On-Premise GRC Software on Singapore GCC: A 2026 Guide
On-premise GRC software on Singapore GCC: deployment models, IM8 compliance, and platforms (Cyber Sierra, ServiceNow IRM, Archer, IBM OpenPages) ranked by GCC readiness.
AI Trailblazer AwardWinner, Smart Nation Singapore & Google
If you’re an Australian organization handling critical infrastructure assets, you have less than three months to be CIRMP (Critical Infrastructure Risk Management Program) compliant! All responsible entities must implement a risk management program as per CIRMP rules by 17 August 2023.
Here’s a quick lowdown on the CIRMP rules. Read on to know if you need to comply, and, if yes, what should you implement before the deadline to meet the core CIRMP requirements.
For the uninitiated, on 17 February 2023, the Australian Government introduced the CIRMP rule. Governed by the Security of Critical Infrastructure Act 2018 (SOCI Act), this is the latest rule introduced by the Australian government to safeguard the country against global cyber threats and uplift the core security practices of critical infrastructure (CI) assets.
CIRMP stands for Critical Infrastructure Risk Management Program. It is a set of requirements that entities responsible for critical infrastructure assets (CIAs) must meet under the Security of Critical Infrastructure Rules 2023 in Australia.
The rule states that entities responsible for CIAs must implement a critical infrastructure risk management program by 17 August 2023.
A material risk as per CIRMP is a risk that has a significant impact on the ability of a critical infrastructure asset to perform its critical functions. This could include risks that could lead to the impairment, stoppage, loss of access to, or interference with the asset.
Section 6 (a-e) of the Rules provides the parameters of a material risk.
The Australian Cyber Security Centre (ACSC) has provided some guidance on what constitutes a material risk in the context of the CIRMP. This guidance includes the following factors:
The concept of material risk, however, isn’t absolute and each entity will need to assess the risks to its own assets on a case-by-case basis.
Here are some examples of material risks that could affect critical infrastructure assets:
A cyber attack that could disrupt or disable the asset’s IT systems.
A physical attack that could damage or destroy the asset.
A natural disaster that could cause the asset to be unavailable.
A human error that could lead to the asset being misused or damaged.
The CIRMP requires entities responsible for critical infrastructure assets to identify and assess the material risks to their assets. This assessment should be documented in the CIRMP and should be reviewed and updated on a regular basis. The entity should also implement measures to mitigate the material risks to its assets.
A ‘material risk’ to a critical infrastructure asset occurs when the risk has a
‘relevant impact’ on the asset. Section 6 (a-e) of the Rules provides the parameters
of a material risk.
These include the risk of impairment, stoppage, loss of access to or interference
with the asset.
What is a relevant impact?
A ‘relevant impact’ is an impact on the availability, integrity, and reliability of the
asset, and the impact on the confidentiality of information about the asset,
information stored in the asset if any, and, if the asset is computer data, the
computer data.
The relevant impact may be direct or indirect. It must be more serious than a
reduction in the quality of service being provided.
The CIRMP rule is important because it helps Australia’s critical infrastructure entities uplift their core security practices that relate to managing their critical infrastructure assets. It does so helping create a robust and proactive risk management program for organizations.
Market disruptions have increased the adoption of digital transformation among many businesses. While technologies such as automation, data processing, cloud, and AI improve productivity, security threats are also growing in intensity and complexity.
So, when your CI asset is disrupted by security threats, it can affect your business, the government, and the community. All of this can even damage the country’s economic growth.
Therefore, the only goal of CIRMP is to help Australian entities such as yours create a solid security program that will uplift the core security practices of your CI assets. When you have a strong security program as per the CIRMP rules, it’ll help you to,
To fully understand how the CIRMP rule came into place, you must know what the SOCI (Security of Critical Infrastructure) 2018 Act is about.
Compliance with CIRMP rules is not merely a matter of checking boxes; it is an ongoing process that requires organizations to fully implement and abide by the law’s principles. The CIRMP rules demand a comprehensive approach, with a particular emphasis on fortifying the cybersecurity of critical infrastructure.
This endeavour necessitates the collective effort of the entire vendor ecosystem, urging them to address any shortcomings and improve their practices.
The SOCI Act was amended in 2018 to improve the resilience of CI assets against security threats through carefully laid regulatory reforms and amendments. It was passed in two phases,
Together these two amendments form a framework with the following features:
Government Direction and Intervention (in effect since Dec 2021)
Positive Security Obligations – What Responsible Entities Need to Do to Ensure Compliance?
The CIRMP rules apply to all Australian entities that own and manage critical infrastructure assets. The Australian government has outlined 11 critical infrastructure sectors and 22 categories of CI assets that must comply with CIRMP, including entities that manage CI assets. This includes critical financial services assets, critical energy assets, and others.
For detailed definitions of asset rules, click here.
Organizations can comply with Australia’s CIRMP rules by following these four steps:
Step 1 – Describe CIRMP requirements based on your CI assets
Step 2 – Define the four key hazard vectors of your CI assets
Step 3 – Submit annual reports to the Commonwealth regulator
Step 4 – Maintain, review, and update CIRMP
Organizations must develop, maintain and update their CIRMP. Here’s a detailed overview of how you can achieve each of these steps.
Here’s a basic list of what you need to complete to develop your CIRMP.
Before you proceed further, here’s a quick look at the hazards that must be covered.
Here’s how you can identify hazards that pose material risks to your CI assets and mitigate their impact.
This comprises risks to your digital systems, computers, datasets, and networks that can affect the working of your CI assets. You need to state the cyber and information security hazards that could impact your CI assets.
Some of the biggest cyber threats include,
To minimize and eliminate these risks, as a responsible entity you must,
Here are some of the cyber frameworks you can consider implementing. Make sure to follow one that is appropriate for your CI assets. Note that there are no restrictions related to frameworks; if these aren’t suitable, you can choose a different one.
Personnel hazards cover workers and contractors who access sensitive information about your CI assets. You must, therefore, define activities such as proper onboarding, offboarding, background checks, and setting access controls for personnel.
Unauthorized access to the supply chain, upsetting the supply chain assets, and vendor risks are some of the hazards you must consider here.
You can consider measures to establish and maintain a system that prevents unauthorized access to the supply chain, misuse of given access, upsetting the supply chain assets, and bypassing threats in the supply chain caused by products, services, and personnel.
You must also address illegal physical access and natural hazards to critical components. So, don’t forget to make a note of the risks of such occurrences alongside the steps to mitigate their impact.
You need to submit your annual CIRMP reports to the applicable Commonwealth regulator by the end of the Australian financial year (28th September). This way, the Cyber Infrastructure Security Centre (CISC) and other related regulators can check if the program remains up-to-date. Besides, these entities can further advise you on the measures to strengthen the security of your CI assets.
The SOCI also requires organizations to maintain the CIRMP status. You can accomplish by:
Compliance with CIRMP rules is not merely a matter of checking boxes; it is an ongoing process that requires organizations to fully implement and abide by the law’s principles. The CIRMP rules demand a comprehensive approach, with a particular emphasis on fortifying the cybersecurity of critical infrastructure.
This endeavour necessitates the collective effort of the entire vendor ecosystem, urging them to address any shortcomings and improve their practices.
Cyber Sierra’s ThirdParty Risk Management module is custom-built to help organizations up their security game in accordance with the CIRMP rules. The automation platform is equipped to assist you in various areas, including developing new risk management practices, implementing appropriate security measures for your assets, educating your employees about cyber risks, adhering to sound TPRM practices, and making informed cyber insurance investments.
Our specialized continuous controls monitoring is designed to ensure you maintain complete control and serves as effective “reasonable security measures” in the event of a breach, preventing hefty penalties. Moreover, continuous control monitoring surpasses the limited sample-based testing of controls provided by audit firms; it is comprehensive, ongoing, and supported by data.
Schedule a free demo with our cybersecurity experts to learn how to enhance your risk management program in accordance with the Australian CIRMP rules.
The following sectors are subject to the Australian CIRMP obligations:
The CIRMP requires organizations to address four main areas: cyber and information security hazards, personnel hazards, supply chain hazards, and physical security and natural hazards.
In each of these areas, organizations must identify risks that could affect their assets, minimize or eliminate those risks, and mitigate the impact of any hazards on their assets. Specifically, in the cyber and information security domain, organizations need to comply with established cybersecurity standards and frameworks.
The deadline for implementing a CIRMP and complying with the controls is August 17, 2023, with full compliance required by August 17, 2024.
If a company doesn’t have or follow a CIRMP, it can be fined 1,000 penalty units or $275,000 per day. This applies to not meeting the obligations of the CIRMP, except for the annual reporting requirement, which carries a fine of 750 penalty units or $206,250 per day if not met. These penalties also apply if a company fails to fully implement their CIRMP.
Cyber Sierra’s continuous control monitoring offers ‘reasonable security measures’ in the event of a breach, preventing companies from paying hefty penalties for noncompliance.
Disclaimer – Detailed regarding the rules mentioned in this blog were sourced from CIRMP rules and SOCI act shared by the Australian Government. The contents of this blog are not a substitute for legal advice. You must always get professional advice or help for matters your organization may have.
Find out how we can assist you in completing your compliance journey.
Here is a complete guide on regulatory compliance and why it is important in 2024. Click to learn more on regulatory compliance.
NIST cybersecurity framework maturity levels are a way for organizations to gauge the strength of their cybersecurity controls and protocols for protecting, identifying, detecting, responding, and recovering from cyber threats over time.
Ever wondered why some businesses manage to stay ahead of regulatory changes and potential risks while others drown in the complexities of compliance standards and data security? The answer is simple: they have a robust compliance program in place. Any enterprise that handles sensitive data must monitor and control its information end-to-end. That’s where the […]