercise control over other entities or over situations where this is not possible. The CISC asks that entities mitigate material risks as far as is practicable. This may require re-examining existing contracts and reconsidering supply chain and procurement methods. The CIRMP ensures that measures are in place to address hazards that could impair, stop or slow an asset, not to remove all potential risk.

Compliance auditing

Audit process

The CISC will release guidance in the future to help responsible entities better understand the CISC's audit process. It will also enable entities to self-assess their compliance with SOCI obligations. When undertaking audits, the CISC will consider whether an entity's self-assessment was reasonable. In general, an independent third-party audit report commissioned by the governing body is considered best practice, and entities are encouraged to attach the results of such audits to their annual report. Where such a report is provided, the likelihood of the entity being selected for audit will be reduced, given the higher level of assurance being provided to the CISC.

TISN Survey and Trial audit results

We conducted a survey of TISN members in early 2024. The survey used a scale of fully, mostly, partly or non-compliant for self-assessing anticipated compliance with the CIRMP cyber security framework deadline. A limited series of trial audits was also started in early 2024 and is ongoing.

The CISC will, at a later date, release guidance based on the results of the trial audits, including the process used to determine maturity level and compliance rating.

Non-compliance

Where a responsible entity believes it will be non-compliant with the CIRMP cyber security framework requirement after 17 August 2024, the entity should provide the following information:

  • components of the cyber security framework in place
  • outstanding components of the cyber security framework
  • any roadblocks that are preventing full compliance
  • a Board-approved plan and timeframe for coming into compliance, with periodic progress reporting on achieving compliance

The CISC will review the reasons and circumstances for non-compliance as part of our compliance and enforcement activities. We will also monitor periodic progress reporting to ensure entities become compliant as soon as possible.

The CISC does not have the ability to grant extensions of time for entities to meet their SOCI obligations. Engage proactively and contact the CISC via enquiries@CISC.gov.au