
SOCI Act Compliance – Critical Infrastructure Security Monitoring

Meet your SOCI Act obligations with ThreatDefence. Continuous 24×7 security monitoring, mandatory incident reporting, CIRMP support and evidence-based SecOps for Australian critical infrastructure operators.

Introduction

Australia’s Security of Critical Infrastructure (SOCI) Act 2018, significantly expanded by the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022, imposes strict cyber security obligations on operators of critical infrastructure assets. Whether you manage an electricity network, a water utility, a port, a hospital, or a data centre, the SOCI Act requires you to demonstrate ongoing risk management, rapid incident detection, and mandatory breach reporting — backed by evidence.

ThreatDefence delivers the detection, monitoring, and reporting capabilities that Australian critical infrastructure operators need to meet SOCI Act obligations today — and stay ahead of the evolving regulatory landscape.

What Is the SOCI Act?

The Security of Critical Infrastructure Act 2018 (Cth) is Australia’s primary legislation for protecting systems and assets that are essential to the nation’s economy, security, and social fabric. Following the 2021–2022 amendments, the SOCI Act now covers 11 critical infrastructure sectors and imposes a layered set of obligations:

Asset Register

Responsible entities must register their critical infrastructure assets with the Cyber and Infrastructure Security Centre (CISC).

Critical Infrastructure Risk Management Program (CIRMP)

Entities must adopt, implement, and annually report on a written risk management program covering cyber, personnel, supply chain, and physical hazards.

Mandatory Cyber Incident Reporting

Significant cyber security incidents must be reported to the Australian Signals Directorate (ASD) within 12 hours; other notifiable incidents within 72 hours.

System of Last Resort

The Australian Government may direct entities or intervene directly in the event of a serious cyber attack on national infrastructure.

Enhanced Obligations (Entities of National Significance)

A subset of the highest-risk entities faces additional requirements, including proactive threat monitoring, incident response planning, and cyber security exercises.

Which Sectors Are Covered?

The SOCI Act applies to operators across the following 11 critical infrastructure sectors:

Sector                          Examples
Communications                  Telcos, internet service providers, broadcasters
Data Storage & Processing       Data centres, cloud providers, managed service providers
Defence Industry                Defence contractors and supply chain
Education & Research            Universities, research institutions
Energy                          Electricity generation, gas pipelines, fuel storage
Financial Services & Markets    Banks, superannuation funds, payment systems
Food & Grocery                  Supermarket distribution, cold chain logistics
Health Care & Medical           Hospitals, pathology, pharmaceutical supply
Space Technology                Satellite infrastructure, ground stations
Transport                       Ports, airports, rail, freight
Water & Sewerage                Water utilities, desalination, wastewater

If your organisation owns, operates, or has direct interests in one of these sectors, you likely have binding SOCI Act obligations now.

The Core Cyber Security Challenge

The SOCI Act does not prescribe how you implement cyber security — but it holds you accountable for outcomes. Your CIRMP must demonstrate that you have identified hazards, assessed risks, and put in place controls. Regulators expect evidence, not promises.

Key challenges for infrastructure operators include:

Visibility Gaps

Legacy operational technology (OT) and IT networks are often siloed, leaving blind spots that attackers exploit.

Speed of Reporting

A 12-hour mandatory reporting window leaves almost no time to triage manually. Detection must be automated.

Evidence For Audits

Annual CIRMP reporting and regulator inquiries require structured, retrievable security records — not ad-hoc screenshots.

Resource Constraints

Many critical infrastructure operators run lean security teams that lack the capacity for 24×7 monitoring.

Supply Chain Risk

The SOCI Act explicitly includes supply chain hazards. You must monitor and account for risks introduced by third-party vendors and managed service providers.

How ThreatDefence Supports SOCI Act Compliance

ThreatDefence is an Australian-headquartered SecOps platform purpose-built for evidence-based security operations. Our Security Operations service integrates SIEM, NDR, deception, cloud visibility, and a 24×7 SOC — giving critical infrastructure operators the continuous monitoring, rapid detection, and structured reporting demanded by the SOCI Act.


Continuous 24×7 Security Monitoring

SOCI Act obligations don’t clock off at 5 PM. ThreatDefence provides round-the-clock monitoring across your entire technology stack — IT networks, cloud environments, OT/ICS interfaces, endpoints, and third-party connections. Our Australian-based SOC analysts actively hunt for threats and escalate incidents in real time.

How this maps to the SOCI Act:
– Supports mandatory cyber incident detection within reporting windows (12h / 72h)
– Provides continuous evidence of monitoring activity for CIRMP audit purposes
– Covers the “cyber hazards” category required under Schedule 2 of the CIRMP rules

Network Detection & Response (NDR)

ThreatDefence NDR provides deep packet inspection and behavioural analysis across your network, retaining weeks of evidence for rapid investigation. NDR is especially important in critical infrastructure environments, where operational technology (OT) networks often cannot run traditional endpoint agents.

How this maps to the SOCI Act:
– Extends detection coverage to OT/ICS and air-gapped adjacent network segments
– Enables fast lateral movement detection — essential for meeting the 12-hour reporting window
– Provides network-level evidence for incident reports and post-incident reviews

Cloud Visibility & Security Posture Management

Whether your critical infrastructure workloads run on AWS, Azure, or Google Cloud, ThreatDefence provides continuous cloud security posture management (CSPM) — detecting misconfigurations, excessive permissions, and cloud-native threats in real time.

How this maps to the SOCI Act:
– Addresses “data storage and processing” obligations for cloud-hosted critical assets
– Identifies and remediates misconfigurations that could lead to reportable incidents
– Supports supply chain risk monitoring for cloud vendors and SaaS platforms

CIRMP Documentation & Annual Reporting Support

The CIRMP requires annual written reports to the responsible parties. ThreatDefence provides comprehensive security reporting dashboards and exportable evidence packages — showing what was monitored, what was detected, what was remediated, and what your residual risk posture looks like.

How this maps to the SOCI Act:
– Directly supports the annual CIRMP report obligation under s. 30AC
– Provides structured data for the “cyber hazard” section of your risk management program
– Demonstrates ongoing improvement over time to satisfy regulator expectations

Next-Generation SIEM

Our Next-Generation SIEM ingests logs and security events from across your environment — firewalls, endpoints, cloud platforms, Active Directory, OT/SCADA systems, and more — and correlates them into actionable, high-confidence alerts. Critically, we retain structured, searchable evidence so you can reconstruct timelines for incident reports and regulator submissions.

How this maps to the SOCI Act:
– Provides the audit trail and incident records required for mandatory reporting to ASD
– Supports annual CIRMP reporting with structured security event data
– Enables post-incident forensic analysis for Digital Forensics & Incident Response (DFIR)

Deception Technology

Deploy honeypots, honeytokens, and decoy assets across your environment to catch attackers who have bypassed perimeter defences. Deception technology provides high-confidence, low-noise alerts the moment an attacker interacts with a fake asset — giving you early warning with near-zero false positives.

How this maps to the SOCI Act:
– Supports early detection requirements under enhanced obligations for Entities of National Significance
– Provides additional evidence of proactive threat monitoring for CIRMP documentation
– Detects insider threats and supply chain compromise vectors

Mandatory Incident Reporting Support

When an incident occurs, you have hours — not days — to notify ASD. ThreatDefence’s structured alert workflows, pre-built incident report templates, and SOC escalation playbooks help you meet reporting deadlines without scrambling.

How this maps to the SOCI Act:
– Reduces time-to-report with automated detection-to-notification workflows
– Provides structured incident data aligned to ASD’s Cyber Incident Reporting portal fields
– Creates a defensible record demonstrating good-faith compliance efforts

SOCI Act Compliance Mapping

SOCI Act Obligation                         ThreatDefence Capability
Cyber incident detection                    24×7 SOC + SIEM + NDR
12-hour significant incident reporting      Automated alerting + SOC escalation playbooks
12-hour significant incident reporting      Structured incident workflows + report templates
CIRMP cyber hazard controls                 Continuous monitoring, vulnerability management, CSPM
Annual CIRMP reporting                      Security dashboards + exportable evidence packages
Enhanced cyber obligations (ENS)            Threat hunting, deception, penetration testing integration
Supply chain risk monitoring                Third-party log ingestion, dark web monitoring, threat intelligence
Post-incident forensics                     DFIR capability + NDR evidence retention

Why Critical Infrastructure Operators Choose ThreatDefence

The regulatory and commercial consequences of SOCI Act non-compliance have never been higher:

Australian-headquartered: Data sovereignty and local compliance expertise matter. ThreatDefence is built and operated in Australia, with deep familiarity with SOCI Act, ACSC frameworks, and the Essential Eight.

Evidence-first philosophy: We don’t just generate alerts — we produce structured, retrievable evidence that satisfies regulators and auditors.

Scales to your team: Whether you have a 2-person security team or a large enterprise SOC, ThreatDefence fills the gaps with managed detection and 24×7 coverage.

Single licence, full stack: Full SecOps functionality, including SIEM, NDR, deception, cloud visibility, and SOC automation.

OT/IT convergence ready: Critical infrastructure often means operational technology networks. ThreatDefence supports OT/ICS visibility without requiring changes to production systems.

Frequently Asked Questions

If your organisation owns or operates a critical infrastructure asset captured by the Security of Critical Infrastructure Act 2018, it may have legal obligations under the regime. The Act applies across 11 critical infrastructure sectors, but whether it applies depends on the specific asset definitions, class rules, and your role as a responsible entity or direct interest holder. A practical first step is to review the asset definition guidance from the Cyber and Infrastructure Security Centre (CISC). ThreatDefence can assist with an initial gap assessment focused on cyber obligations under the SOCI framework.

For reportable critical cyber security incidents, the SOCI Act imposes strict notification timeframes. If an entity fails to meet mandatory reporting obligations, civil penalties may apply. In serious cases, the Act also includes government assistance powers that can be used as a last resort where an incident creates a serious risk to Australia’s national interests. In practice, meeting the 12-hour deadline depends on timely detection, triage, escalation, and internal decision-making.

The SOCI Act distinguishes between more severe incidents and other reportable cyber incidents. Critical cyber security incidents must be reported within 12 hours after the entity becomes aware of the incident, while other reportable cyber security incidents must generally be reported within 72 hours. This distinction makes incident classification and escalation processes especially important.

The Critical Infrastructure Risk Management Program, or CIRMP, is a mandatory written program that requires responsible entities to identify and manage material risks affecting their critical infrastructure assets. It covers four core hazard areas: cyber and information security, personnel, supply chain, and physical and natural hazards. Guidance published by CISC also notes that protection of certain business-critical data and related data storage systems must be considered. ThreatDefence directly supports the cyber and information security component of CIRMP.

Yes, responsible entities subject to the CIRMP obligation are required to provide an annual report in the approved form. This report is about the program and compliance with it; it is not simply a one-time document. That makes ongoing governance, evidence collection, and periodic review important.

The SOCI Act does not explicitly require a 24×7 SOC. However, if your organisation is subject to mandatory cyber incident reporting, continuous monitoring is often the most practical way to detect, assess, and escalate significant incidents in time to meet reporting deadlines. For many operators, a managed SOC is the most efficient way to achieve that operational readiness without building a full internal function. This is an operational recommendation rather than a direct statutory requirement.

A responsible entity is generally the organisation that owns or operates the critical infrastructure asset, although the exact definition varies by asset class and sector. The responsible entity carries many of the core obligations under the Act, including registration, risk management, and incident reporting where applicable.

A direct interest holder is an entity that holds at least a 10% interest in a critical infrastructure asset, together with associates, or otherwise has the ability to directly or indirectly influence or control the asset. Direct interest holder obligations are narrower than those of responsible entities, but they can still be relevant under the Act.

Whether an incident is reportable depends on the legal definitions and whether the incident has the required level of impact on the asset. In practical terms, this usually means your organisation needs a process to quickly assess severity, operational impact, and whether the incident meets the reporting threshold. Legal interpretation should be confirmed against the Act and current guidance.

After notification, government agencies may engage with the reporting entity for further information, coordination, or response support. If the incident is severe and national interests are at stake, the SOCI framework includes government assistance powers that can be used as a last resort. This is one reason why strong internal records, evidence capture, and incident management workflows matter.

Systems of National Significance, or SoNS, are the most nationally important critical infrastructure assets because of the cascading impact their disruption could cause. Entities responsible for SoNS may be subject to additional Enhanced Cyber Security Obligations on top of the baseline SOCI requirements.

ThreatDefence is aligned to Australian cyber security expectations and the common frameworks used by regulated entities, including the Essential Eight, the Information Security Manual (ISM), and broader ASD and CISC guidance. This is alignment, not formal certification by ASD or CISC. The ISM remains the Australian Government’s cyber security framework for protecting IT and OT systems, applications, and data.

ThreatDefence can support the cyber security aspects of SOCI compliance through continuous monitoring, log collection, detection engineering, incident response support, privileged activity monitoring, and evidence generation for internal governance and annual reporting. It does not replace legal advice or the organisation’s own accountability under the Act, but it can materially strengthen operational readiness. This is an implementation view rather than a statutory statement.

Mandatory reporting timeframes are short, and they start once the entity becomes aware of the incident. That means compliance depends not only on policy, but on the ability to detect, investigate, classify, and escalate events quickly. Continuous monitoring helps reduce the gap between compromise and awareness, which is often the deciding factor in whether reporting deadlines can be met.