Navigating Australia's Cybersecurity Obligations: SOCI, PSPF and the Essential Eight – A Strategic Guide for Government and Critical Infrastructure Organisations

1. Understanding the Frameworks: SOCI, PSPF and the Essential Eight

The increasing digitalisation of Australia’s critical sectors continues to expose them to heightened cyber risk. While the Optus (2022) and Latitude Financial (2023) breaches brought national attention to the fragility of customer data protection, their impact remains active and highly relevant due to ongoing regulatory reviews and public scrutiny. In 2024, both incidents were examined in Senate committee hearings (Parliament of Australia, 2024), leading to policy discussions on mandatory breach disclosure, third-party accountability and reforms to the Privacy Act 1988. Additionally, the Office of the Australian Information Commissioner (OAIC) issued enforcement outcomes and undertakings in response to these breaches, reinforcing expectations for baseline cyber hygiene and regulatory compliance (OAIC, 2024).

The Australian Cyber Security Strategy 2023–2030, released in late 2023, entered its implementation phase in 2024. This included the launch of sovereign cyber hubs, new sector-specific risk management obligations and increased resourcing for the Australian Signals Directorate (ASD) and Australian Cyber Security Centre (ACSC). In February 2025, the ACSC released updated guidance on ransomware readiness and Essential Eight maturity self-assessments, providing clearer expectations and benchmarking tools for organisations across sectors (ACSC, 2025).

In this context, the three serve complementary and ongoing strategic roles:

• SOCI provides national-level oversight and mandates proactive security measures for critical infrastructure entities.
• PSPF ensures a coordinated and holistic approach to protective security across Commonwealth agencies and entities.
• The Essential Eight, updated in November 2023, continues to serve as a scalable technical control baseline still undergoing widespread implementation and uplift throughout 2024–2025.

For government agencies, regulated infrastructure providers and private entities engaged with government, these frameworks are critical for:

• Upholding public trust in digital services and systems
• Meeting ongoing regulatory compliance expectations under SOCI and Privacy Act reforms
• Resisting evolving threats from ransomware actors, insider threats, and nation-state APTs

As the 2025 threat environment grows more complex and regulated, these frameworks remain essential for operationalising national cyber priorities, achieving uplift targets, and building systemic resilience across Australia’s digital economy.

1.1 The Security of Critical Infrastructure (SOCI) Act

Originally enacted in 2018 and significantly amended in 2021, the SOCI Act aims to protect Australia’s critical infrastructure from both physical and cyber threats. The act applies to sectors deemed vital to the country's economy and safety, including energy, water, health, communications, and ports. The amendments introduced obligations such as:

• Mandatory cyber incident reporting within 12 or 72 hours depending on impact.
• Risk Management Program (RMP) requirements for regulated entities.
• Government assistance provisions in the event of a nationally significant cyber threat.

The SOCI Act introduces a tiered approach to regulatory oversight, with specific entities designated as Systems of National Significance (SoNS), requiring enhanced obligations such as vulnerability assessments and annual reporting.

1.2 Protective Security Policy Framework (PSPF)

The PSPF is the primary security compliance framework for Australian Government entities, having been developed by the Attorney-General's Department. The Protective Security Policy Framework (PSPF), first established in 2010 by the Directive on the Security of Government Business  and most recently updated in October 2024, outlines minimum security requirements for government agencies and forms a core pillar of Australia's cyber resilience approach (Attorney-General's Department, 2024). Aligned with the Australian Cyber Security Strategy 2023–2030, the October 2024 update to the PSPF reinforces expectations around supply chain assurance, personnel vetting and protective information security (Attorney-General's Department, 2024).

It is mandatory for non-corporate Commonwealth entities that are subject to the Public Governance, Performance and Accountability Act 2013 to implement the PSPF in compliance with the law. In accordance with the PGPA Act, the PSPF is a more suitable practice for corporate Commonwealth entities and wholly-owned Commonwealth corporations. Non-governmental organisations that are granted access to security classified information may be required to execute a deed or agreement in order to enforce the relevant provisions of the PSPF (Applying the Protective Security Policy Framework, n.d.).  

It comprises 16 core requirements grouped into four security domains:

• Governance
• Information security
• Personnel security
• Physical security

Entities must attest to their PSPF compliance annually and demonstrate continuous improvement. The framework is risk-based and requires alignment of security controls with business functions and threat environments.

1.3 The Essential Eight

The Essential Eight is a prioritised set of mitigation strategies developed by the ACSC to help organisations defend against cyber threats. These include:

1. Application control
2. Patch applications
3. Configure Microsoft Office macro settings
4. User application hardening
5. Restrict administrative privileges
6. Patch operating systems
7. Multi-factor authentication
8. Regular backups

Although the Essential Eight Maturity Model was first introduced by the Australian Cyber Security Centre (ACSC) in 2017, it remains highly relevant and timely in today’s cybersecurity landscape. This is due to its continuous evolution—most recently updated in November 2023—and its explicit endorsement in the Australian Cyber Security Strategy 2023–2030 as the foundational baseline for improving national cyber resilience (ACSC, 2023; Department of Home Affairs, 2023).  

The Essential Eight provides a practical, implementation-focused framework that is scalable to organisations of varying size and complexity. It also serves as the benchmark for compliance with numerous regulatory requirements, including the SOCI Act’s risk management obligations and security uplift expectations under the Protective Security Policy Framework (PSPF). As threat actors increasingly exploit known but unpatched vulnerabilities, the Essential Eight’s emphasis on proactive control maturity and measurable uplift makes it an indispensable guide for both public and private sector organisations navigating complex cybersecurity obligations.

These controls are measured using the Essential Eight Maturity Model (E8MM), which ranges from Maturity Level 0 (unmitigated risk) to Level 3 (fully aligned with recommended practices). While the Australian Cyber Security Centre’s (ACSC) Essential Eight provides a highly effective baseline for mitigating cyber threats, non-government entities particularly small to medium enterprises (SMEs) and organisations outside the public sector often face significant barriers to full compliance.

Unlike federal government agencies that are mandated to adopt these controls under frameworks like the Protective Security Policy Framework (PSPF), many private and not-for-profit organisations operate with limited resources, legacy systems or competing operational priorities. Full maturity across all eight strategies, especially those requiring application control, patch automation or centralised administrative privilege management, can involve substantial investment in technology, skilled personnel and governance processes.

However, this does not diminish the importance or relevance of the Essential Eight. In fact, several of these controls should be considered foundational cybersecurity hygiene for all sectors, regardless of size or regulation.

1.4 Priority Controls Every Organisation Should Implement

While many organisations are aware of baseline security controls, inconsistent implementation and limited resourcing often leave critical gaps. The following control domains remain the most frequently exploited by adversaries and offer high return on investment when effectively applied. Their prioritisation is endorsed by both the Essential Eight and international threat intelligence bodies (e.g., MITRE, ENISA):

• Multi-Factor Authentication (MFA): Despite its broad availability, MFA is still inconsistently applied—particularly for third-party access, cloud admin portals and legacy applications. Mandating MFA for privileged and remote accounts significantly reduces credential-based compromise, which remains one of the most common initial access vectors.
• Regular Patching (Operating Systems and Applications): Many ransomware incidents and APT campaigns still rely on exploiting known but unpatched vulnerabilities (e.g., Citrix Bleed, Log4Shell). Implementing automated patch deployment with risk-based prioritisation (e.g., critical CVEs within 14–30 days) mitigates common attack paths.
• Restricting Administrative Privileges: Default administrator access is often over-provisioned across workstations, servers and cloud resources. Implementing role-based access controls, just-in-time privilege elevation and audit logging reduces the likelihood of privilege escalation and limits lateral movement.
• Daily Backups: Backups remain one of the most effective ransomware mitigations—but only if they are tested, immutable and isolated. Organisations should prioritise automated backup integrity checks and ensure recovery procedures are regularly exercised under pressure.

These controls are not just foundational—they continue to represent break points in real-world intrusions when neglected. They are also scalable and defensible in board-level discussions, making them an ideal starting point for organisations aiming to uplift cyber resilience in a phased or risk-informed manner.

It is important to view the Essential Eight not as a rigid compliance checklist, but as a dynamic maturity journey. By starting with the controls that address the most probable attack vectors and are operationally achievable, even small or non-government organisations can realise meaningful security improvements while building toward long-term maturity.

2. Common Challenges in Achieving Compliance

While Australia’s cybersecurity frameworks—SOCI, PSPF, and the Essential Eight—set clear expectations, organisations continue to face persistent barriers in achieving meaningful and sustainable compliance. These challenges are not just technical—they are governance, cultural, and systemic in nature. Lessons from the Optus and Latitude Financial data breaches, as well as ACSC’s own audit findings, underscore how even well-resourced entities may falter in translating compliance intent into operational execution (ACSC, 2023; Parliament of Australia, 2024; OAIC, 2024).

2.1 Framework Overlap and Interpretation

The coexistence of multiple frameworks leads to duplication and misalignment without clear mapping or regulatory consolidation. For example, the SOCI Act’s Risk Management Program Rules require entities to implement appropriate security measures but do not define “appropriate” in maturity terms—leaving it to interpretation. Meanwhile, the PSPF’s 16 core policies and the Essential Eight’s maturity model overlap in intent but diverge in format and audit readiness. In the absence of unified guidance, many organisations struggle to establish a single defensible compliance narrative.

2.2 Resource and Capability Gaps

According to the Australian Cyber Security Strategy 2023–2030, workforce shortages are one of the biggest national risks to cyber resilience. Many regional agencies and smaller critical infrastructure providers lack internal cyber expertise to keep pace with evolving SOCI obligations or implement technical controls such as application control or privilege restriction at scale. Without a dedicated governance lead or GRC tooling, compliance becomes reactive and fragmented—posing audit and regulatory risks.

2.3 Legacy and Complex Environments

Legacy and hybrid environments often fall short of Essential Eight technical prerequisites—e.g., unsupported operating systems or embedded devices that cannot be patched regularly. During post-breach investigations (such as Latitude Financial’s), regulators highlighted control breakdowns tied to legacy complexity and insufficient network segmentation. These same constraints limit compliance with PSPF's policies, which require secure configuration and monitoring of ICT systems.

2.4 Unclear Third-Party Accountability

Both SOCI and PSPF (through supply chain risk management) expect regulated entities to manage third-party cyber risk. However, due to complex outsourcing arrangements, control performance (e.g., MFA enforcement, daily backups, patch SLAs) is often assumed rather than assured. Contracts may lack measurable security clauses, and few entities perform end-to-end due diligence. As a result, organisations face residual exposure that may not be defensible in audits or breach response scenarios.

2.5 Reporting and Governance Burden

Regulatory obligations such as SOCI’s annual compliance report to the Cyber and Infrastructure Security Centre (CISC), PSPF’s self-assessment to portfolio agencies, and internal Essential Eight maturity reporting are often conducted manually. Without automation or centralised mapping, teams duplicate effort and introduce inconsistencies. This increases operational burden and reduces accuracy—especially for federated agencies operating across jurisdictions or subsidiaries.  

These challenges highlight the importance of adopting a risk-based compliance strategy. As emphasised by the ACSC (2025), organisations should focus on the controls most likely to reduce risk exposure—prioritising implementation of the Essential Eight controls based on threat likelihood, business criticality, and resource availability. Moreover, agencies should integrate compliance workflows into governance, risk, and compliance (GRC) platforms and continuously align to updated guidance from ACSC, OAIC, and CISC.

3. How to meet compliance in a pragmatic way

Compliance with cybersecurity frameworks such as SOCI, PSPF, and the Essential Eight should not be viewed as a tick-box task but as a structured opportunity to embed security into operational resilience. The following recommendations offer a phased, regulation-aware roadmap to uplift compliance maturity in line with government expectations:

3.1 Harmonise cybersecurity control frameworks

Develop a unified cybersecurity control framework that consolidates PSPF mandatory controls (e.g., INFOSEC, GOV), Essential Eight maturity requirements, and SOCI Act obligations—including those related to the Risk Management Program (RMP) and incident reporting. Leverage crosswalks and control libraries to reduce duplication across self-assessments, audits, and third-party assurance.

3.2 Prioritise crown jewels and Systems of National Significance (SoNS)

Use a risk-based asset classification to prioritise Essential Eight implementation starting with Crown Jewels and SoNS designated under SOCI. This aligns with PSPF's TECH and INFOSEC policies and ensures that high-impact systems meet baseline maturity (e.g., Maturity Level Two or higher).

3.3 Establish Cybersecurity Governance for Regulatory Alignment

Form a multi-disciplinary Cyber Risk and Compliance Committee accountable for tracking alignment with SOCI reporting requirements, PSPF attestations, and Essential Eight maturity progression. Governance bodies should be empowered to approve funding, prioritise control remediation, and oversee third-party security obligations.

3.4 Automate Control Monitoring and Assurance Reporting

Deploy technical tools that generate evidence for compliance with specific regulatory requirements—e.g., vulnerability scanning for PSPF, MFA logs for Essential Eight Maturity Level One, and incident detection aligned with SOCI's 12-hour reporting requirement. Integrate this into a GRC platform with dashboard views mapped to each framework.

3.5 Targeted Training and Operational Readiness

Move beyond generic awareness campaigns by delivering role-specific training aligned to regulatory duties. For example, provide incident reporting workflows to operations teams (per SOCI), policy mapping exercises for auditors (per PSPF), and Essential Eight implementation sessions for IT administrators.

3.6 Conduct Cyber Resilience Drills with Regulatory Scenarios  

Run tabletop exercises that simulate ransomware, insider threats, or third-party breaches, explicitly incorporating compliance decision points—e.g., whether an event meets SOCI’s “material cyber incident” criteria, or how recovery aligns to Essential Eight backup integrity requirements. Use outcomes to refine response plans and regulatory reporting processes.