---
title: "Australia Cyber Security Act recordkeeping FAQ"
canonical_url: "https://www.sorena.io/artifacts/apac/australia-cyber-security-act/faq/recordkeeping"
source_url: "https://www.sorena.io/artifacts/apac/australia-cyber-security-act/faq/recordkeeping"
author: "Sorena AI"
description: "What records to keep for Cyber Security Act 2024 smart-device statements, ransomware payment reports, and supported SOCI or APRA overlap checks."
published_at: "2026-05-09"
updated_at: "2026-05-09"
keywords:
  - "Cyber Security Act 2024 recordkeeping"
  - "Australia ransomware payment report evidence"
  - "smart device statement of compliance retention"
  - "Cyber Security Act 2024"
  - "Recordkeeping"
  - "Australia"
  - "Ransomware reporting"
  - "Smart devices"
---

# Australia Cyber Security Act recordkeeping FAQ

What records to keep for Cyber Security Act 2024 smart-device statements, ransomware payment reports, and supported SOCI or APRA overlap checks.

## Cyber Security Act 2024 Recordkeeping

Keep records that prove each specific duty under Australia's Cyber Security Act 2024: the smart-device statement of compliance and the product evidence behind it, the contents and timing of any ransomware payment report, and any separate SOCI or APRA incident obligation that also applied.

This FAQ separates what the Cyber Security Act and 2025 rules support from adjacent critical-infrastructure and prudential records.

Recordkeeping under Australia's Cyber Security Act 2024 is not one generic file. The useful record depends on whether the matter is a consumer-grade smart device, a ransomware payment report, or an overlapping critical-infrastructure or APRA-regulated incident.

## What records should teams keep under the Australia Cyber Security Act 2024?

For smart devices, keep the statement of compliance and the product evidence behind it for the rule-backed retention period. The Security Standards for Smart Devices Rules say the statement must identify the product type and batch, manufacturer and Australian authorised representatives, compliance declarations, defined support period, signatory details, and place and date of issue; the same rules set a five-year retention period for those statements.

For ransomware payment reporting, keep a report file that can show whether the entity was a reporting business entity, when the payment was made or when the entity became aware that another entity had made it on its behalf (the event that starts the 72-hour clock), what information was known or findable by reasonable search within that 72-hour period, and what was actually submitted to the designated Commonwealth body. The Act and the ransomware reporting rules do not set a separate retention period for that report file, so retain it together with the source evidence used to prepare the report for internal compliance and follow-up checks.

- Smart-device evidence: product and batch identifier, manufacturer details, authorised representatives in Australia, compliance declaration, defined support period, signatory, place and date of issue, and the retained statement.
- Ransomware report evidence: reporting-entity analysis, incident timing and awareness timing, infrastructure and customer impact, ransomware or malware variant, exploited vulnerabilities, demand amount or benefit, payment amount or benefit, method of provision, and communications with the extorting entity.
- Overlap evidence: record SOCI status only where the entity is a responsible entity for a Part 2B critical infrastructure asset, and record APRA status only where the organization is APRA-regulated under CPS 234.

Sources for this answer:

- [Cyber Security (Security Standards for Smart Devices) Rules 2025](https://www.legislation.gov.au/F2025L00276/asmade/text?ref=sorena.io) - Supports the smart-device statement contents and the five-year retention period for statements of compliance.
- [Cyber Security (Ransomware Payment Reporting) Rules 2025](https://www.legislation.gov.au/F2025L00278/asmade/text?ref=sorena.io) - Supports the ransomware report content fields and the reasonable-search limit within the 72-hour reporting period.
- [Cyber Security Act 2024](https://www.legislation.gov.au/C2024A00098/asmade/2024-11-29/text?ref=sorena.io) - Supports the Cyber Security Act Part 3 duty to give a ransomware payment report within 72 hours.

## What ransomware payment evidence should the record contain?

The ransomware record should be built around the report fields, not around a generic incident summary. The Act requires the report to cover contact and business details for the reporting entity or another payer, the cyber security incident and its impact, the extortion demand, the ransomware payment, and communications with the extorting entity.

The 2025 ransomware reporting rules make those categories more concrete. They add ABN and address details where available, incident occurrence and awareness timing, impact on infrastructure and customers, ransomware or malware variant, exploited vulnerabilities, information useful to government response, payment quantum and method, and the nature, timing, and description of communications or negotiations.

- Keep a dated trigger note showing when the payment was made or when the organization became aware another entity paid on its behalf.
- Preserve the facts that were known or reasonably searchable inside the 72-hour window, plus a later correction trail if more facts were found after submission.
- Keep evidence of the SOCI limb of the reporting-business-entity test separately from the turnover analysis: the Act's definition treats a responsible entity for a critical infrastructure asset to which Part 2B of the SOCI Act applies as a distinct path into the ransomware duty, independent of whether turnover exceeds the threshold prescribed by the rules.

Sources for this answer:

- [Cyber Security Act 2024](https://www.legislation.gov.au/C2024A00098/asmade/2024-11-29/text?ref=sorena.io) - Supports the ransomware payment trigger, 72-hour timing, and statutory report categories.
- [Cyber Security (Ransomware Payment Reporting) Rules 2025](https://www.legislation.gov.au/F2025L00278/asmade/text?ref=sorena.io) - Supports the detailed report fields for incident, demand, payment, ABN/address, and communications evidence.
- [Security of Critical Infrastructure Act 2018](https://www.legislation.gov.au/Details/C2018A00029?ref=sorena.io) - Supports SOCI scoping where the ransomware reporting test depends on whether an entity is responsible for a critical infrastructure asset.

## How should teams handle SOCI and APRA overlap in recordkeeping?

Do not merge every Australian cyber record into the Cyber Security Act file. SOCI overlap is supported where the reporting-business-entity test turns on whether the entity is a responsible entity for a critical infrastructure asset to which Part 2B of the SOCI Act applies. APRA overlap is supported only for APRA-regulated entities, because CPS 234 separately requires notification to APRA for material information security incidents and material control weaknesses, and that notification is not a Cyber Security Act record.

A clean record separates the Cyber Security Act submission evidence from adjacent SOCI or APRA evidence: which entity was in scope, which asset or prudential entity was affected, which regulator or body was notified, what facts were reused across notifications, and which facts were held back because the regimes have different purposes. The Act's limited-use protections attach to information in the ransomware payment report itself, not to what was separately given to APRA or under SOCI, which is a practical reason to keep the files apart.

- Mark SOCI overlap only when the affected entity or asset analysis shows a responsible entity for a Part 2B critical infrastructure asset.
- Mark APRA overlap only when the incident involves an APRA-regulated entity subject to CPS 234; keep APRA notification evidence separate from the Cyber Security Act ransomware payment report.
- Do not use a smart-device statement file as evidence for ransomware reporting unless it actually proves a required ransomware report fact.

Sources for this answer:

- [Cyber Security (Ransomware Payment Reporting) Rules 2025](https://www.legislation.gov.au/F2025L00278/asmade/text?ref=sorena.io) - Supports the turnover threshold used in the reporting-business-entity test; the SOCI responsible-entity limb that sets the overlap boundary sits in the Act's definition of reporting business entity.
- [Security of Critical Infrastructure Act 2018](https://www.legislation.gov.au/Details/C2018A00029?ref=sorena.io) - Supports the SOCI responsible-entity terminology used for critical-infrastructure overlap checks.
- [APRA Prudential Standard CPS 234 Information Security](https://www.legislation.gov.au/Details/F2018L01745?ref=sorena.io) - Supports APRA overlap only for APRA-regulated entities with CPS 234 incident or control-weakness notification duties.

## Primary sources

- [Cyber Security Act 2024](https://www.legislation.gov.au/C2024A00098/asmade/2024-11-29/text?ref=sorena.io) - Primary Act source for ransomware payment report timing, report categories, and use/disclosure limits.
  - Quote: "within 72 hours of making the ransomware payment"
- [Cyber Security (Security Standards for Smart Devices) Rules 2025](https://www.legislation.gov.au/F2025L00276/asmade/text?ref=sorena.io) - Rules source for smart-device statement-of-compliance content and five-year retention.
  - Quote: "Retention period for statement of compliance"
- [Cyber Security (Ransomware Payment Reporting) Rules 2025](https://www.legislation.gov.au/F2025L00278/asmade/text?ref=sorena.io) - Rules source for the ransomware reporting threshold, reporting-business-entity paths, and required report details.
  - Quote: "Requirements for information that ransomware payment report must contain"
- [Security of Critical Infrastructure Act 2018](https://www.legislation.gov.au/Details/C2018A00029?ref=sorena.io) - SOCI source used only for responsible-entity and critical-infrastructure overlap records.
  - Quote: "Meaning of responsible entity"
- [APRA Prudential Standard CPS 234 Information Security](https://www.legislation.gov.au/Details/F2018L01745?ref=sorena.io) - APRA source used only for APRA-regulated entity overlap involving CPS 234 incident or control-weakness notification records.
  - Quote: "notify APRA as soon as possible"

## Topic Guides

- [Australia Cyber Security Act 2024 scope and definitions](/artifacts/apac/australia-cyber-security-act/scope-and-definitions.md): Grounded scope guide for Australia's Cyber Security Act 2024: relevant connectable products, consumer-grade smart devices, reporting business entities, ransomware payment reports, and SOCI overlap.
- [Australia Cyber Security Act and SOCI Act overlap](/artifacts/apac/australia-cyber-security-act/security-of-critical-infrastructure-act-overlap.md): How the Australia Cyber Security Act overlaps with the Security of Critical Infrastructure Act for responsible entities, ransomware payment reporting, smart devices, and evidence records.
- [Australia Cyber Security Act Applicability Test](/artifacts/apac/australia-cyber-security-act/applicability-test.md): Decide whether the Australia Cyber Security Act 2024 applies to a smart-device product, supplier, manufacturer, or ransomware payment reporting scenario.
- [Australia Cyber Security Act Compliance Checklist](/artifacts/apac/australia-cyber-security-act/checklist.md): Concrete checklist items for Australian Cyber Security Act smart-device and ransomware duties, with SOCI and APRA CPS 234 evidence checks.
- [Australia Cyber Security Act Compliance Guide](/artifacts/apac/australia-cyber-security-act/compliance.md): A source-linked compliance guide for Australia Cyber Security Act smart-device statements, ransomware payment reporting, incident coordination, and review-board readiness.
- [Australia Cyber Security Act Deadlines and Compliance Calendar](/artifacts/apac/australia-cyber-security-act/deadlines-and-compliance-calendar.md): Calendar of grounded Australia Cyber Security Act milestones for ransomware reporting, smart-device security standards, statements of compliance, and statutory review.
- [Australia Cyber Security Act FAQ](/artifacts/apac/australia-cyber-security-act/faq.md): Answers to Australia Cyber Security Act questions on smart device scope, statements of compliance, ransomware reports, enforcement notices, and incident review.
- [Australia Cyber Security Act penalties and fines](/artifacts/apac/australia-cyber-security-act/penalties-and-fines.md): Grounded guide to Australia Cyber Security Act civil penalties, smart-device enforcement notices, ransomware reporting exposure, Board notice failures, and evidence records.
- [Australia Cyber Security Act Requirements](/artifacts/apac/australia-cyber-security-act/requirements.md): Australia Cyber Security Act requirements for smart-device security standards, statements of compliance, ransomware payment reports, notices, and evidence records.
- [Australia Cyber Security Act Statement of Compliance Evidence](/artifacts/apac/australia-cyber-security-act/statement-of-compliance-evidence.md): Evidence guide for Australia Cyber Security Act smart-device statements of compliance: required fields, manufacturer and supplier records, five-year retention, and examination readiness.
- [Australia Cyber Security Act templates](/artifacts/apac/australia-cyber-security-act/templates.md): Grounded template fields for Australia Cyber Security Act smart-device scope, statements of compliance, ransomware reports, notices, SOCI overlap, and records.
- [Australia Cyber Security Act Timeline And Commencement Guide](/artifacts/apac/australia-cyber-security-act/timeline-and-commencement.md): Australia Cyber Security Act guidance for Timeline And Commencement, with practical decisions, evidence, edge cases, and external source citations.
- [Australia Cyber Security Act vs EU Cyber Resilience Act](/artifacts/apac/australia-cyber-security-act/australia-cyber-security-act-vs-eu-cyber-resilience-act.md): Compare Australia's Cyber Security Act 2024 with the EU Cyber Resilience Act across smart-device duties, ransomware reporting, product-with-digital-elements scope, actors, records, and enforcement routes.
- [Australia Cyber Security Act vs UK PSTI Act Guide](/artifacts/apac/australia-cyber-security-act/australia-cyber-security-act-vs-uk-psti-act.md): Compare Australia's Cyber Security Act 2024 smart-device, ransomware, and SOCI-adjacent obligations with the UK's PSTI connected-product regime.
- [Australia ransomware payment reporting 72-hour duty](/artifacts/apac/australia-cyber-security-act/ransomware-payment-reporting-72-hours.md): Explain when Australia's Cyber Security Act 2024 requires a ransomware payment report, when the 72-hour clock starts, and what information the report must contain.
- [Australia Smart Device Security Standards under the Cyber Security Act](/artifacts/apac/australia-cyber-security-act/smart-device-security-standards.md): Plain-English guide to Australia's Cyber Security (Security Standards for Smart Devices) Rules 2025: scope, passwords, vulnerability reporting, support periods, statements of compliance, and evidence records.
- [Australia Smart Device Statement of Compliance Evidence Workflow](/artifacts/apac/australia-cyber-security-act/statement-of-compliance-evidence-workflow.md): Evidence workflow for preparing, supplying, and retaining statements of compliance under Australia's Cyber Security Act 2024 and Smart Devices Rules.
- [CSA 2024 Ransomware Payment Reporting Workflow](/artifacts/apac/australia-cyber-security-act/ransomware-payment-reporting-workflow.md): Operational workflow for Australia Cyber Security Act 2024 ransomware payment reports: scope, 72-hour trigger, report fields, owners, evidence, and cited Act and Rules sources.
- [CSA 2024 Ransomware Threshold & Report FAQ](/artifacts/apac/australia-cyber-security-act/faq/ransomware-payment-threshold-and-report-content.md): FAQ answer on Australia's Cyber Security Act ransomware payment reporting scope, $3 million turnover threshold, 72-hour trigger, report fields, and evidence.
- [CSA 2024 Smart Device Applicability Test](/artifacts/apac/australia-cyber-security-act/smart-device-applicability-and-product-scope.md): Check whether a smart device is a consumer-grade relevant connectable product under Australia's Cyber Security Act and Smart Devices Rules.
- [CSA 2024 Smart Device Statement of Compliance](/artifacts/apac/australia-cyber-security-act/statement-of-compliance-and-recordkeeping.md): What a smart-device statement of compliance must contain under Australia's Cyber Security Act 2024 and Smart Device Rules, who prepares and supplies it, how long to retain it, and how to prepare for examination.
- [Cyber Security Act 2024 Smart Device Compliance Checklist](/artifacts/apac/australia-cyber-security-act/smart-device-compliance-checklist.md): Checklist for Australia Cyber Security Act 2024 smart-device scope, password controls, vulnerability reporting, security-update support periods, statements of compliance, retention, and evidence.
- [Cyber Security Act 2024 Statements of Compliance FAQ](/artifacts/apac/australia-cyber-security-act/faq/statements-of-compliance.md): FAQ answer on Australian Cyber Security Act 2024 statements of compliance for smart devices, including scope, actors, required contents, retention, evidence, and citations.
- [Cyber Security Act vs EU CRA: scope and obligations comparison](/artifacts/apac/australia-cyber-security-act/cyber-security-act-vs-eu-cyber-resilience-act.md): Compare Australia's Cyber Security Act 2024 with the EU Cyber Resilience Act across smart-device duties, ransomware reporting, product-with-digital-elements scope, actors, records, and enforcement routes.
- [Cyber Security Act vs UK PSTI Act: device security obligations compared](/artifacts/apac/australia-cyber-security-act/cyber-security-act-vs-uk-psti-act.md): Compare Australia's Cyber Security Act 2024 smart-device, ransomware, and SOCI-adjacent obligations with the UK's PSTI connected-product regime.
- [How do notices and recalls work under the Australia Cyber Security Act?](/artifacts/apac/australia-cyber-security-act/faq/notices-and-recalls.md): FAQ on Australia Cyber Security Act compliance notices, stop notices, recall notices, public notifications, owners, evidence fields, and grounded timing.
- [How does the Australia Cyber Security Act overlap with the SOCI Act?](/artifacts/apac/australia-cyber-security-act/faq/security-of-critical-infrastructure-act-overlap.md): FAQ on when Australia Cyber Security Act ransomware reporting overlaps with SOCI critical infrastructure assets, responsible entities, and smart-device duties.
- [Manufacturer, Importer, and Supplier Duties under Australia's Cyber Security Act 2024](/artifacts/apac/australia-cyber-security-act/faq/manufacturer-and-importer-obligations.md): Direct FAQ answer on Cyber Security Act 2024 smart-device duties for manufacturers, importers, and suppliers, including scope, statement records, exceptions, and citations.
- [Smart Device Applicability: CSA 2024](/artifacts/apac/australia-cyber-security-act/smart-device-applicability-workflow.md): A source-linked workflow for deciding whether a connected product is covered by Australia's Cyber Security Act 2024 smart-device standard and what evidence to keep.
- [SOCI overlap triage workflow for Australia Cyber Security Act](/artifacts/apac/australia-cyber-security-act/soci-overlap-triage-workflow.md): Triage SOCI Act overlap with Australia Cyber Security Act ransomware reporting and smart-device standards using separate owners, evidence, and source-linked scope checks.
- [Which smart devices are in scope under Australia's Cyber Security Act 2024?](/artifacts/apac/australia-cyber-security-act/faq/smart-device-scope.md): FAQ on Cyber Security Act 2024 smart-device scope: relevant connectable products, consumer-grade criteria, exclusions, Australian consumer acquisition, and records to keep.

(c) 2026 Sorena AB (559573-7338). All rights reserved.

Source: https://www.sorena.io/artifacts/apac/australia-cyber-security-act/faq/recordkeeping
