Tell me in 30 seconds
Responsible entities who are submitting their 2025 Critical Infrastructure Risk Management Program (CIRMP) report should be aware that the form was updated by the Critical Infrastructure Security Centre (CISC) in April this year (see here).
While the amended webform retains the overall structure and substance introduced last year, it incorporates several new voluntary and mandatory questions that responsible entities should consider before they submit their Annual CIRMP Report by 28 September 2025.
Annual CIRMP Report - A quick refresher
Responsible entities that must comply with the CIRMP obligations under the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act) are required to submit an Annual CIRMP Report within 90 days after the end of the financial year.[1]
The Annual CIRMP Report requires responsible entities to provide the following:
- a declaration that the CIRMP was up to date at the end of the Australian financial year;
- details of any incidents that occurred that had a significant relevant impact on an asset during the year;
- an outline of any variations to the CIRMP that were made during the year;
- an evaluation of the program’s effectiveness in mitigating any relevant impacts that hazards may have had on that asset; and
- an attestation that the information contained within the Annual CIRMP Report was approved by the board or governing body of the entity.
In this Insight, we unpack the CISC’s recent 7 April 2025 updates to the 2024/25 Annual CIRMP Report webform, which introduced various voluntary and mandatory questions.
The 2024/25 Annual CIRMP Report can be submitted at any time between 1 July 2025 and 28 September 2025 using the CISC’s webform (see here).
For more information about Annual CIRMP Reports, see our previous Insight here.
New mandatory questions
Nomination of assurance process – Section 1
The CISC has introduced a new mandatory question seeking to understand what assurance process the board, council or governing body used to satisfy itself that the responsible entity had complied with its CIRMP obligations. A drop-down menu provides four responses:
- internal reporting mechanisms;
- internal audit;
- independent third-party audit; or
- other.
Variation of CIRMP – Section 3.4
The CISC has included a new mandatory follow-up question where a responsible entity selects that no hazard has had a significant relevant impact on an asset/s during the relevant period. The responsible entity is now required to answer whether the CIRMP was varied as a result of the occurrence of the hazard/s and, if so, to outline that variation. This appears to be an error in the webform logic, as the SOCI Act makes it clear that the Annual CIRMP Report only needs to include a statement outlining a variation made to the CIRMP as a result of a hazard where the hazard has had a significant relevant impact on the asset/s.
New voluntary questions
Critical Infrastructure Asset Details – Section 3.1
A simple addition: when entering the asset/s details, responsible entities can now select the sector to which their asset/s relate.
Risk Management Approach – Section 3.2
The most substantial addition to the Annual CIRMP Report is the expansion of Section 3.2 ‘Risk Management Approach.’ Here, the CISC has introduced a series of voluntary questions about risks and supply chain.
The CISC now seeks to understand what the highest priority risk area is for each responsible entity:
- cyber and information security hazards;
- physical security/natural hazards;
- personnel and supply chain hazards; and/or
- other.
Upon selecting a hazard, the responsible entity is required to provide further information on the specific type of hazard. For example, if the highest priority risk area is cyber and information security hazards, the Annual CIRMP Report will now prompt the user to select one or more of the following examples: unauthorised access, component failure, denial of service attack, or other.
The CISC has also included questions on:
- the frequency of executive leadership and governance bodies assessing and reviewing the identified risks;
- whether the responsible entity has an alternate supply chain for critical operations or services in case of a disruption to primary suppliers;
- whether the responsible entity requires any major suppliers to undergo regular security audits, and if so, the frequency of those audits;
- whether the responsible entity requires any major suppliers to implement technical and operational controls to protect the responsible entity’s data; and
- whether the responsible entity requires its suppliers to notify it about any security incident or data breaches.
As noted, these additional questions are not marked as mandatory, but they provide the CISC with valuable information about the threat environment and about the entity’s approach to managing the risks it has identified.
Further changes
Clarifications on security framework maturity levels - Section 3.3
The CISC has also clarified the questions about the maturity levels of responsible entities’ adopted cyber security frameworks and other adopted security frameworks. Instead of a free text box, responsible entities are now required to select a maturity level, from Level 1 to Level 4, or other.
Now what?
If you are a responsible entity for a critical infrastructure asset that is subject to the CIRMP obligations under the SOCI Act, you should consider and ensure you can respond adequately to the new questions outlined above when preparing to submit your Annual CIRMP Report by 28 September 2025.
The CISC updates the Annual CIRMP Report webform once a year, so there will be no further changes for the 2024/25 reporting cycle.
[1] Security of Critical Infrastructure Act 2018 (Cth) s 30AG.