FAQAustraliaRecordkeeping

Cyber Security Act 2024 Recordkeeping

Keep records that prove the specific Australian cyber duty: smart-device statements of compliance, ransomware payment report contents and timing, and any separate SOCI or APRA incident obligations.

This FAQ separates what the Cyber Security Act and 2025 rules support from adjacent critical-infrastructure and prudential records.

Back to main artifact Review sources

Author

Sorena AI

Published

May 9, 2026

Updated

May 9, 2026

Questions

Structured answer sets in this page tree.

Primary sources

Cited legal and guidance references.

Publication metadata

Sorena AI

Published May 9, 2026

Updated May 9, 2026

Overview

Recordkeeping under Australia's Cyber Security Act 2024 is not one generic file. The useful record depends on whether the matter is a consumer-grade smart device, a ransomware payment report, or an overlapping critical-infrastructure or APRA-regulated incident.

Search this module

Find a question or answer quickly

3 of 3 questions

Question 1

What records should teams keep under the Australia Cyber Security Act 2024?

For smart devices, keep the statement of compliance and the product evidence behind it for the rule-backed retention period. The Security Standards for Smart Devices Rules say the statement must identify the product type and batch, manufacturer and Australian authorised representatives, compliance declarations, defined support period, signatory details, and place and date of issue; the same rules set a five-year retention period for those statements.

For ransomware payment reporting, keep a report file that can show whether the entity was a reporting business entity, when the payment was made or discovered, what information was known or findable by reasonable search within the 72-hour reporting period, and what was submitted to the designated Commonwealth body. The Act and ransomware reporting rules do not set a separate retention period for that report file, so retain it with the source evidence used to prepare the report for internal compliance and follow-up checks.

Smart-device evidence: product and batch identifier, manufacturer details, authorised representatives in Australia, compliance declaration, defined support period, signatory, place and date of issue, and the retained statement.
Ransomware report evidence: reporting-entity analysis, incident timing and awareness timing, infrastructure and customer impact, ransomware or malware variant, exploited vulnerabilities, demand amount or benefit, payment amount or benefit, method of provision, and communications with the extorting entity.
Overlap evidence: record SOCI status only where the entity is a responsible entity for a Part 2B critical infrastructure asset, and record APRA status only where the organization is APRA-regulated under CPS 234.

Citations

Cyber Security (Security Standards for Smart Devices) Rules 2025

Supports the smart-device statement contents and the five-year retention period for statements of compliance.

Cyber Security (Ransomware Payment Reporting) Rules 2025

Supports the ransomware report content fields and the reasonable-search limit within the 72-hour reporting period.

Cyber Security Act 2024

Supports the Cyber Security Act Part 3 duty to give a ransomware payment report within 72 hours.

Recommended next step

Turn Australian cyber recordkeeping into evidence requests

Use this FAQ to separate smart-device statement records, ransomware payment report evidence, and supported SOCI or APRA overlap checks before assigning work in Sorena.

Assessment workflow

Open Assessment Autopilot for Australian cyber recordkeeping

Turn the smart-device, ransomware, SOCI, and APRA evidence fields into assigned collection tasks.

Explore next step

Research workflow

Review Cyber Security Act source evidence

Use Research Copilot to check follow-up questions against the official Act and 2025 rules.

Explore next step

Talk to Sorena

Talk through recordkeeping implementation

Review which records belong in the Cyber Security Act file and which belong in adjacent SOCI or APRA files.

Explore next step

Question 2

What ransomware payment evidence should the record contain?

The ransomware record should be built around the report fields, not around a generic incident summary. The Act requires the report to cover contact and business details for the reporting entity or another payer, the cyber security incident and its impact, the extortion demand, the ransomware payment, and communications with the extorting entity.

The 2025 ransomware reporting rules make those categories more concrete. They add ABN and address details where available, incident occurrence and awareness timing, impact on infrastructure and customers, ransomware or malware variant, exploited vulnerabilities, information useful to government response, payment quantum and method, and the nature, timing, and description of communications or negotiations.

Keep a dated trigger note showing when the payment was made or when the organization became aware another entity paid on its behalf.
Preserve the facts that were known or reasonably searchable inside the 72-hour window, plus a later correction trail if more facts were found after submission.
Keep evidence of any SOCI reporting-business-entity limb separately from ordinary turnover analysis, because the rules identify responsible entities for Part 2B critical infrastructure assets as a distinct path into the ransomware duty.

Citations

Cyber Security Act 2024

Supports the ransomware payment trigger, 72-hour timing, and statutory report categories.

Cyber Security (Ransomware Payment Reporting) Rules 2025

Supports the detailed report fields for incident, demand, payment, ABN/address, and communications evidence.

Security of Critical Infrastructure Act 2018

Supports SOCI scoping where the ransomware reporting test depends on whether an entity is responsible for a critical infrastructure asset.

Question 3

How should teams handle SOCI and APRA overlap in recordkeeping?

Do not merge every Australian cyber record into the Cyber Security Act file. SOCI overlap is supported where the ransomware rules refer to responsible entities for critical infrastructure assets to which Part 2B of the SOCI Act applies. APRA overlap is supported only for APRA-regulated entities, because CPS 234 separately requires notification to APRA for material information security incidents and material control weaknesses.

A clean record separates the Cyber Security Act submission evidence from adjacent SOCI or APRA evidence: which entity was in scope, which asset or prudential entity was affected, which regulator or body was notified, what facts were reused, and which facts were held back because the regimes have different purposes.

Mark SOCI overlap only when the affected entity or asset analysis shows a responsible entity for a Part 2B critical infrastructure asset.
Mark APRA overlap only when the incident involves an APRA-regulated entity subject to CPS 234; keep APRA notification evidence separate from the Cyber Security Act ransomware payment report.
Do not use a smart-device statement file as evidence for ransomware reporting unless it actually proves a required ransomware report fact.

Citations

Cyber Security (Ransomware Payment Reporting) Rules 2025

Supports the SOCI overlap boundary in the ransomware reporting-business-entity test.

Security of Critical Infrastructure Act 2018

Supports the SOCI responsible-entity terminology used for critical-infrastructure overlap checks.

APRA Prudential Standard CPS 234 Information Security

Supports APRA overlap only for APRA-regulated entities with CPS 234 incident or control-weakness notification duties.

Primary sources