--- title: "SOCI overlap triage workflow for Australia Cyber Security Act" canonical_url: "https://www.sorena.io/artifacts/apac/australia-cyber-security-act/soci-overlap-triage-workflow" source_url: "https://www.sorena.io/artifacts/apac/australia-cyber-security-act/soci-overlap-triage-workflow" author: "Sorena AI" description: "Triage SOCI Act overlap with Australia Cyber Security Act ransomware reporting and smart-device standards using separate owners, evidence, and source-linked scope checks." published_at: "2026-05-09" updated_at: "2026-05-09" keywords: - "SOCI overlap triage" - "Security of Critical Infrastructure Act 2018" - "Cyber Security Act 2024" - "Part 2B mandatory cyber incident reporting" - "ransomware payment reporting" - "smart device security standards Australia" - "SOCI Act" - "Australia cyber security compliance" --- **[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform [Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io) --- # SOCI overlap triage workflow for Australia Cyber Security Act Triage SOCI Act overlap with Australia Cyber Security Act ransomware reporting and smart-device standards using separate owners, evidence, and source-linked scope checks. *Artifact Guide* *Australia* *SOCI Overlap Triage Workflow* ## SOCI overlap triage for the Cyber Security Act Use this workflow when one Australian cyber issue may touch the Security of Critical Infrastructure Act 2018, the Cyber Security Act 2024 ransomware-payment rules, or the smart-device security standards. The point is separation: identify the responsible entity and critical-infrastructure asset first, then decide whether Part 2B incident reporting, Part 2A risk-management evidence, Part 3 ransomware reporting, or smart-device compliance needs its own owner and record. SOCI overlap triage starts by asking which legal stream the fact pattern actually belongs to. A responsible entity for a critical infrastructure asset may have SOCI register, risk-management-program, and Part 2B cyber incident work. The same incident can also trigger Cyber Security Act ransomware payment reporting if a reporting business entity makes, or becomes aware of, a ransomware payment. A consumer smart device raises a separate product-security question unless the device or service is also part of a critical-infrastructure asset. ## Separate SOCI, ransomware, and smart-device streams Open the triage record with three yes-or-no lanes instead of one generic cyber checklist. Lane one is SOCI: is there a critical infrastructure asset, a responsible entity, and a Part 2, Part 2A, or Part 2B obligation? Lane two is Cyber Security Act Part 3: did a reporting business entity make, or become aware that another entity made on its behalf, a ransomware payment after a cyber security incident? Lane three is smart-device compliance: is the product a consumer grade relevant connectable product acquired in Australia by a consumer? Do not merge the evidence packs. SOCI incident reporting, ransomware payment reporting, and smart-device statements of compliance answer different questions and may be handled by different owners even when the same event or product family triggered the review. - SOCI lane: record the asset name, asset class, responsible entity, operational owner, and whether the question concerns the Register of Critical Infrastructure Assets, the critical infrastructure risk management program, or Part 2B mandatory cyber incident reporting. - Ransomware lane: record the cyber security incident, impacted reporting business entity, demand, payment or benefit, payment maker, awareness time, and whether the $3 million turnover threshold or responsible-entity limb is the basis for scope. - Smart-device lane: record the product type, manufacturer, supplier, consumer-acquisition basis, exemption check, statement of compliance, password design evidence, vulnerability-reporting contact, and defined support period. - Overlap result: assign each lane a separate owner, source citation, evidence location, reviewer, and status so a product-security record is not mistaken for a SOCI asset record or ransomware payment report. Sources for this answer: - [Security of Critical Infrastructure Act 2018](https://www.legislation.gov.au/Details/C2018A00029?ref=sorena.io) - Supports the SOCI triage lanes for critical infrastructure asset, responsible entity, Part 2 register, Part 2A risk-management-program, and Part 2B incident-reporting questions. - [Cyber Security Act 2024](https://www.legislation.gov.au/C2024A00098/latest/text?ref=sorena.io) - Supports keeping Cyber Security Act ransomware payment reports separate from SOCI Part 2B and other incident information requirements. - [Cyber Security (Security Standards for Smart Devices) Rules 2025](https://www.legislation.gov.au/F2025L00276/latest/text?ref=sorena.io) - Supports the separate smart-device lane for consumer grade relevant connectable products and statements of compliance. *Recommended next step* *Placement: after the triage workflow* ## Turn SOCI overlap triage into assigned evidence work Use this workflow to separate SOCI responsible-entity records, ransomware payment reports, smart-device statements of compliance, and review tasks inside Sorena. - [Open Assessment Autopilot for SOCI overlap triage](/solutions/assessment.md): Turn the SOCI, ransomware, and smart-device lanes into scoped questions, owners, and evidence requests. - [Review Australia cyber source evidence](/solutions/research-copilot.md): Use Research Copilot to answer follow-up questions with cited SOCI and Cyber Security Act source material. - [Talk through SOCI overlap implementation](/contact.md): Review asset scope, payment-reporting facts, smart-device evidence, and next compliance actions with Sorena. ## Responsible-entity and critical-infrastructure asset check The SOCI branch should not start with a generic organisation name. Start with the asset and the person or organisation that owns or operates it. Home Affairs guidance describes a responsible entity as the individual or organisation that owns or operates a critical infrastructure asset, while the SOCI Act table of contents locates the detailed responsible-entity definition in section 12L and the critical-infrastructure asset definitions across the asset-class provisions. Once the asset and responsible entity are identified, check which SOCI obligation is in play. Part 2 concerns the Register of Critical Infrastructure Assets. Part 2A concerns the critical infrastructure risk management program. Part 2B concerns mandatory cyber incident reporting. The Application Rules are the source to check whether Part 2 or Part 2B applies to the relevant asset class. - Evidence to request: asset-class analysis, responsible-entity rationale, corporate ownership or operating-control evidence, service or system architecture, third-party data storage or processing dependency, and any prior SOCI register submission or update record. - Part 2 outcome: if the issue concerns register information or notifiable events, route it to the owner who maintains operational and ownership information for the Register of Critical Infrastructure Assets. - Part 2A outcome: if the issue concerns ongoing resilience, route it to the critical infrastructure risk management program owner and link the hazard, material-risk assessment, selected controls, and annual-report evidence. - Part 2B outcome: if the issue is a cyber incident affecting the asset, route it to the incident-reporting owner and keep the Part 2B report record separate from any ransomware payment report under the Cyber Security Act 2024. Sources for this answer: - [Security of Critical Infrastructure Act 2018](https://www.legislation.gov.au/Details/C2018A00029?ref=sorena.io) - Supports the SOCI asset and responsible-entity triage fields and the distinction between Part 2, Part 2A, and Part 2B obligations. - [Security of Critical Infrastructure (Application) Rules (LIN 22/026) 2022](https://www.legislation.gov.au/F2022L00562/2022-04-06/text/original/word?ref=sorena.io) - Supports checking the Application Rules for asset classes captured by SOCI Part 2 register and Part 2B mandatory cyber incident reporting duties. - [Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 materials](https://www.homeaffairs.gov.au/reports-and-publications/submissions-and-discussion-papers/slacip-bill-2022?ref=sorena.io) - Supports the responsible-entity risk-management-program branch and the hazard categories used when SOCI Part 2A is in scope. ## Part 2B and ransomware-payment triage A SOCI Part 2B cyber incident report and a Cyber Security Act ransomware payment report are not substitutes. Part 2B belongs to the SOCI critical-infrastructure stream. The Cyber Security Act Part 3 stream applies when the ransomware-payment conditions are met: a reporting business entity is impacted by a cyber security incident and provides, or becomes aware that another entity provided on its behalf, a payment or benefit to the extorting entity. The ransomware payment record must be built quickly around what the reporting business entity knows or can find out by reasonable search or enquiry within the 72-hour reporting period. Keep the payment facts, demand facts, communications, and incident facts in that record even if a SOCI incident record, privacy record, or APRA incident record also exists. - Scope gate: identify whether the entity is a responsible entity for a critical infrastructure asset to which SOCI Part 2B applies, or is carrying on business in Australia above the ransomware-reporting turnover threshold. - Trigger gate: confirm a cyber security incident, the direct or indirect impact on the reporting business entity, the demand by the extorting entity, and the payment or benefit directly related to that demand. - Report content: capture ABN and address where required, incident timing and awareness, infrastructure and customer impact, ransomware or malware variant, exploited vulnerabilities, demand quantum and method, payment quantum and method, and communications with the extorting entity. - Overlap Cyber Security Act section 44 says information provided under Part 4 does not affect other Commonwealth information requirements, so do not close the SOCI Part 2B question merely because a ransomware report or coordinator information-sharing record exists. Sources for this answer: - [Cyber Security Act 2024](https://www.legislation.gov.au/C2024A00098/latest/text?ref=sorena.io) - Supports the Part 3 ransomware-payment trigger, the 72-hour reporting period, and the interaction rule preserving other incident-information obligations. - [Cyber Security (Ransomware Payment Reporting) Rules 2025](https://www.legislation.gov.au/F2025L00278/latest/text?ref=sorena.io) - Supports the $3 million turnover threshold and report-content fields for ransomware payment reporting. - [Security of Critical Infrastructure (Application) Rules (LIN 22/026) 2022](https://www.legislation.gov.au/F2022L00562/2022-04-06/text/original/word?ref=sorena.io) - Supports checking whether SOCI Part 2B applies before relying on the responsible-entity limb of Cyber Security Act ransomware-reporting scope. ## Smart-device separation check The smart-device branch is product compliance, not critical-infrastructure asset classification. Use it for consumer grade relevant connectable products that can directly or indirectly connect to the internet and will be acquired in Australia by a consumer, subject to the product exclusions in the Rules. A smart product used inside a critical-infrastructure environment may create operational risk evidence for SOCI, but the statement-of-compliance and security-standard evidence remain product records. The Rules require a manufacturer-prepared statement of compliance for covered products and set product-security evidence around passwords, reporting security issues, and defined support periods for security updates. Suppliers have their own supply-side check because the Rules outline when non-compliant products must not be supplied and when products must be supplied with the statement of compliance. - Product scope evidence: product type, intended use, consumer-acquisition basis, direct or indirect internet connectivity, exemption analysis, manufacturer identity, supplier identity, and Australian supply channel. - Security-standard evidence: password design showing user-defined or unique-per-product passwords, published security-issue reporting contact and update process, and the defined support period for security updates. - Statement evidence: product type and batch identifier, manufacturer and authorised representative details, compliance declaration, defined support period, signatory, place and date of issue, and retention owner for the five-year statement period. - SOCI bridge: if the product is deployed in a critical-infrastructure asset, link the smart-device evidence into the SOCI material-risk or supplier-risk record without treating the product statement as proof that SOCI Part 2A or Part 2B is satisfied. Sources for this answer: - [Cyber Security (Security Standards for Smart Devices) Rules 2025](https://www.legislation.gov.au/F2025L00276/latest/text?ref=sorena.io) - Supports the covered product class, exclusions, manufacturer and supplier obligations, statement contents, five-year retention period, and product-security evidence fields. - [Cyber Security Act 2024](https://www.legislation.gov.au/C2024A00098/latest/text?ref=sorena.io) - Supports treating smart-device security standards as a Cyber Security Act Part 2 product-compliance stream rather than a SOCI asset-class decision. - [Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 materials](https://www.homeaffairs.gov.au/reports-and-publications/submissions-and-discussion-papers/slacip-bill-2022?ref=sorena.io) - Supports linking product or supplier risks into the SOCI risk-management program only when they affect a responsible entity's critical infrastructure asset. ## Evidence and owner matrix for the triage record A good SOCI overlap triage record should be useful after the incident or product release is over. It should show why a lane was opened or closed, who owned it, which official source supported the decision, what evidence was reviewed, and which record remains authoritative for later audit or regulator questions. Use a short matrix rather than a narrative memo. Each row should identify the lane, trigger fact, obligation checked, owner, evidence, source, decision, reviewer, and follow-up. Mark unknown facts as unknown and assign a collection owner instead of filling gaps with assumptions. - Legal or compliance owner: approves the SOCI asset, responsible-entity, Part 2, Part 2A, Part 2B, ransomware, and smart-device scope decisions against the cited sources. - Asset owner: confirms the critical-infrastructure asset, essential function, operational dependencies, third-party providers, and whether a hazard or incident has a relevant impact on the asset. - Security incident owner: maintains incident timing, impact, exploited vulnerabilities, malware or ransomware indicators, containment evidence, SOCI Part 2B report status, and other regulator-notification cross-references. - Product owner: maintains smart-device scope, manufacturer and supplier evidence, statement of compliance, password controls, vulnerability-reporting publication, and support-period publication. - Finance or procurement owner: confirms ransomware payment facts, payment maker, payment method, demand details, supplier role, and contracts that may affect evidence collection. Sources for this answer: - [Security of Critical Infrastructure Act 2018](https://www.legislation.gov.au/Details/C2018A00029?ref=sorena.io) - Supports keeping SOCI evidence tied to the relevant asset, responsible entity, register, risk-management-program, incident-reporting, and protected-information provisions. - [Cyber Security (Ransomware Payment Reporting) Rules 2025](https://www.legislation.gov.au/F2025L00278/latest/text?ref=sorena.io) - Supports collecting ransomware payment, demand, communications, incident impact, ABN, address, malware, vulnerability, and payment-method evidence in the payment-reporting lane. - [Cyber Security (Security Standards for Smart Devices) Rules 2025](https://www.legislation.gov.au/F2025L00276/latest/text?ref=sorena.io) - Supports assigning product-compliance evidence for covered smart devices to product and supply owners instead of SOCI incident owners. ## Primary sources - [Security of Critical Infrastructure Act 2018](https://www.legislation.gov.au/Details/C2018A00029?ref=sorena.io) - Primary SOCI source used for critical-infrastructure asset, responsible entity, Register of Critical Infrastructure Assets, Part 2A risk-management-program, Part 2B cyber incident, and protected-information structure. - Quote: "Part 2B--Notification of cyber security incidents" - [Security of Critical Infrastructure (Application) Rules (LIN 22/026) 2022](https://www.legislation.gov.au/F2022L00562/2022-04-06/text/original/word?ref=sorena.io) - Application Rules source used to support checking which asset classes are captured by SOCI Part 2 register and Part 2B mandatory cyber incident reporting obligations. - Quote: "Application of Part 2B of the Act" - [Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 materials](https://www.homeaffairs.gov.au/reports-and-publications/submissions-and-discussion-papers/slacip-bill-2022?ref=sorena.io) - Home Affairs source used for responsible-entity risk-management-program context and the cyber, supply-chain, physical, natural, and personnel hazard categories. - Quote: "cyber and information security hazards" - [Cyber Security Act 2024](https://www.legislation.gov.au/C2024A00098/latest/text?ref=sorena.io) - Primary Cyber Security Act source used for smart-device security standards, ransomware payment reporting, significant incident coordination, and interaction with other incident-information requirements. - Quote: "Ransomware reporting obligations" - [Cyber Security (Security Standards for Smart Devices) Rules 2025](https://www.legislation.gov.au/F2025L00276/latest/text?ref=sorena.io) - Smart-device Rules source used for covered consumer grade relevant connectable products, manufacturer and supplier duties, statement contents, password rules, vulnerability-reporting publication, support periods, and five-year statement retention. - Quote: "Security standards for consumer grade relevant connectable products" - [Cyber Security (Ransomware Payment Reporting) Rules 2025](https://www.legislation.gov.au/F2025L00278/latest/text?ref=sorena.io) - Ransomware Rules source used for the $3 million turnover threshold, reporting-business-entity scope, and required payment-report fields. - Quote: "within the 72 hour time period for giving the report" ## Related Topic Guides - [Australia Cyber Security Act 2024 scope and definitions](/artifacts/apac/australia-cyber-security-act/scope-and-definitions.md): Grounded scope guide for Australia's Cyber Security Act 2024: relevant connectable products, consumer-grade smart devices, reporting business entities, ransomware payment reports, and SOCI overlap. - [Australia Cyber Security Act and SOCI Act overlap](/artifacts/apac/australia-cyber-security-act/security-of-critical-infrastructure-act-overlap.md): How the Australia Cyber Security Act overlaps with the Security of Critical Infrastructure Act for responsible entities, ransomware payment reporting, smart devices, and evidence records. - [Australia Cyber Security Act Applicability Test](/artifacts/apac/australia-cyber-security-act/applicability-test.md): Decide whether the Australia Cyber Security Act 2024 applies to a smart-device product, supplier, manufacturer, or ransomware payment reporting scenario. - [Australia Cyber Security Act Compliance Checklist](/artifacts/apac/australia-cyber-security-act/checklist.md): Concrete checklist items for Australian Cyber Security Act smart-device and ransomware duties, with SOCI and APRA CPS 234 evidence checks. - [Australia Cyber Security Act Compliance Guide](/artifacts/apac/australia-cyber-security-act/compliance.md): A source-linked compliance guide for Australia Cyber Security Act smart-device statements, ransomware payment reporting, incident coordination, and review-board readiness. - [Australia Cyber Security Act Deadlines and Compliance Calendar](/artifacts/apac/australia-cyber-security-act/deadlines-and-compliance-calendar.md): Calendar of grounded Australia Cyber Security Act milestones for ransomware reporting, smart-device security standards, statements of compliance, and statutory review. - [Australia Cyber Security Act FAQ](/artifacts/apac/australia-cyber-security-act/faq.md): Answers to Australia Cyber Security Act questions on smart device scope, statements of compliance, ransomware reports, enforcement notices, and incident review. - [Australia Cyber Security Act penalties and fines](/artifacts/apac/australia-cyber-security-act/penalties-and-fines.md): Grounded guide to Australia Cyber Security Act civil penalties, smart-device enforcement notices, ransomware reporting exposure, Board notice failures, and evidence records. - [Australia Cyber Security Act recordkeeping FAQ](/artifacts/apac/australia-cyber-security-act/faq/recordkeeping.md): What records to keep for Cyber Security Act 2024 smart-device statements, ransomware payment reports, and supported SOCI or APRA overlap checks. - [Australia Cyber Security Act Requirements](/artifacts/apac/australia-cyber-security-act/requirements.md): Australia Cyber Security Act requirements for smart-device security standards, statements of compliance, ransomware payment reports, notices, and evidence records. - [Australia Cyber Security Act Statement of Compliance Evidence](/artifacts/apac/australia-cyber-security-act/statement-of-compliance-evidence.md): Evidence guide for Australia Cyber Security Act smart-device statements of compliance: required fields, manufacturer and supplier records, five-year retention, and examination readiness. - [Australia Cyber Security Act templates](/artifacts/apac/australia-cyber-security-act/templates.md): Grounded template fields for Australia Cyber Security Act smart-device scope, statements of compliance, ransomware reports, notices, SOCI overlap, and records. - [Australia Cyber Security Act Timeline And Commencement Guide](/artifacts/apac/australia-cyber-security-act/timeline-and-commencement.md): Australia Cyber Security Act guidance for Timeline And Commencement, with practical decisions, evidence, edge cases, and external source citations. - [Australia Cyber Security Act vs EU Cyber Resilience Act](/artifacts/apac/australia-cyber-security-act/australia-cyber-security-act-vs-eu-cyber-resilience-act.md): Compare Australia's Cyber Security Act 2024 with the EU Cyber Resilience Act across smart-device duties, ransomware reporting, product-with-digital-elements scope, actors, records, and enforcement routes. - [Australia Cyber Security Act vs UK PSTI Act Guide](/artifacts/apac/australia-cyber-security-act/australia-cyber-security-act-vs-uk-psti-act.md): Compare Australia's Cyber Security Act 2024 smart-device, ransomware, and SOCI-adjacent obligations with the UK's PSTI connected-product regime. - [Australia ransomware payment reporting 72-hour duty](/artifacts/apac/australia-cyber-security-act/ransomware-payment-reporting-72-hours.md): Explain when Australia's Cyber Security Act 2024 requires a ransomware payment report, when the 72-hour clock starts, and what information the report must contain. - [Australia Smart Device Security Standards under the Cyber Security Act](/artifacts/apac/australia-cyber-security-act/smart-device-security-standards.md): Plain-English guide to Australia's Cyber Security (Security Standards for Smart Devices) Rules 2025: scope, passwords, vulnerability reporting, support periods, statements of compliance, and evidence records. - [Australia Smart Device Statement of Compliance Evidence Workflow](/artifacts/apac/australia-cyber-security-act/statement-of-compliance-evidence-workflow.md): Evidence workflow for preparing, supplying, and retaining statements of compliance under Australia's Cyber Security Act 2024 and Smart Devices Rules. - [CSA 2024 Ransomware Payment Reporting Workflow](/artifacts/apac/australia-cyber-security-act/ransomware-payment-reporting-workflow.md): Operational workflow for Australia Cyber Security Act 2024 ransomware payment reports: scope, 72-hour trigger, report fields, owners, evidence, and cited Act and Rules sources. - [CSA 2024 Ransomware Threshold & Report FAQ](/artifacts/apac/australia-cyber-security-act/faq/ransomware-payment-threshold-and-report-content.md): FAQ answer on Australia's Cyber Security Act ransomware payment reporting scope, $3 million turnover threshold, 72-hour trigger, report fields, and evidence. - [CSA 2024 Smart Device Applicability Test](/artifacts/apac/australia-cyber-security-act/smart-device-applicability-and-product-scope.md): Check whether a smart device is a consumer-grade relevant connectable product under Australia's Cyber Security Act and Smart Devices Rules. - [CSA 2024 Smart Device Statement of Compliance](/artifacts/apac/australia-cyber-security-act/statement-of-compliance-and-recordkeeping.md): What a smart-device statement of compliance must contain under Australia's Cyber Security Act 2024 and Smart Device Rules, who prepares and supplies it, how long to retain it, and how to prepare for examination. - [Cyber Security Act 2024 Smart Device Compliance Checklist](/artifacts/apac/australia-cyber-security-act/smart-device-compliance-checklist.md): Checklist for Australia Cyber Security Act 2024 smart-device scope, password controls, vulnerability reporting, security-update support periods, statements of compliance, retention, and evidence. - [Cyber Security Act 2024 Statements of Compliance FAQ](/artifacts/apac/australia-cyber-security-act/faq/statements-of-compliance.md): FAQ answer on Australian Cyber Security Act 2024 statements of compliance for smart devices, including scope, actors, required contents, retention, evidence, and citations. - [Cyber Security Act vs EU CRA: scope and obligations comparison](/artifacts/apac/australia-cyber-security-act/cyber-security-act-vs-eu-cyber-resilience-act.md): Compare Australia's Cyber Security Act 2024 with the EU Cyber Resilience Act across smart-device duties, ransomware reporting, product-with-digital-elements scope, actors, records, and enforcement routes. - [Cyber Security Act vs UK PSTI Act: device security obligations compared](/artifacts/apac/australia-cyber-security-act/cyber-security-act-vs-uk-psti-act.md): Compare Australia's Cyber Security Act 2024 smart-device, ransomware, and SOCI-adjacent obligations with the UK's PSTI connected-product regime. - [How do notices and recalls work under the Australia Cyber Security Act?](/artifacts/apac/australia-cyber-security-act/faq/notices-and-recalls.md): FAQ on Australia Cyber Security Act compliance notices, stop notices, recall notices, public notifications, owners, evidence fields, and grounded timing. - [How does the Australia Cyber Security Act overlap with the SOCI Act?](/artifacts/apac/australia-cyber-security-act/faq/security-of-critical-infrastructure-act-overlap.md): FAQ on when Australia Cyber Security Act ransomware reporting overlaps with SOCI critical infrastructure assets, responsible entities, and smart-device duties. - [Manufacturer, Importer, and Supplier Duties under Australia's Cyber Security Act 2024](/artifacts/apac/australia-cyber-security-act/faq/manufacturer-and-importer-obligations.md): Direct FAQ answer on Cyber Security Act 2024 smart-device duties for manufacturers, importers, and suppliers, including scope, statement records, exceptions, and citations. - [Smart Device Applicability: CSA 2024](/artifacts/apac/australia-cyber-security-act/smart-device-applicability-workflow.md): A source-linked workflow for deciding whether a connected product is covered by Australia's Cyber Security Act 2024 smart-device standard and what evidence to keep. - [Which smart devices are in scope under Australia's Cyber Security Act 2024?](/artifacts/apac/australia-cyber-security-act/faq/smart-device-scope.md): FAQ on Cyber Security Act 2024 smart-device scope: relevant connectable products, consumer-grade criteria, exclusions, Australian consumer acquisition, and records to keep. --- [Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us) (c) 2026 Sorena AB (559573-7338). All rights reserved. Source: https://www.sorena.io/artifacts/apac/australia-cyber-security-act/soci-overlap-triage-workflow