Robbie Cronin
ASD Cyber Security Partner | AISA Member

SOCI Act compliance sorted.
From $6K.

The Security of Critical Infrastructure Act 2018 requires cyber security incident reporting, risk management programs, and asset registration across 11 critical infrastructure sectors. Full gap analysis of your obligations in 1-2 weeks.

Education-first enforcement ended January 2026

Guarantee: Under 3 critical gaps found? You don't pay.

// real results

What happens when you have the right engineer.

“You can see the difference of having a proper CTO knowing what they're doing. It's great to see you progressing this much.”

Lead auditor, ISO 27001:2022 surveillance audit

Health technology company. 2 major non-conformities resolved to zero. 16 minor reduced to 2. Full compliance rebuild in 2 weeks. Certification maintained.

0 major non-conformities
2 weeks to deliver
18 findings resolved
$30K+ re-cert costs avoided

Sound familiar?

Mandatory incident reporting

Significant cyber incidents must be reported within 12 hours, relevant impacts within 72 hours. If you don’t have an incident response plan that meets these timelines, you’re already non-compliant.

Risk management programs required

Critical infrastructure operators must maintain risk management programs across four domains: cyber security, personnel, supply chain, and physical security. Annual reporting is mandatory.

Penalties are real

Non-compliance with SOCI Act obligations carries civil penalties. Ransomware payments must be reported within 72 hours. The education-first enforcement period ended January 2026.

Not sure where your gaps are?

Free 3-minute scorecard. Covers controls mapped to SOCI Act obligations.

Take the scorecard

// what you get

SOCI Act Compliance Assessment

All four CIRMP domains reviewed in one engagement. Incident reporting, asset registration, supply chain risk. Written so your board can actually read it.

SOCI Act obligations mapping for your sector
Cyber security risk management program review
Incident response plan assessment (12h/72h reporting)
Supply chain risk assessment
Critical infrastructure asset register review
Board-ready compliance report with remediation roadmap

Included if relevant to your business:

Essential Eight maturity baseline (ML2)
Privacy Act compliance check
Cyber insurance readiness review

Typical Big 4 engagement

$50,000+

Your price

$6K-$8K

Delivered in 1-2 weeks. Not 6-8.

Under 3 critical gaps found? You don't pay.

Zero risk. I've never had to honour this.

// how it works

Three steps. No surprises.

01

Free scorecard

2 minutes. See where your organisation stands against SOCI Act requirements. No email needed.

Take the scorecard

02

Deep assessment

1-2 weeks, fixed price. I review your CIRMP, incident response plans, asset register, and supply chain arrangements against SOCI Act obligations.

03

Board-ready report

Compliance report with prioritised remediation plan. Written for your board, not just your IT team.

// who this is for

If the SOCI Act applies to you, this is for you.

Critical infrastructure operators

You operate in one of the 11 SOCI sectors: communications, data storage, defence, energy, financial services, food, healthcare, higher education, space, transport, or water.

Systems of National Significance

Your systems have been designated as nationally significant. Enhanced cyber security obligations apply, including incident response planning and vulnerability assessments.

Board members and executives

Directors have personal accountability for risk management programs. You need visibility into your organisation’s SOCI compliance posture.

Supply chain to critical infrastructure

Your customers are critical infrastructure operators. Their SOCI obligations flow through to you as a supplier.

// why me and not a consultancy

Robbie Cronin

One engineer. Not a sales team.

I'm a senior software engineer with 10+ years in platform infrastructure. CNCF maintainer. ASD Cyber Security Partner. I do the assessment myself. No juniors, no handoffs, no 200-page report written by a graduate who's never seen production code.

You talk to me, I do the work, I write the report. That's why it costs $6K instead of $50K.

Ex-Big Tech | CNCF Maintainer | ASD Partner | Melbourne

// questions

Common questions

Which sectors does the SOCI Act cover?

11 sectors: communications, data storage and processing, defence industry, energy, financial services and markets, food and grocery, healthcare and medical, higher education and research, space technology, transport, and water and sewerage.

What are the reporting timelines?

Significant cyber security incidents must be reported to the ASD within 12 hours. Other relevant impacts within 72 hours. Ransomware payments must be reported within 72 hours regardless of impact severity.

What is a Critical Infrastructure Risk Management Program?

A CIRMP covers four hazard domains: cyber security, personnel, supply chain, and physical security. It must be approved by a board-level body, reviewed annually, and include specific processes for identifying and mitigating risks.

How is this different from a Big 4 engagement?

Three ways. First, I do the work myself. No juniors, no handoffs. Second, it costs $6-8K instead of $50K+. Third, it takes 1-2 weeks instead of 6-8. Same rigour, less overhead.

Do I need this if I'm a supplier to critical infrastructure?

The SOCI Act requires operators to manage supply chain risks. If you're a material supplier, your customer may require you to demonstrate security maturity as part of their risk management program.

Don't wait for an incident to find out you're non-compliant.

Start with the free scorecard. Or book a scoping call and I'll walk through what the SOCI Act means for your organisation.

Taking on 2-3 SOCI assessments per month. First in, first served.