cirmp AI · CIRMP compliance engine for SOCI Act 2018

For Australian critical infrastructure responsible entities

The board signs.
The pack signs itself.

Continuously assembled Critical Infrastructure Risk Management Program (CIRMP) packs for Australian critical infrastructure. Cited line by line. Signed by your CISO. Attested by your board.

New here? See the plain-English overview →

Illustrative pack · Energy entity

CIRMP attestation · Q3 FY26

Northern Water Authority
s.30AG annual attestation

p. 1 / 84

14 Mar 2026

4.2   Cyber and information security hazard

The responsible entity maintains a cyber security framework aligned to AESCSF[A] covering its operational technology estate. Identity controls enforce phishing-resistant MFA for all privileged access per Essential Eight ML2[B], evidenced by Microsoft Entra exports dated 11 Mar 2026[C]. Patch cadence for internet-facing services remains within 48 hours (CrowdStrike Falcon, March cycle)[D].

4.2.1   Material risks identified

  • Legacy SCADA at Mt Crawford. Vendor support to Dec 2027. Compensating control: segregated VLAN, OT firewall ruleset frozen.
  • Third-party SIEM access reduced from 7 to 2 named operators following Mar 4 review.
SHA-256 · 9f3c…b14e · sealed

AU-hosted

Data resident in Sydney and Melbourne

Reasoning trail

Every claim cites its source

Australian-owned

9t5 Pty Ltd team

Pre-release

Invite-only access

For SOCI Act 2018 responsible entities: Energy generation · Water utilities · Freight rail · Ports · Public hospitals (critical hospital asset class) · Data centres · Financial market infrastructure · Defence industry · Broadcasting · Liquid fuels · DNS operators · Gas distribution

The annual scramble

The board attests every year. The evidence is still assembled by hand.

s.30AC of the SOCI Act requires every responsible entity to adopt and maintain a written CIRMP, and the CIRMP Rules require that program to address four hazard domains. The board must approve the s.30AG annual report, which is due within 90 days of financial year end. Today that pack is scrambled together from spreadsheets, SharePoint folders, vendor exports and a consultancy retainer. Where OT meets IT GRC is where audit defensibility goes to die.

$40k to $150k

Annual CIRMP cycle cost for a Tier 2 or Tier 3 responsible entity. Same scramble next year.

KPMG Australia 2024 · Industry interviews

11

Critical-infrastructure incidents per month against Australian assets in FY24-25.

ASD Cyber Threat Report 2025

15%

of Commonwealth entities reached Essential Eight ML2 in 2024. Down from 25%.

ASD Posture Report 2024

How it works

Three steps. Same engine every quarter.

The pack is no longer a project. It is a continuously assembled artefact your CISO signs off and the board attests to.

How cirmp AI turns the tool exports you already produce into a board-signed CIRMP pack.

01

Bring in

The exports your security and IT tools already produce. Dragos, Claroty, Microsoft Sentinel, CrowdStrike Falcon, ServiceNow IRM, Workday. No agents to install.

Ingest · existing telemetry

02

Assemble

The engine is being built to draft the four-hazard report. Every line cites its source artefact. Reasoning trail viewable offline by the regulator.

Continuous · four hazards

03

Sign

Your CISO reviews and signs. The board signs the s.30AG attestation. The pack is SHA-256 sealed and every citation is verifiable offline.

Attest · s.30AG

Tour the product

What you walk away with

What's in the pack.

One signed PDF. Four hazards. A reasoning trail your regulator can verify offline.

Four hazard domains. Cyber and information security. Personnel. Supply chain. Physical and natural.

Illustrative · pre-release preview


Reasoning trail · 4 citations

A

AESCSF framework mapping

aescsf-v2-mapping.xlsx

IDM 02:14

B

Entra ID. MFA policy

entra-export-2026-03-11.json

IDM 02:21

C

Entra ID. Privileged users

priv-users-2026-03-11.csv

IDM 02:21

D

CrowdStrike Falcon. March cycle

falcon_posture_export_apr_2026.csv

IDM 02:28

Offline-verifiable · view all 271 →

Signed PDF

One pack the board attests to. SHA-256 sealed, time-stamped, offline-verifiable.

Four hazards

Cyber. Personnel. Supply chain. Physical and natural. Covered by default.

Reasoning trail

Every claim cites the control it answers and the rationale it was assessed on.

Sovereign

Being built to be AU-hosted, by an Australian-owned company. Your data never leaves the country.

Why you can trust the pack

Built to be checked, not taken on faith.

A compliance pack is only worth as much as your ability to defend it. We build the pack so a reviewer can trace every line back to where it came from.

Every claim carries a reasoning trail

Each control statement links back to the control it answers and the rationale it was assessed on. You can follow the working, not just read the conclusion.

People own the legal wording

The statutory attestation and penalty wording is fixed by people, not generated by the model. The board approves the pack and the entity signs it.

Assurance-ready by design

The pack is built so an independent reviewer can verify our working line by line. SHA-256 sealed and offline-verifiable, so the check does not depend on us.
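The two claims above (a SHA-256 seal over the pack, and citations a reviewer can recheck without us) are the parts of the pack a practitioner will want to see mechanically. The script below is an added example written for this page, not cirmp AI's code: the page does not specify its manifest format, so the JSON layout, the pack identifier, the artefact contents and the claim text are all constructed for illustration. It records the digest of every cited export next to the claims that cite it, seals the manifest with a single SHA-256, and lets a reviewer with only the manifest, the seal and the exports detect both a swapped artefact and a softened claim. The CISO and board signatures over the seal are not shown; the seal is the value they would sign.

```python
"""Seal a CIRMP pack manifest and verify it offline (stdlib only).

Added example for illustration; not cirmp AI's sealing format, which the
page does not publish. Artefact contents, pack id and claim text are invented.
"""
import hashlib
import hmac
import json

# Constructed sample artefacts standing in for the four exports cited as [A]-[D]
# in section 4.2 of the illustrative pack. Bytes are invented for this example.
ARTEFACTS = {
    "aescsf-v2-mapping.xlsx": b"AESCSF v2 mapping workbook (placeholder bytes)",
    "entra-export-2026-03-11.json": b'{"policy":"privileged-mfa","method":"fido2","state":"enabled"}',
    "priv-users-2026-03-11.csv": b"upn,role,mfa\nops-admin@example.invalid,Global Administrator,fido2\n",
    "falcon_posture_export_apr_2026.csv": b"host,exposure,patch_age_hours\nedge-gw-01,internet,36\n",
}

# Citation letter -> artefact file, as laid out in the reasoning trail.
CITATIONS = {
    "A": "aescsf-v2-mapping.xlsx",
    "B": "entra-export-2026-03-11.json",
    "C": "priv-users-2026-03-11.csv",
    "D": "falcon_posture_export_apr_2026.csv",
}

# Each control statement with the citations it rests on (wording constructed).
CLAIMS = [
    {"id": "4.2-framework", "text": "Cyber security framework aligned to AESCSF.", "cites": ["A"]},
    {"id": "4.2-mfa", "text": "Phishing-resistant MFA for all privileged access.", "cites": ["B", "C"]},
    {"id": "4.2-patch", "text": "Internet-facing patch cadence within 48 hours.", "cites": ["D"]},
]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(obj) -> bytes:
    """Deterministic JSON so the same manifest always hashes to the same seal."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(pack_id: str, artefacts: dict, citations: dict, claims: list) -> dict:
    """Record the digest of every cited artefact next to the claims that cite it."""
    return {
        "pack": pack_id,
        "citations": {
            letter: {"file": fn, "sha256": sha256_hex(artefacts[fn])}
            for letter, fn in sorted(citations.items())
        },
        "claims": claims,
    }


def seal(manifest: dict) -> str:
    """The seal is the SHA-256 of the canonical manifest; this is the value the signers sign."""
    return sha256_hex(canonical(manifest))


def verify(manifest: dict, seal_hex: str, artefacts: dict) -> list:
    """Recheck a pack with nothing but the manifest, its seal and the exports.

    Returns a list of problems; an empty list means the pack verifies.
    """
    problems = []
    if not hmac.compare_digest(seal(manifest), seal_hex):
        problems.append("seal mismatch: manifest has been altered")
    for letter, entry in manifest["citations"].items():
        data = artefacts.get(entry["file"])
        if data is None:
            problems.append(f"[{letter}] artefact missing: {entry['file']}")
        elif not hmac.compare_digest(sha256_hex(data), entry["sha256"]):
            problems.append(f"[{letter}] digest mismatch: {entry['file']}")
    for claim in manifest["claims"]:
        if not claim["cites"]:
            problems.append(f"claim {claim['id']} has no citation")
        for letter in claim["cites"]:
            if letter not in manifest["citations"]:
                problems.append(f"claim {claim['id']} cites unknown [{letter}]")
    return problems


def demo() -> dict:
    """Seal the sample pack, then show what a reviewer sees after two kinds of tampering."""
    manifest = build_manifest("NWA-CIRMP-FY26-Q3", ARTEFACTS, CITATIONS, CLAIMS)
    seal_hex = seal(manifest)

    # 1. An artefact is swapped after sealing (a re-run export with worse numbers).
    swapped = dict(ARTEFACTS)
    swapped["falcon_posture_export_apr_2026.csv"] = b"host,exposure,patch_age_hours\nedge-gw-01,internet,120\n"

    # 2. A claim is softened in the manifest after sealing (deep copy so the original is untouched).
    edited = json.loads(json.dumps(manifest))
    edited["claims"][2]["text"] = "Internet-facing patch cadence within 14 days."

    return {
        "seal": seal_hex,
        "clean": verify(manifest, seal_hex, ARTEFACTS),
        "artefact_swapped": verify(manifest, seal_hex, swapped),
        "claim_edited": verify(edited, seal_hex, ARTEFACTS),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point of the layout is that the seal covers the digests of the artefacts, not the artefacts themselves, so a reviewer can confirm the pack without the vendor's systems: recompute the seal from the manifest, recompute each artefact digest from the export on disk, and check that every claim points at a citation that exists. Swapping an export after sealing shows up as a digest mismatch on that citation; editing a claim shows up as a seal mismatch.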

§ 30AC / § 30AG obligations

Failing to give the board-approved s.30AG annual report attracts a civil penalty of 150 penalty units. Failing to maintain the CIRMP itself (s.30AC) attracts 200. Knowingly giving false or misleading information is dealt with under the Criminal Code as a separate offence, not as a SOCI civil penalty. The board signs it. The entity is liable.

SOCI Act 2018. s.30AG, civil penalty provisions.


The selection rule

Different entities need different frameworks. cirmp AI is being built to pick the right one.

The CIRMP is the program, and the Act does not tell you which cyber security framework to use as its spine. The CIRMP Rules name five accepted frameworks. We apply a simple rule, sector by sector, then evidence against the framework it selects.

Rule 01 · OT

For OT it's AESCSF or NIST CSF. Sector decides which.

Rule 02 · IT

For IT it's Essential Eight or ISO 27001. Often both.

Rule 03 · Hybrid

Most entities need an OT pillar and an IT pillar. Run in parallel.

Framework selector · by asset class. Pick the row that matches your environment.

Energy with OT

Electricity, gas, liquid fuels.

Framework → AESCSF, applicable profile by asset class

Non-energy with OT

Water, ports, freight rail, defence industry and the critical hospital asset class. The entity selects a cyber security framework from the five named in CIRMP Rules s.8(4); IEC 62443 can be layered on top for the OT estate at the entity's option.

Framework → NIST CSF (+ IEC 62443 for the OT layer)

IT-dominant

Data centres, financial market infra, broadcasting, DNS, corporate-only assets.

Framework → Essential Eight ML1+ or ISO 27001

Hybrid estate

Most large CI entities.

Framework → Both pillars in parallel

Footnote · CIRMP Rules 2023, section 8(4) names five accepted cyber security frameworks: AS ISO/IEC 27001, the Essential Eight Maturity Model, NIST CSF, US DOE C2M2 and AESCSF. Responsible entities choose the one that fits their asset class.

Pricing

Continuous engagement.
Not a one-off audit.

Two parts. Implementation up front. Then four cycles a year, engine always on.

Talk to us about pricing

One-off · Implementation

Get cirmp AI live in your environment.

Secure-cloud deployment in your tenancy. Connector mapping for your existing OT and IT tooling. Asset-class customisation.

Ongoing · Quarterly

Four cycles a year. Engine always on.

Four CIRMP cycles a year, fully assembled and signed. Engine runs continuously between cycles.

The next cycle

Twenty minutes.
See it assemble itself.

See a sample CIRMP pack assembled live from real-world exports.

Book a walkthrough · See the live demo