By 28 September 2025 the boards of many of Australia's Critical Infrastructure entities must attest to the effectiveness of their risk management practices. The obligation requires entities to review how their risk management practices performed over the year, including how they enabled the entity to identify, manage and respond to any incidents, and, importantly, how they believe the practices will support the organisation in the year ahead.
It is important that entities begin preparing for this attestation now, covering, as a bare minimum, ‘critical asset operations’, changes to their risk environment, and the design and operating effectiveness of their Critical Infrastructure Risk Management Program (CIRMP). Importantly, engaging the Board early will support their understanding of the attestation and the underpinning process, while driving improved organisational risk, resilience and compliance outcomes. This will also help directors fulfil their professional duties and reduce the likelihood of delay in your attestation process.
Connect with our SOCI experts to ensure your organisation achieves resilience and compliance.
We've developed checklists, practical approaches and timelines to clarify what needs to be in place before your next attestation date, whether under Risk Management Program (RMP) rules or Enhanced Cybersecurity Obligations (ECO). Our tailored solutions span penetration testing, business continuity planning, and risk management alignment to help you meet compliance requirements efficiently.
Successful compliance programs focus on stakeholder mapping and engagement – often using executive sponsorship to drive change. Download our table to help you map positive obligations and identify common stakeholders.
View Stakeholder Mapping