
June 30, 2025

Organisations subject to Australia’s Security of Critical Infrastructure Act 2018 (SOCI) face a tough challenge: how to meet strict cyber incident reporting timelines while juggling a mix of governance frameworks, operational pressures, and technical controls.

While the SOCI legislation enables organisations to choose from a range of cyber security frameworks to meet their obligations, such as ISO/IEC 27001 and NIST CSF, the real question is:

Can some of these frameworks, on their own, meet some of SOCI’s tight incident reporting timeframes, particularly for incidents that cause a ‘relevant impact’?

SOCI Compliance: A Real-Time Problem

SOCI mandates incident reporting deadlines as follows:

  • 12 hours if a cyber incident has a significant impact on a critical infrastructure asset
  • 72 hours for incidents with a relevant impact
  • 84 hours for follow-up detailed reporting if a verbal report is made (or 48 hours for incidents with a relevant impact)

Additionally, organisations designated as responsible entities for critical infrastructure assets also need to maintain and comply with a Critical Infrastructure Risk Management Program (CIRMP) to demonstrate their proactive hazard risk management capabilities, including cyber security.

The problem is that, while traditional ISMS-style frameworks work well for governance and long-term cyber security strategy, they lack the real-time visibility needed to detect and report threats in the timeframes required by SOCI.

That’s where the ACSC Essential Eight (E8) can help.

Why the Essential Eight Matters

Unlike comprehensive ISMS frameworks that focus on policy, governance and documentation, the ACSC Essential Eight delivers a practical, technical baseline of critical security controls. These controls are measurable, automatable, and map directly to your cyber threat posture—making them ideal for operationalising CIRMP mitigation requirements.

| Factor | ISMS-Only Approach | With Essential Eight Integration |
|---|---|---|
| Detection & Monitoring | Periodic, policy-led | Continuous, control-state visibility |
| Incident Response | Audit frequency dependent | Near real-time detection and escalation |
| Reporting Alignment | Difficult to meet timelines | Supports automated reporting triggers |
| Evidence for CIRMP | Manual and indirect | Auditable, metrics-driven outputs |
| Regulator Familiarity | Requires justification | Recognised by ACSC & CISC |

A Hybrid Model: ISMS AND Essential Eight

The most effective approach isn’t to choose one over the other—it’s to combine governance frameworks like ISO 27001 with data-driven technical overlays using the ACSC Essential Eight.

This hybrid model enables:

  • Broad strategic oversight
  • Tactical enforcement via Essential Eight-aligned technical controls
  • Clear documentation for CIRMP reporting
  • Prompt, effective response to cyber incidents and regulator expectations

How Huntsman Security’s Scorecard Accelerates SOCI Compliance

Meeting SOCI requirements isn’t just about frameworks—it’s about having the right tooling in place to monitor, measure, and report the effectiveness of your risk management efforts that support your cyber resilience.

The Huntsman Security Scorecard was specifically developed to address this challenge.

Key Benefits of the Scorecard:

| SOCI Obligation | How Scorecard Helps |
|---|---|
| 12–72 hour reporting | Alerts triggered by a degradation of control effectiveness |
| CIRMP evidence | Automated evidence-based reporting of current control maturity |
| Executive/Board attestation | Easy-to-understand dashboards to inform governance processes |
| Framework mapping | Supports Essential Eight alignment even when using ISO/NIST as primary frameworks |

Bonus: The Scorecard integrates with existing SIEM and SOC environments to make them efficient and cost-effective.

Strategic Takeaway for Security Leaders

Compliance with SOCI isn’t just a checkbox exercise—it’s an ongoing race to protect your enterprise against security incidents or disruption. Traditional frameworks give you the map, but Essential Eight gives you the vehicle.

Final Recommendations:

  • Adopt a hybrid framework strategy: pair ISO 27001 or NIST CSF with the Essential Eight.
  • Implement control monitoring tools: use the Huntsman Essential 8 Scorecard to provide continuous real-time visibility and mitigation reporting.
  • Embed Essential Eight into your CIRMP: ensure your risk management practices explicitly connect the Essential Eight controls to cyber security hazards and mitigation obligations.

The Essential Eight is more than just guidance—it’s a practical enabler of SOCI cyber resilience.

For critical infrastructure providers, integrating the ACSC Essential Eight and leveraging platforms like the Huntsman Scorecard into their CIRMP provides a clear, auditable path to meeting SOCI’s incident reporting and compliance demands—while at the same time informing dynamic risk management and board-level oversight.

In a world of evolving threats and tightening regulations, that’s not just good governance—it’s business as usual.
