Who SOCI applies to
The SOCI Act covers responsible entities for critical infrastructure assets across 11 sectors — energy (electricity, gas, liquid fuel), water and sewerage, communications, financial services and markets, healthcare and medical, food and grocery, transport, defence industry, space, higher education and research, and data storage or processing. The data-storage-or-processing sector is broad and catches many cloud and managed-service providers.
The Risk Management Program (CIRMP)
Designated entities must maintain a Critical Infrastructure Risk Management Program covering cyber and information security, personnel security, supply chain security, and physical and natural hazards. The cyber component requires a recognised framework — Essential Eight, ISO 27001, NIST CSF, or an entity-specific framework approved by the regulator. Annual board attestation is required.
How Microsoft 365 fits
Microsoft 365 is a recognised supporting platform for the cyber component of the CIRMP when configured to Essential Eight ML2 or higher. The control mapping covers identity (Entra), endpoint (Defender + Intune), data protection (Purview), threat detection (Sentinel), and supply chain visibility (Microsoft's published SOC 2 and IRAP attestations). For data storage or processing entities, Microsoft 365 service coverage typically forms part of the customer's CIRMP scope.
Reporting obligations
Cyber incident reporting is mandatory: critical incidents within 12 hours, other incidents within 72 hours, to the Australian Signals Directorate via the CISC. Microsoft Sentinel + Defender XDR provide the incident timeline evidence the regulator typically asks for; Frontrow's tenant runbook templates pre-bake the reporting workflow into the incident response playbook.