Security of Critical Infrastructure Act Compliance Services

Your organisation is covered by the SOCI Act. Now you need to actually meet it.

Siege Cyber helps Australian critical infrastructure operators build and maintain the cyber security controls required under the Security of Critical Infrastructure Act 2018. We cover the cyber pillar of your Critical Infrastructure Risk Management Programme end-to-end, from gap analysis through to board reporting.

The Problem With SOCI Act Compliance

The SOCI Act was significantly expanded in 2022. What started as legislation covering a handful of sectors now reaches across 22 asset classes, including data storage, water, energy, transport, financial market infrastructure, and more. If your organisation falls under one of those classes, you are now a responsible entity with real obligations, and the penalties for failing to meet them are serious.

Most organisations we speak to are in one of two situations. Either they know they are covered and are not sure where to start, or they have been told by their legal team or an auditor that they need a Critical Infrastructure Risk Management Programme and they are looking for someone who can actually build it.

The CIRMP has four hazard vectors: cyber security and information security, physical security, personnel security, and supply chain. The cyber security vector is the largest, the most technically complex, and the one that requires a recognised framework like ISO 27001, NIST CSF, or the ASD Essential Eight to underpin it. That is the part where most organisations get stuck, and it is the part we know better than anyone.

What We Deliver

Siege Cyber focuses specifically on the cyber security and information security hazard vector of your CIRMP, because that is where our expertise sits and where most organisations need the most help.

We do not try to be everything to everyone. We are upfront about what sits inside our scope and what requires a specialist in physical security, personnel vetting, or operational technology. That transparency is something our clients consistently tell us they appreciate.

Here is what you get when you engage us for SOCI Act compliance:

  • A cyber security gap analysis mapped against your chosen framework (ISO 27001, NIST CSF, or the ASD Essential Eight), with findings clearly documented and prioritised

  • Development and implementation of the cybersecurity controls required under your CIRMP, aligned to the approved framework

  • Vulnerability assessments and penetration testing of your critical infrastructure IT environment

  • An incident response plan built to meet SOCI's mandatory reporting timelines to the ACSC: 12 hours for critical incidents and 72 hours for other incidents

  • Tabletop exercises to test your team's readiness to respond under pressure

  • Security awareness training for staff who touch critical assets

  • All the policies, procedures, and governance documentation required to support your CIRMP

  • Firewall and cloud security reviews for critical infrastructure IT systems

  • Ongoing vCISO support to maintain your compliance position and deliver the quarterly cyber risk updates to the board that the SOCI Act specifically requires

Not sure which framework your CIRMP should be built on? We can walk you through the options in a free initial conversation. There is no commitment required.


Our Process

We keep engagements structured and predictable. You will always know where you are, what comes next, and what is expected of you at each stage.

  1. Free Initial Consultation - We have a straight conversation about your situation. Which asset class applies to you, what obligations are triggered, what you already have in place, and what gaps are likely. You leave with a clear picture of what is involved.

  2. Scoping and Framework Selection - We confirm the scope of your CIRMP cyber security obligations and agree on the appropriate compliance framework, whether that is ISO 27001, NIST CSF, or the ASD Essential Eight. We document the scope formally so there are no surprises later.

  3. Gap Analysis and Risk Assessment - We conduct a thorough assessment of your current cyber security controls against the chosen framework. We identify gaps, assess your risk exposure across critical assets, and produce a prioritised remediation roadmap.

  4. Control Implementation and Documentation - We work with your team to implement the required controls and develop all supporting documentation: policies, procedures, incident response plans, asset registers, and governance frameworks. The timeline varies with the size and complexity of your environment.

  5. Penetration Testing and Validation (Ongoing or Scheduled) - We test your environment against real-world attack techniques to validate that controls are working as intended and to meet the testing obligations under your CIRMP.

  6. Ongoing vCISO Support and Board Reporting - We provide ongoing support to maintain your compliance position, keep controls current as threats evolve, and produce the quarterly cyber risk reports your directors are required to review under the SOCI Act.


Who This Is For

This service is for Australian organisations that have been identified as responsible entities under the Security of Critical Infrastructure Act 2018, or that reasonably believe they may be covered and need to understand their position.

In practical terms, we work well with:

  • Technology companies, SaaS providers, and data storage or processing organisations that fall under the data storage or processing assets class

  • Mid-sized businesses in regulated sectors (financial services, health, logistics, communications) that have recently received guidance that the SOCI Act may apply to them

  • CTOs and IT managers at organisations with 50 to 500 employees who are managing compliance alongside a busy day job and do not have an in-house security team

  • Boards and leadership teams who have received a notification from the Department of Home Affairs and need a clear, practical response

You do not need to have everything figured out before you call us. Most of our clients come to us at the beginning of the process, when they are still working out what the Act actually requires of them. We are comfortable starting from scratch.

If your environment includes significant operational technology or industrial control systems (SCADA, ICS), we will be upfront with you about where our scope ends and where you will need a specialist OT security provider alongside us.


Why Siege Cyber

There are a lot of firms claiming to do SOCI Act compliance work. Here is what makes our approach different.

We are built for the cyber pillar. The SOCI Act requires your CIRMP to be underpinned by a recognised cybersecurity framework. ISO 27001, NIST CSF, and the ASD Essential Eight are the three approved options. These are the exact frameworks we work with every day. We are not generalist consultants who have added SOCI to a long list of services. This is core work for us.

We have done the groundwork on Australian regulations. We understand how the SOCI Act intersects with related obligations including the Australian Privacy Act 1988, APRA CPS 234, and the Cyber Security Act 2024 ransomware payment reporting requirements. When your compliance picture is more complex than just SOCI in isolation, we can help you see the full picture.

We understand board-level obligations. The SOCI Act places specific obligations on directors, including reviewing quarterly cyber risk reports. Our vCISO service is specifically designed to bridge the gap between technical security work and what your board needs to understand and sign off on.

We are transparent about scope. We will tell you upfront what sits inside our expertise and what requires a different specialist. Physical security assessments, personnel vetting, OT/ICS environments, and formal legal determinations about whether the Act applies to you are all areas where we will point you to the right people. That honesty is rare in this industry.



Frequently Asked Questions

Does the SOCI Act actually apply to my business?
The SOCI Act covers 22 asset classes, including data storage and processing, financial market infrastructure, communications, health, water, energy, and transport. Whether your business is a "responsible entity" depends on the specific nature of your operations and your relationship to a critical infrastructure asset. We can give you a practical read on your situation, but a formal legal determination requires advice from a specialist regulatory lawyer. If you are genuinely unsure, the first step is a conversation with us and, where necessary, a referral to a firm with SOCI legal expertise.

What is a CIRMP and do I need one?
A Critical Infrastructure Risk Management Programme is a structured plan that identifies the risks to your critical infrastructure assets and sets out how you manage them. Responsible entities under the SOCI Act are required to develop and maintain a CIRMP that covers four hazard vectors: cyber security, physical security, personnel security, and supply chain. The cyber security vector is where Siege Cyber focuses.

Which cybersecurity framework should my CIRMP use?
The SOCI Act currently recognises ISO 27001, NIST CSF, and the ASD Essential Eight as approved frameworks for the cyber security hazard vector of your CIRMP. The right choice depends on your existing controls, your sector, and your broader compliance obligations. If you are already pursuing ISO 27001 certification or have existing NIST-aligned controls, it usually makes sense to build your CIRMP around the same framework. We can help you make that call during our initial scoping work.

What are the mandatory incident reporting timelines under the SOCI Act?
Responsible entities must report critical cyber security incidents to the Australian Signals Directorate's Australian Cyber Security Centre (ACSC) within 12 hours of becoming aware of the incident. Other cyber security incidents must be reported within 72 hours. Your incident response plan must be built around these timelines, with clear internal escalation paths, defined roles, and documented procedures. We build this into every CIRMP engagement.

What is the connection between the SOCI Act and the Cyber Security Act 2024?
The Cyber Security Act 2024 introduced mandatory ransomware payment reporting obligations that apply to all entities covered by the SOCI Act. If your organisation makes a ransomware payment, you are required to report it to the government within a defined timeframe. We can help you develop the policies and internal procedures to manage this obligation as part of your broader CIRMP work.

Do I need to manage all four hazard vectors of my CIRMP with the same consultant?
No. It is entirely reasonable, and in most cases practical, to engage different specialists for each hazard vector. Physical security and environmental risk assessment require a different skill set from cyber security. Personnel vetting and workforce screening sit with specialist providers. We focus on the cyber security and information security hazard vector, which is typically the largest and most complex component of the CIRMP. We are happy to work alongside your physical security advisers, HR consultants, and legal team.

How long does a SOCI Act CIRMP engagement typically take?
The initial gap analysis and framework selection can usually be completed within three to four weeks. Building out the full CIRMP documentation, implementing controls, and completing penetration testing typically takes three to six months depending on the size and complexity of your environment. Ongoing vCISO support continues from there. We give you a realistic timeline at the outset so you can plan accordingly.


Ready to Take This Seriously?

If the SOCI Act applies to your organisation, you have real obligations and the clock is already running. The good news is that the cyber security component of your CIRMP is manageable with the right partner alongside you.

We offer a free 30-minute initial consultation. In that call, we will look at your situation honestly, give you a clear sense of what is involved, and tell you exactly how we can help. No obligation, no sales pitch, just a straight conversation.