The credibility test

What we catch. Twelve gaps a real responsible entity has, when nobody is looking.

A CIRMP report is only worth the gaps it surfaces. Across the four hazard domains, here are twelve common shortfalls cirmp AI is being built to flag from the artefacts you already export. The terms are technical. Your CISO will recognise every one.

Cyber and information security

The digital systems that run the asset.

Flat OT/IT topology

No IEC 62443 zone-and-conduit segmentation between the SCADA/supervisory layer (Purdue Level 3) and the corporate domain. Dragos or Claroty asset export shows the same VLAN end to end.

Vendor remote access without PAM, MFA or session recording

Persistent jump-host accounts in the IT GRC export, no break-glass workflow for emergency vendor access, no session video tied to a change ticket.

Backups present, integrity untested

Last backup restore test in the BCM (Business Continuity Management) register older than twelve months. Often absent. Essential Eight ML3 requires tested restoration as part of business continuity exercises. The export says it has not happened.

Personnel

The trusted insiders who can disrupt the asset.

Critical-worker register undefined

HRIS export shows OT operators and admins, but no documented criteria identifying which roles qualify as critical workers under the CIRMP Rules 2023 personnel hazard obligations.

Joiner-mover-leaver gaps on privileged access

Active Directory shows accounts of leavers with lastLogon after termination date. Movers still hold old role groups.
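As an added illustration of the leaver and mover checks described above (example code, not cirmp AI's own), the script below joins a constructed HRIS export against a constructed Active Directory export. The field names, the sample rows and the role-to-group baseline are assumptions; a real run would read the entity's actual exports.

```python
from datetime import date

# Constructed sample exports (not real data). HRIS row: account name,
# employment status, termination date (empty if active) and current role.
HRIS = [
    {"sam": "jdoe",   "status": "terminated", "terminated": "2024-03-01", "role": "OT Operator"},
    {"sam": "asmith", "status": "active",     "terminated": "",           "role": "Finance Analyst"},
    {"sam": "bkhan",  "status": "active",     "terminated": "",           "role": "OT Operator"},
]
# Active Directory row: enabled flag, lastLogon as an ISO date, group memberships.
AD = [
    {"sam": "jdoe",   "enabled": False, "lastLogon": "2024-03-15", "groups": ["SCADA-Operators"]},
    {"sam": "asmith", "enabled": True,  "lastLogon": "2024-05-02", "groups": ["SCADA-Operators", "Finance-Users"]},
    {"sam": "bkhan",  "enabled": True,  "lastLogon": "2024-05-03", "groups": ["SCADA-Operators"]},
]
# Assumed role-to-group baseline; in practice it comes from the entity's access model.
ROLE_BASELINE = {
    "OT Operator": {"SCADA-Operators"},
    "Finance Analyst": {"Finance-Users"},
}

def leaver_findings(hris, ad):
    """Leavers whose AD lastLogon falls after their HRIS termination date."""
    ad_by_sam = {row["sam"]: row for row in ad}
    findings = []
    for h in hris:
        if h["status"] != "terminated" or h["sam"] not in ad_by_sam:
            continue
        a = ad_by_sam[h["sam"]]
        if a["lastLogon"] and date.fromisoformat(a["lastLogon"]) > date.fromisoformat(h["terminated"]):
            findings.append((h["sam"], a["lastLogon"], h["terminated"]))
    return findings

def mover_findings(hris, ad, baseline):
    """Active staff holding groups outside the baseline for their current role."""
    ad_by_sam = {row["sam"]: row for row in ad}
    findings = []
    for h in hris:
        if h["status"] != "active" or h["sam"] not in ad_by_sam:
            continue
        excess = set(ad_by_sam[h["sam"]]["groups"]) - baseline.get(h["role"], set())
        if excess:
            findings.append((h["sam"], sorted(excess)))
    return findings

if __name__ == "__main__":
    for sam, last, term in leaver_findings(HRIS, AD):
        print(f"LEAVER {sam}: lastLogon {last} after termination {term}")
    for sam, groups in mover_findings(HRIS, AD, ROLE_BASELINE):
        print(f"MOVER  {sam}: holds groups outside current role {groups}")
```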

No periodic privileged-access recertification

The IT GRC export carries no attested access review of OT or domain admin entitlements in the past quarter. Essential Eight ML2 requires quarterly recertification of privileged accounts.

Supply chain

The vendors and dependencies the asset rests on.

Material supplier register without FOCI assessment

Vendor list ingested, but no recorded assessment of foreign ownership, control or influence. The CIRMP supply chain hazard obligations require consideration of risks from suppliers, and FOCI is a material risk factor.

OT firmware updates without provenance verification

No firmware SBOM (Software Bill of Materials), no vendor-signed update channel, no hash check at install. The CMDB shows firmware versions but no provenance record.

No contractual right to audit on material OT suppliers

Procurement export carries the contract list. Review shows audit, security incident notification and exit clauses missing or weak.

Physical and natural

The buildings, sites and weather the asset sits in.

Single-site dependency for a critical asset

Asset register shows no documented failover site, no tested DR runbook, no RTO/RPO validated against the last DR exercise.

Natural-hazard exposure not mapped to the asset register

No flood-zone, bushfire-rating or seismic overlay attached to the site list, no Bureau of Meteorology hazard tier per facility.

Physical access logs not tied to identity

Card-reader logs reference badge IDs only. No link to HRIS for joiner-mover-leaver alignment, no escort policy enforcement evidence for visitors at the control room.

Every gap above is observable from artefacts you already produce. cirmp AI is being built to read them, name the gap, cite the obligation, and give you a board-grade fix list before the regulator does.

Ready to look inside

See cirmp AI run on a real CIRMP cycle.

Three minutes inside the demo. A live walkthrough on request. You will see what the next CIRMP attestation looks like when it writes itself.
