The Evolution of SOCI & November 2024 amendments

January 07, 2025

The Future of SOCI – Australian Critical Infrastructure Resilience

Latest updates from the regulator

SOCI & Other Legislation Amendments (Enhanced Response & Prevention) Bill 2024

At the end of 2024, Australia's Home Affairs Cyber and Infrastructure Security Centre (CISC) announced the following amendments to the SOCI Act as part of the Enhanced Response and Prevention Bill 2024. The changes to the SOCI Act will:

  1. Include secondary assets that hold business critical data relating to the primary asset

  2. Amend Part 2A to enable Government to assist, as a last resort, in managing the consequences of serious all-hazards incidents impacting critical infrastructure

  3. Enable intra-government sharing of protected information and cross-industry collaboration

  4. Provide a directions power for the Secretary or the relevant Commonwealth regulator to address seriously deficient Risk Management Programs

  5. Integrate elements of the Telecommunications Sector Security Reforms into the SOCI Act

  6. Amend Part 6A to strengthen the integrity of information in respect of an asset that is or becomes a System of National Significance (SONS)

SOCI Compliance activities – Formal Audit Program commenced November 2024

In November 2024, Australia's CISC announced the following:

  1. Trial audits have been completed and a summary of the trial audit findings was presented.

  2. The CISC has established a 2025 audit program. This includes defining and contacting all organisations that will be audited in this year's program.

  3. The audit questions have not been released publicly; however, those being audited have received a list of insights.

  4. Upcoming changes include more information sharing for SONS, and the announced integration of the Telecommunications Sector Security Reforms.

Rules for Cyber Security Legislative Package have received Royal Assent – 16 Dec 2024

New rules have come into effect under the Cyber Security Legislative Package. The consultation period for the proposed rules runs until 14 February 2025. See the proposed changes on the CISC website, which include rules on security standards for smart devices, ransomware reporting, the Cyber Incident Review Board and data storage systems.

Evolution of SOCI Act

2025

Sept – Likely next attestation, followed by auditing

Nov '24 to Feb '25 – Consultation on proposed rules for the cyber security legislative package

Nov '24 to May '25 – Audits for industry compliance

2024

18 Aug – Cyber Security Framework compliance

28 Sep – First Annual Attestation Report

2023

18 Aug – Critical Infrastructure Risk Management Program

2022

8 Jul – Mandatory reporting of cyber incidents

8 Oct – Reporting to the Register of Critical Infrastructure Assets

2021

Dec – Obligation to notify data service providers

Getting ‘Audit Fit’ – Are you ready for the CISC’s Compliance Audit Activities?

The CISC has announced that its audit program will commence from November 2024. Organisations subject to audit will have received a notification. Even if not yet selected for audit, organisations should continue to assess the available evidence that demonstrates their compliance. The following steps can assist you in preparing for audit and integrating resilience into daily operations:

01. Reviewing SOCI Act requirements

Regularly refresh Risk and Compliance personnel on SOCI Act requirements and guidelines, so that these individuals and teams can support the uplift of the organisation's SOCI compliance capability. This should be performed with consideration of any critical infrastructure recently acquired or divested.

02. Defining Business As Usual accountabilities

Designate a dedicated person or a cross-functional team to oversee and monitor SOCI Act compliance efforts and to act as a point of contact for compliance audit activities. This typically sits within existing compliance teams. Ensure this person and/or team has adequate resources and capability to perform these tasks, and overall visibility of various SOCI related activities to keep the relevant stakeholders informed and the organisation ready for internal and external compliance reviews.

03. Review availability and auditability of key records

Processes, policies and procedures need to remain current with respect to existing and emerging SOCI requirements. Where updates are required, ensure they are implemented effectively in both policy and practice.

For each aspect of your Critical Infrastructure Risk Management Program (CIRMP) ensure that evidence to support the execution of key activities and/or controls is retained, clearly demonstrates compliance with the requirements/commitments when reviewed by an independent person and can be provided in a timely manner.

04. Continuous Awareness and Education

Provide regular refresher training for involved teams and broader business units on SOCI Act requirements as well as the importance of resilience and continuous compliance.

05. Conduct self-assessments ahead of the CISC compliance activities

Periodically assess your current compliance with SOCI Act requirements, and identify any gaps or areas needing improvement through your existing risk teams and/or three lines of defence. Establish a program to remediate identified gaps.

Who to contact for further information


Robert Di Pietro


Partner, Lead of Cyber Security, PwC Australia

Tel: +61 418 533 346

Jane He


Partner, Assurance, Forensics, Crisis and Resilience, PwC Australia

Tel: +61 451 690 569

Sophie Langshaw


National Leader, Internal Audit Services, PwC Australia

Tel: +61 410 520 548

Adrian Chotar


Partner, Digital, Cyber and Technology Law, PwC Australia

Tel: +61 457 808 068
