🇦🇺 Australia SOCI / CIRMP Toolkit

Meet SOCI Act & CIRMP Exercise Obligations
with AI-Powered OT/ICS Tabletop Scenarios

Australia's Security of Critical Infrastructure (SOCI) Act and the CIRMP Rules require responsible entities to manage cyber and other hazards, report incidents to the ACSC on a two-speed clock, and submit a board-approved annual CIRMP report. CyberICS delivers 300+ ready-to-run OT scenarios with AI-generated After Action Reports that produce AESCSF-mappable cyber-hazard evidence — and drill the 12-hour and 72-hour reporting duties before they are ever real.

CIRMP Annual Report — Board-Approved Cyber Hazard Evidence
ACSC Reporting — 12-Hour / 72-Hour Two-Speed Clock
Part 3A Government-Assistance (Step-In) Rehearsed
AESCSF-Aligned Practice Evidence
Start Free — 14-Day Trial Talk to Our Australia Team
Compliance Note: CyberICS's exercise scenarios reference the SOCI Act, the CIRMP Rules, and AESCSF as part of a structured training and preparedness program. Exercising on this platform supports — but does not replace — the statutory board-approved CIRMP annual report and mandatory ACSC reporting, which require engagement with your board, legal counsel, and the Cyber and Infrastructure Security Centre. Consult qualified legal and compliance counsel for official determinations.
Applicability

Who Must Comply with the SOCI Act

The SOCI Act and CIRMP Rules apply to responsible entities for critical infrastructure assets across the regulated sectors. Exercise evidence underpins the cyber-hazard sections of the board-approved annual CIRMP report.

⚡ Responsible Entities for Critical Assets

Operators of critical electricity, water, gas, ports, and other in-scope assets must maintain a CIRMP addressing cyber, supply-chain, personnel, and physical hazards — with the cyber-hazard section evidenced by exercises.

💼 Boards & Executive Governance

The board must approve the annual CIRMP report each Australian financial year. Executives and board delegates must rehearse attesting with an incident open — testing governance honesty and evidence quality.

🛡️ Security, Legal & AESCSF Teams

Security, legal, and risk teams must exercise the two-speed ACSC reporting duty, Part 3A government-assistance mechanics, and map findings to AESCSF practice areas as CIRMP evidence.

Standards Alignment

SOCI / CIRMP Obligations — How CyberICS Maps to Each

The CIRMP hazard-management, ACSC reporting, and government-assistance obligations are the ones most directly addressed by tabletop exercises. The board-approved annual report and the response-exercise practice clock are tracked live.

SOCI / CIRMP Obligation Mapping Reference

Relevance: Direct = exercise explicitly required  |  Supporting = exercise validates controls  |  Scenario = scenario content covers the threat domain

Standard Title Key Requirement Addressed CyberICS Capability Relevance
CIRMP Report Annual CIRMP Report (Board-Approved) Submit a board-approved CIRMP annual report each Australian financial year, with cyber-hazard evidence. A formal annual exercise plus capstone board-attestation drill; AARs and readiness trend packaged as the cyber-hazard evidence appendix. Direct
s30BC/BD ACSC Incident Reporting (12h / 72h) Report critical-impact incidents to the ACSC within 12 hours, and other relevant incidents within 72 hours. Scenarios drill impact classification and the two-speed clock; in-exercise reporting timestamps captured in the compliance log. Direct
CIRMP Cyber Cyber & Information-Security Hazard Identify and mitigate cyber hazards to the critical asset; exercise the response. A formal, evaluated response exercise on a grid-control scenario with AESCSF-mapped findings for the report. Direct
SOCI Part 3A Government Assistance (Step-In) Powers Be prepared for information-gathering directions, action directions, and intervention requests during a serious incident. The step-in scenario rehearses receiving a direction, decision rights, legal posture, and cooperation mechanics before they are ever real. Scenario
CIRMP Supply Supply-Chain & Personnel Hazards Manage supply-chain and personnel hazard vectors — managed-provider compromise and trusted-insider misuse. Scenarios exercise third-party access revocation and the security/HR/legal insider sequence, captured as hazard-management evidence. Scenario
AESCSF AESCSF Practice-Area Maturity Demonstrate maturity across AESCSF practice areas as supporting evidence. Framework-tagged decision logs and the remediation tracker with verified closures map findings to AESCSF practice areas. Supporting
Platform Capabilities

How CyberICS Directly Supports SOCI / CIRMP Compliance

Three platform capabilities work together to produce board-approved cyber-hazard evidence and drill the ACSC reporting duties.

🎲
CIRMP Annual Evidence

Documented Exercise Execution

Live Session mode provides a structured, real-time exercise environment. Participants join by code, respond to scenario steps, and all activity is timestamped — creating an auditable exercise record.

  • Timestamped participant activity log
  • Step-by-step scenario walkthrough record
  • Host control bar with session metadata
  • Exercise duration and completion record
📋
CIRMP Annual Evidence

AI-Generated After Action Report

CyberICS's AI engine generates a structured AAR immediately after each exercise — documenting gaps identified, recommended corrective actions, and framework alignment.

  • Structured gap analysis with severity ratings
  • Framework reference per identified gap
  • Corrective action recommendations
  • Downloadable PDF in minutes, not days
📄
Audit Evidence Package

Compliance Evidence Export

The Compliance Dashboard generates per-framework evidence packages — a multi-page audit PDF covering exercise log, controls mapping, gap analysis, remediation timeline, and formal attestation page.

  • Exercise date, participants, and scenario record
  • Framework controls coverage map
  • Gap-to-remediation timeline
  • Attestation page for compliance files
Scenario Library

Australian Critical-Infrastructure Scenarios — Ready to Run

Six high-fidelity scenarios are immediately available, sequenced from foundational to advanced. Each exercises CIRMP hazard vectors and ACSC reporting across your OT, security, legal, and board teams.

Incident Reporting
The 12-Hour Clock — Critical-Impact Reporting

Ransomware disrupts a critical electricity asset at evening peak. Tests classifying "significant impact" (12-hour clock) versus otherwise-notifiable (72 hours), the ACSC report, and parallel AEMO/market notifications.

s30BC/BD 12h Clock Classification
Supply Chain
Managed-Provider Compromise

Your OT managed-services provider reports a breach; their engineers hold standing SCADA access. Tests safe third-party access re-establishment, materiality assessment, and CIRMP supply-chain hazard evidence.

CIRMP Supply Vendor Materiality
Government Assistance
Part 3A — The Step-In Scenario

A severe intrusion outpaces your response and the Minister's delegate signals possible Part 3A measures. Tests receiving an information-gathering direction, decision rights, and cooperation mechanics.

SOCI Part 3A Decision Rights Legal
Formal Exercise
Annual Response Exercise + AESCSF

A planned, evaluated exercise on a grid-control scenario — activation, isolation authorities, ACSC engagement, recovery. Findings map to AESCSF and package as this year's cyber-hazard evidence.

CIRMP Cyber AESCSF Governance
Insider Threat
Trusted Insider on the Control System

A control-room engineer under investigation retains critical-asset access; overnight logs show unauthorized config exports. Tests containing access without tipping off, and the security/HR/legal sequence.

CIRMP Personnel Insider HR/Legal
Board Governance
Board CIRMP Attestation Under Pressure

Weeks before the annual report, a moderate incident exposes a hazard-control marked effective. Tests how the report treats the open incident and what the attestation can honestly say.

CIRMP Report Attestation Board

Plus 59 additional scenarios across Energy, Water, Ports, Manufacturing, Healthcare, and more. Browse the full library →

Evidence Artifacts

Audit-Ready Documentation — Every Exercise

Every CyberICS exercise automatically generates four categories of evidence that map directly to CIRMP and ACSC reporting documentation.

📋
After Action Report (AAR)

AI-generated structured PDF with gap analysis, corrective actions, and framework references. Ready within minutes of exercise completion.

CIRMP Annual Evidence
📈
Compliance Evidence Package

Multi-page per-framework audit PDF: exercise log, controls mapping, gap analysis, remediation timeline, and signed attestation page.

AESCSF Practice Areas
🕑
Session Activity Transcript

Timestamped record of all participant responses, host actions, and step progression. Demonstrates real exercise activity to auditors.

ACSC 12h/72h Log
🔗
Gap-to-Ticket Tracking

Gaps identified in the exercise are automatically pushed to ServiceNow or Jira as remediation tickets — creating a documented corrective action trail.

Remediation Evidence

Explore the Full Regulatory Toolkit Library

CyberICS exercise evidence maps to multiple frameworks simultaneously. One exercise program — complete regulatory coverage.

Ready to Build Your CIRMP Cyber-Hazard Evidence?

Start free with a 14-day trial — no credit card required. Or talk to our Australia team about CIRMP exercise programs feeding your board-approved annual report.

Also explore: ISO 27001 Toolkit  ·  IEC 62443 Toolkit  ·  NIST SP 800-82 Toolkit