Artifact GuideAustraliaChecklist

Australia Cyber Security Act Checklist

Use this checklist to verify concrete Australian cyber-security obligations: smart-device security standards and statements, ransomware payment reporting, SOCI critical-infrastructure risk management, and APRA CPS 234 controls.

Each item names the condition to check, the evidence to keep, and the official source that supports the obligation. This guidance is practical, source-linked, and should be validated against current legal and policy requirements before implementation.

Back to main artifact Review sources

Author

Sorena AI

Published

May 9, 2026

Updated

May 9, 2026

Sections

Structured answer sets in this page tree.

Primary sources

Cited legal and guidance references.

Publication metadata

Sorena AI

Published May 9, 2026

Updated May 9, 2026

Overview

This checklist is for teams that need an evidence-backed first pass across Australian cyber-security obligations before shipping a consumer smart device, responding to a ransomware payment, operating a SOCI critical-infrastructure asset, or maintaining APRA CPS 234 information-security assurance.

Section 1

Smart-device security standards and statements

Use these checks when the product is a consumer-grade relevant connectable product that will be acquired in Australia by a consumer. The Rules exclude specified product classes such as desktop or laptop computers, tablet computers, smartphones, therapeutic goods, road vehicles, and road vehicle components.

Confirm the product is intended, or is of a kind likely, to be used for personal, domestic, or household use or consumption, and record any exclusion relied on.
Verify product passwords are either unique per product or user-defined; if unique per product, keep evidence that they are not based on incremental counters, public information, or serial numbers unless protected by accepted encryption or keyed hashing.
Publish a clear security-issue reporting point of contact and state when reporters receive an acknowledgement and status updates until resolution.
Prepare the statement of compliance by or on behalf of the manufacturer, including product type and batch identifier, manufacturer and authorised-representative details, compliance declarations, defined support period, signatory details, place, and date of issue.
Retain statements of compliance for the five-year period required by the Rules, and make the supplier check that products supplied in Australia are accompanied by the required statement.

Sources for this answer

Cyber Security (Security Standards for Smart Devices) Rules 2025

Supports the smart-device checklist items for covered consumer-grade relevant connectable products, password requirements, security-issue reporting, statements of compliance, and five-year statement retention.

Section 2

Ransomware payment reporting evidence

Use these checks when an entity is impacted by a cyber security incident and has made, or becomes aware that another entity made on its behalf, a ransomware payment to an entity seeking to benefit from the incident.

Confirm reporting-business-entity scope: either a responsible entity for a Part 2B SOCI critical-infrastructure asset, or a business carrying on in Australia whose previous-financial-year annual turnover exceeds the $3 million threshold.
Start the 72-hour reporting evidence pack as soon as the payment is made or the entity becomes aware it was made, and limit mandatory content to information known or findable by reasonable search or enquiry within that period.
Capture the reporting entity ABN, if any, and address; if another entity made the payment, capture that entity ABN, if any, and address as well.
Record when the incident occurred or is estimated to have occurred, when the entity became aware, impacts on infrastructure and customers, ransomware or malware variants, exploited vulnerabilities, and information that could assist Commonwealth or State response.
Record the amount or quantum and method demanded, the amount or quantum and method actually provided, and the nature, timing, description, and any pre-payment negotiations in communications with the extorting entity.

Sources for this answer

Cyber Security (Ransomware Payment Reporting) Rules 2025

Supports ransomware-payment checklist items for reporting business entity scope, the $3 million turnover threshold, the 72-hour reporting period, and report content.

Section 3

SOCI critical-infrastructure risk program checks

Use these checks when the organisation is a responsible entity for a captured critical-infrastructure asset. Keep this stream separate from Cyber Security Act ransomware reporting: SOCI is about the asset risk program and critical-infrastructure obligations, not only a payment event.

Confirm the asset, responsible entity, and SOCI Part 2A or Part 2B obligation being assessed before assigning any control or report owner.
Keep the critical infrastructure risk management program evidence that shows the entity has and follows a program for the asset.
Include cyber and information-security hazards in the material-risk register, alongside other hazard categories where they are relevant to the asset.
For each cyber or information-security hazard, record the asset function affected, plausible impact on essential goods or services, selected mitigations, residual risk, and governing-body approval or review evidence.
If the same incident also triggers ransomware payment reporting or another regulator notification, keep separate evidence packs so SOCI risk-program evidence is not confused with the Cyber Security Act payment report.

Sources for this answer

Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 materials

Supports the SOCI checklist items for responsible entities, critical infrastructure risk management programs, and cyber and information-security hazards.

Cyber Security (Ransomware Payment Reporting) Rules 2025

Supports ransomware-payment checklist items for reporting business entity scope, the $3 million turnover threshold, the 72-hour reporting period, and report content.

Section 4

APRA CPS 234 controls and notification checks

Use these checks for APRA-regulated entities and groups applying Prudential Standard CPS 234. The checklist should produce evidence that Board oversight, controls, incident response, testing, and assurance match the criticality and sensitivity of information assets.

Document Board, senior management, governing-body, and individual information-security roles and responsibilities.
Classify information assets, including assets managed by related parties and third parties, by criticality and sensitivity.
Map controls to vulnerabilities and threats, asset criticality and sensitivity, lifecycle stage, and potential incident consequences; include third-party control-design evaluations where relevant.
Maintain incident response plans covering detection through post-incident review, escalation, and reporting to the Board or other responsible bodies, and review and test those plans annually.
Run a systematic control-testing program using appropriately skilled and functionally independent specialists; escalate testing deficiencies that cannot be remediated in a timely manner.
Notify APRA no later than 72 hours after becoming aware of a qualifying material information-security incident, and no later than 10 business days after becoming aware of a material control weakness that will not be remediated in a timely manner.

Sources for this answer

APRA Prudential Standard CPS 234 information security

Supports APRA-regulated entity checklist items for Board responsibility, asset classification, controls, incident response, testing, audit, and APRA notifications.

Recommended next step

Turn the Australia cyber-security checklist into assigned evidence

Use this checklist to create scoped smart-device, ransomware-reporting, SOCI, and APRA CPS 234 evidence tasks inside Sorena.

Assessment workflow

Open Assessment Autopilot for Australia cyber-security checks

Turn the checklist into scoped questions for smart devices, ransomware reports, SOCI assets, and CPS 234 controls.

Explore next step

Research workflow

Review Australian cyber-security source evidence

Use Research Copilot to inspect the official sources behind each checklist item.

Explore next step

Talk to Sorena

Talk through implementation

Review scope, evidence gaps, owners, and next implementation actions with Sorena.

Explore next step

Primary sources

References and citations

APRA Prudential Standard CPS 234 information security

apra.gov.au

Referenced sections

Supports APRA-regulated entity checklist items for Board responsibility, asset classification, controls, incident response, testing, audit, and APRA notifications.

"The Board of an APRA-regulated entity is ultimately responsible"

Cyber Security (Ransomware Payment Reporting) Rules 2025

legislation.gov.au

Referenced sections

Supports ransomware-payment checklist items for reporting business entity scope, the $3 million turnover threshold, the 72-hour reporting period, and report content.

"within the 72 hour time period for giving the report"

Cyber Security (Security Standards for Smart Devices) Rules 2025

legislation.gov.au

Referenced sections

Supports the smart-device checklist items for covered consumer-grade relevant connectable products, password requirements, security-issue reporting, statements of compliance, and five-year statement retention.

"The statement must include the following information"

Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 materials

homeaffairs.gov.au

Referenced sections

Supports the SOCI checklist items for responsible entities, critical infrastructure risk management programs, and cyber and information-security hazards.