
Assess · Critical infrastructure

SOCI Act readiness, across all four hazard domains.

If you are a responsible entity for a critical infrastructure asset, the SOCI Act requires a risk-management program that addresses cyber, physical, personnel, and supply-chain hazards, with annual board sign-off and mandatory incident reporting. We assess the program you have against the program the Act expects, and ground the cyber domain in a recognised ACSC baseline.


Scope agreed in writing before any work. No obligation.

Diagram: a board-signed CIRMP spanning four hazard domains (cyber, physical, personnel, supply chain); the cyber hazard measured on the Essential Eight at ML0 to ML3 with a target of ML2; mandatory reporting at 12h for significant impact and 72h for relevant impact. Sources: SOCI Act and CIRMP rules; Essential Eight and ACSC ISM. Four hazard domains, one program.

Three positions critical-infrastructure operators are in.

01

Newly captured by the regime

Successive amendments have expanded the asset classes the SOCI Act covers, and you may be a responsible entity without having built for it. The first task is confirming exactly which obligations apply to you, before assuming the worst or the least.

02

A CIRMP that needs proving

You have a risk-management program on paper, but it has not been tested against the four hazard domains the rules require, and the annual board attestation is approaching. You need to know it holds before you sign it.

03

Cyber hazard maturity in question

The rules contemplate meeting the cyber hazard through a recognised framework, and you need an honest read of where your Essential Eight or ISM maturity actually sits against that bar.

The method

How we read you against the SOCI obligations.

01

Obligations confirmed first

Before any assessment, we establish which of your assets are captured, which obligations attach, and whether the enhanced obligations for systems of national significance apply. Scoping the duty correctly is half the value.

02

All four hazard domains, not just cyber

The Critical Infrastructure Risk Management Program is reviewed across the cyber and information-security, physical and natural, personnel, and supply-chain hazard domains, because the rules treat them as one program and so should you.

03

Cyber hazard on a recognised baseline

The rules contemplate addressing the cyber hazard through an established framework. We assess that domain against the ACSC Essential Eight, or the broader Information Security Manual where it applies, so the cyber posture is measured, not asserted.

04

Reporting and attestation ready

We test your readiness against the mandatory incident-reporting timeframes and prepare the program for its annual board attestation, so the obligations that carry the sharpest consequences are the ones you are most ready for.

What you are commissioning

The program and its cyber foundation.

This page is backed by two named engagements from the Assess track: a readiness review of your Critical Infrastructure Risk Management Program, and the Essential Eight maturity assessment that grounds its cyber hazard domain. Each is scoped on its own.

Assess track · Typically 3–5 weeks

SOCI Risk Management Program Readiness

Stand up the risk-management program the SOCI Act requires, across all four hazard domains.

Best for responsible entities for assets covered by the SOCI Act.

Includes

  • Your obligations confirmed: which assets are covered, and whether enhanced obligations for systems of national significance apply
  • A Critical Infrastructure Risk Management Program reviewed across the cyber, physical, personnel, and supply-chain hazard domains
  • Cyber hazard maturity assessed against a recognised ACSC framework (the Essential Eight or the ISM), as the rules contemplate
  • Incident-reporting readiness against the mandatory 12-hour and 72-hour timeframes

Deliverables

  • CIRMP gap assessment
  • Four-domain hazard register
  • Incident-reporting readiness check

Assess track · Typically 2–3 weeks

Essential Eight Maturity Assessment

Know your Essential Eight maturity level, and what it takes to reach the next one.

Best for Australian teams holding themselves to the ACSC baseline.

Includes

  • Each of the eight mitigation strategies assessed against the ACSC Maturity Model, scored Maturity Level Zero to Three
  • Evidence-based review across application control, patching, macro settings, application hardening, administrative privileges, MFA, and backups
  • Alignment to the broader ACSC Information Security Manual where it applies to you
  • A clear path to the target maturity level you actually need, not Level Three for its own sake

Deliverables

  • Essential Eight maturity scorecard
  • Per-strategy gap analysis
  • Uplift roadmap

The foundation

A program is only as sound as its cyber hazard.

The risk-management program spans four domains, but cyber is where most operators carry the most exposure and the most scrutiny. We ground it in a baseline you can evidence.

  • The CIRMP review reads all four hazard domains against the rules, typically in three to five weeks
  • The Essential Eight assessment scores the cyber hazard on the ACSC maturity model
  • Both resolve into one register and a program ready for board attestation

Questions

What teams ask about this engagement.

How do we know if the SOCI Act even applies to us?

That is the first thing we establish. The Act covers defined asset classes across the critical-infrastructure sectors, and the obligations that attach, from the risk-management program to enhanced duties for systems of national significance, depend on which class you fall in. We confirm your status before assessing against duties you may not carry.

What is a CIRMP?

The Critical Infrastructure Risk Management Program: the program the rules require responsible entities to adopt and maintain. It identifies and mitigates material risks across four hazard domains (cyber and information security, physical and natural, personnel, and supply chain) and is approved by the board annually.

Why pair this with an Essential Eight assessment?

Because the cyber hazard domain has to be met against a recognised standard, and the Essential Eight is the baseline most Australian operators reach for. Grounding the cyber domain in a scored maturity assessment turns an assertion in the program into evidence behind it.

What are the incident-reporting obligations?

Critical infrastructure assets carry mandatory cyber-incident reporting to the Australian Government, with a 12-hour timeframe for incidents having a significant impact and 72 hours for a relevant impact. We test that you can actually meet those clocks, not just that a policy names them.

Do you also handle IRAP or government assessments?

Where your obligations extend to the Information Security Manual, we assess against it, and we scope and prepare you for an IRAP assessment where one is required. The formal IRAP assessment itself is conducted by an endorsed assessor, the same separation of builder and judge we keep everywhere.


Scope it before you commit to it.

One conversation, then the scope and the price in writing. Your enquiry arrives already marked for SOCI & critical infrastructure.

© 2026 Alvor, Inc. All rights reserved.