Critical Infrastructure Risk Management Program (CIRMP) Rules 2023
Made under Part 2A of the Security of Critical Infrastructure Act 2018, the Critical Infrastructure Risk Management Program (CIRMP) Rules 2023 require responsible entities to develop, implement and maintain a risk management program that addresses cyber security, personnel security, supply chain security, physical security and other hazards. Entities must also report their risk management program and any significant incidents to the Australian Government in accordance with the Act.
Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.
Framework Domains (6)
CIRMP: Application and Material Risk
| Code | Title |
|---|---|
| CIRMP-s5 | Application to designated critical infrastructure asset classes |
| CIRMP-s6 | Identification of material risks |
| CIRMP-s7 | General requirement - minimise, eliminate and mitigate all hazards |
CIRMP: Cyber and Information Security Hazards
| Code | Title |
|---|---|
| CIRMP-s8 | Cyber and information security hazard management |
| CIRMP-s8-FW | Adoption of a recognised cyber security framework |
CIRMP: Governance and Reporting
| Code | Title |
|---|---|
| CIRMP-GOV-ADOPT | Adoption and board approval of the CIRMP |
| CIRMP-GOV-REPORT | Annual report to the Commonwealth regulator |
| CIRMP-GOV-REVIEW | Annual review and currency of the CIRMP |
CIRMP: Personnel Hazards
| Code | Title |
|---|---|
| CIRMP-s9 | Personnel hazard management |
CIRMP: Physical Security and Natural Hazards
| Code | Title |
|---|---|
| CIRMP-s11 | Physical security and natural hazard management |
CIRMP: Supply Chain Hazards
| Code | Title |
|---|---|
| CIRMP-s10 | Supply chain hazard management |
Your Compliance Coverage
If you comply with Critical Infrastructure Risk Management Program (CIRMP) Rules 2023, you already cover:
Maps to 4 other frameworks
Frequently Asked Questions
What is Critical Infrastructure Risk Management Program (CIRMP) Rules 2023?
Critical Infrastructure Risk Management Program (CIRMP) Rules 2023 is a compliance framework from Australia with 6 domains and 11 controls. Made under Part 2A of the Security of Critical Infrastructure Act 2018, the Critical Infrastructure Risk Management Program (CIRMP) Rules 2023 require responsible entities to develop, implement and maintain a risk management program that addresses cyber security, personnel security, supply chain security, physical security and other hazards. Entities must also report their risk management program and any significant incidents to the Australian Government in accordance with the Act. It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.
How many controls does Critical Infrastructure Risk Management Program (CIRMP) Rules 2023 have?
Critical Infrastructure Risk Management Program (CIRMP) Rules 2023 has 11 controls organised across 6 domains. The largest domains are CIRMP: Application and Material Risk (3 controls), CIRMP: Governance and Reporting (3 controls), CIRMP: Cyber and Information Security Hazards (2 controls). Each control defines specific requirements that organisations must implement to achieve compliance.
What frameworks does Critical Infrastructure Risk Management Program (CIRMP) Rules 2023 map to?
Critical Infrastructure Risk Management Program (CIRMP) Rules 2023 maps to 4 other compliance frameworks. The top mapping partners are ISO 27001:2022 (45% coverage), NIST Cybersecurity Framework 2.0 (45% coverage), Cyber Security Act 2024 (Australia) (18% coverage). Use our comparison tool to explore control-level mappings between frameworks.
How do I get started with Critical Infrastructure Risk Management Program (CIRMP) Rules 2023 compliance?
Start your Critical Infrastructure Risk Management Program (CIRMP) Rules 2023 compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about Critical Infrastructure Risk Management Program (CIRMP) Rules 2023 requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 11 controls and track your progress.
Start Your Compliance Journey
Create a free account to run self-assessments, get AI advisory, and track your compliance progress across 700 frameworks.
Get Started Free →Free forever — no credit card required