The Security of Critical Infrastructure Act 2018, expanded by the Security Legislation Amendment (Critical Infrastructure) Act 2021 and the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022, covers a broader set of Australian organisations than most realise. The original 2018 Act covered a small set of designated critical infrastructure assets. The 2021 and 2022 amendments expanded coverage to eleven sectors: communications, financial services and markets, data storage and processing, defence industry, higher education and research, energy, food and grocery, health care and medical, space technology, transport, and water and sewerage.
If your organisation is in any of these sectors and operates an asset above the relevant threshold, you are likely covered. The Act imposes obligations including a register, a risk management program, mandatory cyber incident reporting, and (for designated higher-criticality assets) cybersecurity uplift requirements. Penalties for non-compliance are substantial.
What follows is the plain-English operational guide for what the Act expects in Microsoft 365 terms — written for the IT lead and the operations director, not the general counsel. The legal interpretation of the Act sits with your privacy and security counsel. The operational implementation is what this article covers.
What the Act requires (in operations terms)
1. A register of critical infrastructure assets
Every responsible entity must maintain a register of its critical infrastructure assets and provide it to the Department of Home Affairs. In M365 terms, this is a documented inventory: which assets, which workloads run them, where the data sits, who has administrative access. Sounds basic. Most organisations don't have this in a form the regulator will accept.
2. A risk management program
Designated entities must establish, maintain and comply with a Critical Infrastructure Risk Management Program (CIRMP). The program must address four hazard categories: cyber and information security; personnel; supply chain; and physical and natural. The cyber and information security hazard component is where M365 controls map.
The cyber component of the CIRMP requires the entity to identify and manage material risks from cyber and information security hazards. Translated to M365: identity controls (MFA, Conditional Access, PIM), data protection (sensitivity labels, DLP, encryption), endpoint protection (Defender for Endpoint, Intune compliance), monitoring and detection (Defender XDR, Sentinel), and incident response (runbooks, tabletop). The Frontrow Essential Eight Microsoft 365 implementation map covers most of this.
3. Cyber incident reporting
Cyber incident reporting to the Australian Signals Directorate, via the Australian Cyber Security Centre, is mandatory. Critical incidents (those with a significant impact on the availability of the asset) must be reported within 12 hours; other incidents within 72 hours. The clock is short, and it starts with an initial notification based on the information available at the time, followed by ongoing updates.
In M365 terms: detection capability that can identify a critical incident in time to meet the 12-hour clock; named ownership of the reporting process; a pre-built mapping to the ASD ReportCyber form; legal review pre-arranged. This is the same detection and response capability the NDB scheme requires, with the SOCI-specific reporting flow on top.
4. Cybersecurity uplift (for systems of national significance)
A subset of designated assets are declared 'systems of national significance' and subject to additional obligations including the ability for the Minister to direct the entity to deploy specific cybersecurity controls. In practice this is a small subset — but for those entities, the bar is materially higher and includes ASD-graded cyber uplift programs with specific Microsoft 365 implementations.
What this means for AU mid-market
Most mid-market organisations covered by SOCI are in the data storage and processing, food and grocery, transport, water, and higher education sectors — sectors where the threshold for coverage catches more organisations than the Act's headline 'critical infrastructure' framing suggests. A 200-employee water utility is covered. A regional grain handler is covered. A specialist medical practice running its own infrastructure is covered.
Compliance is not optional and the implementation is not exotic. The required controls are largely ones the organisation should already be deploying for Essential Eight and Privacy Act 2026 reasons. The SOCI-specific additions are the register, the documented CIRMP, the incident reporting flow, and the formal compliance attestation.
The M365 implementation map
Identity (CIRMP cyber component)
MFA on all users, phishing-resistant MFA on privileged roles, Conditional Access policy set covering legacy auth block, device compliance, sign-in risk and admin restrictions. Privileged Identity Management (PIM) for just-in-time admin role activation. Workload identity governance per the Workload Identity Risk Check.
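An added example, not the page's or Frontrow's own code: two of the Conditional Access policies from the identity set above, a tenant-wide legacy-authentication block and phishing-resistant MFA on the Global Administrator role, built with the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module is installed, an account holding the Policy.ReadWrite.ConditionalAccess scope, and an emergency-access (break-glass) group whose object ID is a placeholder here.

```powershell
# Added example (not from the page or Frontrow). Requires the Microsoft.Graph module.
# Both policies are created in report-only mode so sign-in logs can be reviewed for
# unexpected blocks before the state is switched to "enabled".
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$breakGlassGroupId = "<BREAK-GLASS-GROUP-OBJECT-ID>"   # placeholder: your emergency-access group

# 1. Block legacy authentication protocols tenant-wide (they cannot satisfy MFA).
#    clientAppTypes "exchangeActiveSync" and "other" are the legacy client categories.
$blockLegacy = @{
    displayName = "SOCI-CIRMP-01 Block legacy authentication"
    state       = "enabledForReportingButNotEnforced"   # change to "enabled" after review
    conditions  = @{
        clientAppTypes = @("exchangeActiveSync", "other")
        applications   = @{ includeApplications = @("All") }
        users          = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

# 2. Require phishing-resistant MFA for a privileged role.
#    62e90394-... is the Global Administrator directory role template ID;
#    00000000-0000-0000-0000-000000000004 is the built-in "Phishing-resistant MFA" strength.
$adminPhishResistant = @{
    displayName = "SOCI-CIRMP-02 Phishing-resistant MFA for privileged roles"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        clientAppTypes = @("all")
        applications   = @{ includeApplications = @("All") }
        users          = @{
            includeRoles  = @("62e90394-69f5-4237-9190-012177145e10")
            excludeGroups = @($breakGlassGroupId)
        }
    }
    grantControls = @{
        operator               = "OR"
        authenticationStrength = @{ id = "00000000-0000-0000-0000-000000000004" }
    }
}

foreach ($policy in @($blockLegacy, $adminPhishResistant)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    Write-Host "Created '$($created.DisplayName)' in state $($created.State) (id $($created.Id))"
}
```

Add further role template IDs (Security Administrator, Exchange Administrator and so on) to includeRoles once the report-only results are clean; the exported policy objects double as CIRMP evidence.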
Data protection (CIRMP cyber component)
Sensitivity labels with encryption on critical data categories, container labels on sites holding critical data, DLP in enforcing mode covering Exchange / SharePoint / OneDrive / Teams, auto-labelling for built-in sensitive information types, retention policies aligned to record-keeping obligations.
Endpoint and infrastructure (CIRMP cyber component)
Microsoft Intune device compliance enforcement, Defender for Endpoint with full visibility, Defender for Cloud Apps for SaaS oversight, Microsoft Sentinel for log aggregation and SIEM. Patch cadence aligned to Essential Eight ML2 (48 hours for internet-facing applications, 14 days for other applications).
Detection and response (CIRMP cyber component + incident reporting)
Defender XDR with alerts tuned for the SOCI-relevant attack patterns (credential abuse, supply-chain compromise, OT-adjacent intrusions for sectors like energy and water). 24/7 escalation. Documented incident response runbook including the ASD ReportCyber submission flow. Annual tabletop based on the latest ASD-published threat actor TTPs.
Supply chain (CIRMP supply chain hazard)
Vendor risk assessment for every M365 third-party app and Marketplace integration. Workload identity governance (the same Workload Identity Risk Check) applies, because supply-chain attacks now pivot through OAuth-consented apps. Microsoft Purview Insider Risk Management covers the overlap with the personnel hazard component.
How to think about scope
The implementation map above is largely the same control set that Essential Eight ML2 and Privacy Act 2026 require. The work is not duplicative — implement once, use the same evidence to satisfy three compliance regimes. The SOCI-specific additions are the register, the CIRMP document, the incident reporting flow, and the attestation cycle.
For most AU mid-market organisations covered by SOCI, the right approach is: confirm coverage with privacy counsel, baseline the cyber controls against the Essential Eight Microsoft 365 implementation map, build the CIRMP document on top of that baseline, document the register and the incident reporting flow, and run an annual tabletop exercise that satisfies SOCI, Essential Eight and Privacy Act 2026 in one rehearsal.
Try it
Score your Essential Eight posture (the cyber backbone of SOCI compliance)
The Essential Eight Readiness tool maps each strategy to Microsoft 365 tooling and produces a board-grade PDF.
1. Application control: Only approved applications can execute on workstations and servers.
2. Patch applications: Internet-facing apps, browsers, Office, PDF readers patched promptly.
3. Microsoft Office macros: Macros disabled unless from trusted locations and signed by a trusted publisher.
4. User application hardening: Web browsers and productivity apps hardened against the most common attacks.
5. Restrict administrative privileges: Admin accounts limited, separated and reviewed — the crown jewels of the tenant.
6. Patch operating systems: Operating system patches applied on a schedule that matches the risk.
7. Multi-factor authentication: MFA everywhere that matters — privileged accounts, remote access, important data.
8. Regular backups: Backups of important data, configuration and software — and restores you have actually tested.
How Frontrow runs this as a managed service
The Frontrow Managed Identity & Information Protection program covers the cyber and information security hazard component of the CIRMP as a continuous quarterly cycle. The cyber controls are deployed and evidenced. Incident reporting runbooks are tested annually with a tabletop. The output is a quarterly attestation pack that satisfies the SOCI evidentiary requirement, the Privacy Act 2026 reasonable-steps requirement, and the Essential Eight reporting requirement in one document.
If your organisation is covered by SOCI and the cyber component of the CIRMP is currently a Word document that hasn't been updated since 2022, that's the engagement. Email Frontrow at info@frontrow.email.