Essential Eight for Critical Infrastructure: How to Map E8 Controls to Your SOCI CIRMP Obligations

Tech Blaze Consulting | February 2026 | 15 min read

If your organisation is a responsible entity under the Security of Critical Infrastructure Act 2018 (SOCI Act), you have almost certainly been through the exercise of selecting a cyber security framework for your Critical Infrastructure Risk Management Program (CIRMP). Many Australian operators — particularly those already aligned with Australian Government cybersecurity guidance — have chosen the Essential Eight Maturity Model as their framework of record.

It is a logical choice. The Essential Eight is Australian-born, well-understood by government, and maps directly to ISM controls that many entities already implement. But here is the problem we see repeatedly when working with critical infrastructure clients across energy, health, transport, and defence industry: choosing the Essential Eight is the easy part. Mapping it meaningfully to your CIRMP obligations — and knowing where it falls short — is where most organisations struggle.

There is little published guidance that bridges the gap between the E8 maturity model and the specific hazard vectors and obligations in the CIRMP Rules. This article sets out the control-level mapping you need to demonstrate compliance, report to your board, and satisfy your annual reporting obligations, and it is equally explicit about where the Essential Eight stops and other controls must start.

The Regulatory Landscape: SOCI, CIRMP, and the Essential Eight

The SOCI Act and CIRMP Obligations

The Security of Critical Infrastructure Act 2018, as significantly amended in 2021 and 2022, imposes risk management obligations on responsible entities across 11 critical infrastructure sectors. Where the CIRMP Rules have been switched on for an asset class, the responsible entity must maintain a written CIRMP that identifies and manages material risks from the defined hazard vectors, and must report on it annually.

The CIRMP Rules prescribe four hazard vectors that CIRMPs must address:

  1. Cyber and information security
  2. Personnel
  3. Supply chain
  4. Physical security and natural hazards

For the cyber and information security hazard vector, the Rules require responsible entities to establish and maintain a process to comply with at least one of the listed frameworks: the Essential Eight Maturity Model at Maturity Level One or above, the AESCSF at Security Profile 1 or above, ISO/IEC 27001, the NIST Cybersecurity Framework, NIST SP 800-53, C2M2 at MIL-1 or above, or an equivalent framework.

Why the Essential Eight?

For many Australian entities — particularly those in or adjacent to government — the Essential Eight is the natural choice. It aligns with ISM controls, and the framework provides clear maturity level definitions. If you are a defence industry participant, or a data centre operator hosting government workloads, you may already be assessed against the E8.

Critical nuance: if you choose the Essential Eight, the CIRMP Rules set Maturity Level One as the floor; they do not mandate Maturity Level Two or Three. Above that floor the obligation is risk-based, not prescriptive: you must use the framework to manage material risks, and your risk assessment should justify whatever target level you set. This distinction matters for board reporting, audit, and your annual CIRMP report, because a Level One result is compliant only if your risk assessment supports it.

The E8-to-CIRMP Mapping

The following table maps each Essential Eight mitigation strategy to the relevant CIRMP obligation areas within the cyber and information security hazard vector.

| # | E8 Mitigation Strategy | CIRMP Cyber Hazard Coverage | Key ISM Controls | CIRMP Contribution | Gaps / Limitations |
|---|---|---|---|---|---|
| 1 | Application Control | Prevents execution of unapproved programs on workstations and servers, reducing malware and unauthorised software risk | ISM-0843, ISM-1490, ISM-1656, ISM-1657 | Directly addresses malware and unauthorised access risks to CI assets. Supports integrity of systems processing critical data. | Limited to endpoints in scope. Does not cover OT/ICS environments natively. No coverage of network-level threats. |
| 2 | Patch Applications | Reduces exploitation risk from known vulnerabilities in applications | ISM-1690, ISM-1691, ISM-1692, ISM-1693 | Addresses vulnerability management, a core expectation for managing cyber risks to CI assets. Supports timely remediation of known threats. | Patching cycles may conflict with OT availability requirements. Does not address zero-day or unknown vulnerabilities. |
| 3 | Configure Microsoft Office Macro Settings | Prevents malicious macro execution, a long-standing initial access vector | ISM-1671, ISM-1672, ISM-1673, ISM-1674 | Reduces likelihood of initial compromise via phishing/social engineering targeting CI personnel. | Microsoft-specific. Does not address other document formats or application scripting. Limited relevance to non-Microsoft environments. |
| 4 | User Application Hardening | Blocks web-based content that delivers exploits (Java from the internet, web advertisements, legacy plug-ins such as Flash) and hardens browsers and PDF software | ISM-1486, ISM-1485, ISM-1660, ISM-1661 | Reduces attack surface of user-facing applications. Limits web-based threat vectors targeting CI operator workstations. | Endpoint-focused. Does not address server-side or OT-facing application risks. |
| 5 | Restrict Administrative Privileges | Limits who can make significant changes to systems, reducing insider threat and lateral movement | ISM-1507, ISM-1508, ISM-1175, ISM-1653 | Directly supports the CIRMP requirement to manage risks from privileged access to CI assets. Critical for preventing escalation after initial compromise. | Does not address non-privileged user risks. Requires complementary identity governance (not in E8 scope). |
| 6 | Patch Operating Systems | Reduces exploitation risk from known OS-level vulnerabilities | ISM-1694, ISM-1695, ISM-1696, ISM-1697 | Core vulnerability management control. Directly relevant to maintaining the security posture of systems supporting CI assets. | Same OT patching challenges as Strategy 2. Legacy OS in CI environments may not be patchable. |
| 7 | Multi-Factor Authentication | Reduces the impact of credential compromise by requiring a second factor | ISM-1559, ISM-1560, ISM-1561, ISM-1679 | Addresses authentication risks to CI systems. Critical for remote access, cloud services, and privileged access to CI assets. | MFA may not be feasible for all OT/ICS interfaces. Does not address physical access or non-digital authentication scenarios. |
| 8 | Regular Backups | Enables recovery from ransomware, data destruction, or system failure | ISM-1511, ISM-1515, ISM-1705, ISM-1707 | Directly supports resilience and recovery, a core CIRMP objective. Addresses data availability for CI assets. | Backup alone does not ensure business continuity. Does not address recovery time objectives, failover, or disaster recovery planning. |

Reading the table: The CIRMP Contribution column identifies how each E8 strategy supports your obligation to manage material risks under the cyber and information security hazard vector. The Gaps / Limitations column flags where the E8, even at Maturity Level Three, does not fully satisfy the breadth of what a robust CIRMP requires.

Where the Essential Eight Falls Short: The CIRMP Gap Analysis

Choosing the Essential Eight satisfies the requirement to adopt a recognised framework. However, adopting a framework is not the same as comprehensively managing all material cyber risks. Several critical risk domains sit outside the E8's scope entirely.

1. Incident Detection and Response

The Essential Eight is a preventative framework. It focuses on reducing the likelihood of compromise. It does not address security monitoring and event detection, incident response planning and execution, or the mandatory cyber incident reporting obligations that Part 2B of the SOCI Act places on responsible entities.

Your CIRMP must address incident response. The E8 does not. You will need supplementary controls, ideally drawn from the ISM's guidelines for cyber security incidents or the NIST CSF Detect, Respond and Recover functions.

2. Network Security and Segmentation

The Essential Eight does not include network-level controls such as network segmentation between corporate IT and OT/ICS environments, intrusion detection and prevention systems, secure architecture design, or gateway and boundary protection.

For critical infrastructure entities, network segmentation between IT and OT is not optional — it is fundamental. Your CIRMP should address this regardless of your chosen framework.

3. Security Governance, Risk Assessment, and Assurance

The CIRMP Rules require a risk management program, not just technical controls. The E8 does not cover cyber security risk assessments, security governance frameworks, third-party risk assessments (which overlap with the supply chain hazard vector), or regular independent assurance.

4. Data Protection and Privacy

The E8 does not address data classification, data loss prevention, encryption at rest or in transit, or privacy obligations under the Privacy Act 1988. For CI entities handling sensitive operational data or personal information, these are material risks that your CIRMP must address.

5. The Other Three Hazard Vectors

The Essential Eight only addresses one of the four CIRMP hazard vectors. Your CIRMP must also manage material risks from personnel hazards, supply chain hazards, and physical security and natural hazards. The E8 offers at most incidental coverage of these (restricting administrative privileges limits what a malicious insider can do, and backups help recovery after a physical event), and none of it is sufficient to discharge the obligation for those vectors.

The OT/ICS Challenge: Applying IT Controls in Operational Technology Environments

The Essential Eight was designed for corporate IT environments — Windows-based endpoints, Microsoft Office, web browsers, Active Directory. Many critical infrastructure entities operate Operational Technology (OT) and Industrial Control Systems (ICS) that present fundamentally different constraints:

  • Patching — OT systems often cannot be patched without vendor approval, extensive testing, and planned outages. Real-time control systems may run on legacy operating systems that no longer receive patches.
  • Application control — Application control is achievable on Windows-based SCADA servers and HMIs, but it is operationally different from deploying it on corporate workstations, and it is generally not possible at all on PLCs and RTUs. The risk of operational disruption from a misconfigured policy is significantly higher.
  • MFA — Multi-factor authentication on operator consoles or field devices accessed via serial connections may not be feasible. The E8's MFA requirements assume modern authentication protocols that OT environments may not support.
  • Macro settings and user application hardening — Often irrelevant in OT environments that do not use Microsoft Office or standard web browsers.

Practical guidance: When scoping your E8 maturity assessment for CIRMP purposes, clearly define the boundary between IT and OT environments. Apply the E8 fully to corporate IT. For OT environments, document compensating controls and reference a complementary framework such as IEC 62443 or, for energy sector entities, the AESCSF (which the CIRMP Rules themselves list as an acceptable framework). Your CIRMP should explicitly record this scoping decision and the rationale behind it, because an assessor or regulator will otherwise read an E8 result as covering the whole asset.

Board Reporting: Presenting E8 Maturity for CIRMP Annual Reports

Under the SOCI Act, responsible entities must provide an annual CIRMP report to the relevant Commonwealth regulator within 90 days after the end of each financial year. This report must be approved by the board (or equivalent governing body). Boards need clear, concise, and meaningful reporting on cyber security posture.

Recommended Board Reporting Structure

1. Framework Adoption Statement

State that the entity has adopted the Essential Eight Maturity Model as the cyber security framework for the cyber and information security hazard vector, as permitted under the CIRMP Rules, and that the Rules' minimum of Maturity Level One is met or, if not, when it will be.

2. Current Maturity Summary

Present a table showing the current assessed maturity level for each strategy alongside the target maturity level and status.

3. Scope and Limitations

Explicitly state what is in scope (corporate IT supporting the CI asset) and what is not (OT/ICS, if applicable). Identify supplementary frameworks for out-of-scope environments.

4. Gap Analysis and Remediation Roadmap

Summarise material gaps between current and target maturity, the remediation actions underway, and expected timelines.

5. Supplementary Controls

Report on controls that sit outside the E8 but are required by the CIRMP — incident response, network security, governance, and the non-cyber hazard vectors.

6. Assurance and Independent Assessment

Note whether the E8 maturity assessment was conducted internally or by an independent assessor. An assessment by an IRAP assessor provides a high level of independent validation, but the assessment scope still has to match the CI asset boundary described in the CIRMP.

What Boards Need to Understand

  • E8 is your cyber hygiene baseline, not your entire security program.
  • Maturity levels are not compliance levels. The CIRMP Rules set Maturity Level One as the floor; your risk assessment should justify any higher target.
  • Annual improvement is expected. Regulators will look for year-on-year progress.
  • Board approval is a governance obligation. Directors should be satisfied that the CIRMP annual report is accurate and complete.

Incident and Ransomware Reporting: Obligations to Factor In

Two reporting regimes sit alongside the CIRMP, and neither is covered by the Essential Eight:

Mandatory cyber incident reporting under the SOCI Act — Part 2B of the SOCI Act requires responsible entities to report cyber security incidents affecting their CI assets to ASD: within 12 hours for an incident having a significant impact on the availability of the asset, and within 72 hours for an incident having a relevant impact. This obligation predates the Cyber Security Act 2024 and reinforces the gap in the E8, which has no detection or reporting component.

Ransomware payment reporting under the Cyber Security Act 2024 — entities that make a ransomware or cyber extortion payment must report it within 72 hours. Your CIRMP and incident response plan should set out the decision-making framework for ransomware events, including who may authorise a payment and how the report is made.

The Cyber Security Act 2024 also introduces security standards for smart devices, which signals the government's increasing focus on supply chain and product security.

Ensure your CIRMP reflects these obligations. The E8 alone does not address them.

E8 + CIRMP Compliance Checklist

Use this checklist to assess your organisation's readiness against both Essential Eight and CIRMP obligations.

Contact us for a full downloadable version of this checklist, tailored to your sector.

How Tech Blaze Can Help

As an endorsed IRAP assessor practice, we work with critical infrastructure entities across Australia to:

  • Conduct independent Essential Eight maturity assessments scoped to your critical infrastructure assets
  • Perform CIRMP gap analyses that go beyond the E8 to cover all four hazard vectors
  • Prepare board-ready CIRMP annual reports with clear, defensible maturity reporting
  • Advise on OT/ICS security strategy and compensating controls where the E8 does not apply
  • Deliver IRAP assessments for entities hosting government data or participating in the DISP

This article is general guidance only and does not constitute legal advice. Entities should seek specific advice on their CIRMP obligations from qualified legal and security professionals.

Tech Blaze Consulting

Canberra, ACT

About the Author

Tech Blaze Consulting is a Canberra-based cybersecurity consultancy specialising in IRAP assessments, Essential Eight maturity assessments, and security advisory for critical infrastructure entities. Founded by an endorsed IRAP assessor with extensive IT and cybersecurity experience.

When you engage Tech Blaze, you work directly with the assessor — no account managers, no junior analysts, no handoffs.

Need Help with Your CIRMP Compliance?

If you are a critical infrastructure entity that has adopted the Essential Eight for your CIRMP and want confidence that your mapping, assessment, and reporting are robust, we would welcome a conversation.