Critical Infrastructure Risk Management Program (CIRMP)

About the Critical Infrastructure Risk Management Program (CIRMP)

Organisations with critical infrastructure are called responsible entities.

Since 2023, the following rules issued under the Security of Critical Infrastructure Act 2018 require that responsible entities for certain asset classes have a Critical Infrastructure Risk Management Program (CIRMP).

Security of Critical Infrastructure (Critical infrastructure risk management program) Rules (LIN 23/006) 2023(Opens in a new tab/window)
Security of Critical Infrastructure (Telecommunications Security and Risk Management Program) Rules 2025(Opens in a new tab/window).

Your CIRMP must document controls for a range of hazards. For more information, visit the Critical Infrastructure Security Centre website(Opens in a new tab/window).

Critical worker risk management

Your CIRMP must identify the roles that are filled by your critical workers. These are the people who are essential to the proper functioning of your asset. Critical workers could be:

employees
contractors
agents
anyone else who has:
- unescorted access to the critical components of the asset
- control of the critical components of the asset
- management responsibilities of the critical components of the asset.

Your CIRMP must detail how you will minimise or eliminate material risks from critical workers. For certain asset classes, you can choose to use AusCheck background checks as a control to manage personnel risk. If you do, your CIRMP must specify you will use AusCheck background checks. This authorises AusCheck to do applicant background checks.

If AusCheck is not used for background checking, your CIRMP still needs to document what controls you will use to manage personnel risk.

Critical infrastructure asset classes

The legislation only allows AusCheck to conduct background checks on critical workers for these critical infrastructure asset classes:

broadcasting
domain name systems
data storage or processing
electricity
energy market operator
gas
liquid fuels
payment systems
food and grocery
designated critical hospitals
designated critical freight infrastructure
critical freight services
critical telecommunications assets
water.

If you choose to use AusCheck background checks

There is some extra information to include in a CIRMP that uses AusCheck background checks for critical workers.

Include how your responsible entity will:

manage a critical worker with an Adverse Security Assessment (ASA) or Qualified Security Assessment (QSA) as a result of the national security assessment by the Australian Security Intelligence Organisation (ASIO)
process suitability assessments for the critical worker
manage critical workers with an unfavourable criminal history
determine whether you will request more details about an unfavourable criminal history
manage circumstances when a person no longer requires a background check.

The CIRMP also needs to list who will engage with AusCheck.

Determine whether AusCheck is right for your CIRMP

Responsible entities decide whether AusCheck background checks are right for their CIRMP.

Watch the following videos for information. You can also find out more about our background checks.

Video about AusCheck’s background checks

Watch this video for an introduction to our background checks.

As the threats and risks to Australia’s critical infrastructure evolve, so too must our approach to ensuring the ongoing security and resilience of our critical infrastructure assets.
To mitigate the risks of trusted and malicious insiders within our critical infrastructure, AusCheck, the background checking branch within Home Affairs may be a suitable option for your organisation to perform background checks on ‘critical workers’ as part of your organisation’s risk management plan (RMP).
To gain unsupervised access to secure areas of aviation, maritime, security sensitive biological agents or major national event facilities, AusCheck coordinates criminal and national security background checking and confirms an individual’s identity.
AusCheck has been in operation since 2007 through a network of highly trained individuals who conduct background checking and identity verification across Australia.
Background checks ensure that people working at critical infrastructure sites, are less likely to pose a national security risk and a risk to the organisation they work for.
Benefits of an AusCheck background check include:
- an established, standard process for all
- a unique assessment that considers national security
- assessments of criminal history based on national risk
- protection of applicants’ rights
- a cyber-secure and efficient process
AusCheck is the only background checking service provider that can provide responsible entities with an ASIO national security assessment as part of the check
What is included in a background check
- A criminal history assessment by AusCheck, using information provided by the Australian Criminal Intelligence Commission (ACIC)
- A national security assessment by the Australian Security Intelligence Organisation (ASIO)
- A ‘right to work in Australia’ check if the critical worker is an Australian visa holder. This check is conducted through the Department of Home Affairs’ Visa Entitlement Verification Online (VEVO) system.
On average AusCheck finalises 80% of background checks within 2 weeks of receiving the application.
Keep your organisation safe from threats and risks with AusCheck background checks. Follow on in part two, to understand the application process in more detail.

Video about applying for an AusCheck background check

Watch this video for information about how critical workers apply for a background check.

How will your critical workers apply?
Once you have decided as a responsible entity to use AusCheck for background checking, you need to complete your Critical Infrastructure Risk Management Program (CIRMP) and document how you will deal with an adverse security assessment (ASA) or qualified security assessment (QSA) for a national security assessment for a critical worker.
A responsible entity needs a completed CIRMP before using AusCheck background checking for critical workers. Within your organisation’s risk management program you must detail how you will deal with a qualified or adverse security assessment of a critical worker.
Dealing with a qualified or adverse security assessment
If your critical worker has an adverse or qualified security assessment, your CIRMP will need to outline how you intend to manage that risk, that is, if you will decide it is appropriate to grant the worker escorted access to the critical infrastructure asset, or if any decisions need to be made under relevant employment laws such as the Fairwork Act.
Examples include
- Reassignment of the worker to another area of the business.
- Restriction of access to key components of the asset, such as in full or on a limited/controlled basis (for example being escorted)
- Implementing dual authorisation requirements for the worker
- Implementing restricted duties for the worker
- And in some cases, termination of the worker’s employment where that worker’s employment agreement permits such an action.
Your critical workers will need to setup a myID, their digital identity if they do not already have one.
Once setup with a myID, they can access the AusCheck portal.
They will need originals of their identification documents, such as, a drivers licence, birth certificate or valid passport and Medicare card to provide with their application.
Identity verification
The critical worker will also need to present their original identification documents in person and have their photo taken to have their identity verified.
If a critical worker believes AusCheck has applied the law incorrectly in their decision making process, they can appeal the background check decision through the Administrative Appeals Tribunal (AAT).
AusCheck maintains a secure database of applications and has protections in place to safeguard the data of individuals even after the background check outcome is determined.
Find out more
For more information go to AusCheck.

Onboard your responsible entity with AusCheck

Before a responsible entity can start using AusCheck background checking services, they must onboard with AusCheck. This process sets up their business and systems. It can take up to 6 months to onboard with AusCheck. The following steps outline the process.

First, email us at AusCheck@homeaffairs.gov.au. Tell us details about your organisation and asset/s. We'll help you decide whether AusCheck background checks are right for your CIRMP.
If you decide to use AusCheck background checks, we'll ask you to:
- sign a Deed of Confidentiality
- tell us about applicant estimates and schedule.
You must also update your CIRMP to confirm you'll be using AusCheck to perform background checks. Outline how you will manage critical workers who have findings in their background check.
Once you've signed the Deed of Confidentiality, we'll send you guidance material about the background check process. This includes an onboarding pack you need to complete.
Complete and submit the AusCheck onboarding pack. Once processed, we'll send you a unique responsible entity code. You will use this code to link critical worker applicants with your organisation.
AusCheck will work with you to:
- register your organisation for the relevant AusCheck portal
- do critical infrastructure background checks for your verifiers
- train your verifiers in their role.
Learn more about the verifier role in a CIRMP.
Once you're onboarded with AusCheck, you can start asking your critical workers to apply for a background check.

Application process for a background check

The following steps outline the background check application process. Learn more about roles for CIRMP.

Once the critical worker has submitted their application, the responsible entity must do the following.
1. Sign in to the employer portal to confirm the critical worker’s AusCheck background check is permitted in their CIRMP.
2. Give a statement to AusCheck about how they will deal with an Adverse Security Assessment (ASA) or Qualified Security Assessment (QSA) in their CIRMP.
The responsible entity will tell the critical worker how to book an appointment with their verifier.
The verifier meets with the critical worker and reviews their identity documents. The verifier must:
- sight documents and record this in the verifier portal
- take a photo of the critical worker and upload it to the verifier portal.
If a person’s identity cannot be verified, the background check cannot be completed.
Once the verifier has confirmed identity, AusCheck will arrange for background checks by our partner agencies.
- A National Coordinated Criminal History Check, by the Australian Criminal Intelligence Commission (ACIC).
- A National Security Assessment by the Australian Security Intelligence Organisation (ASIO).
- If the applicant isn't an Australian citizen and has a visa, a check of their right to work in Australia through Visa Entitlement Verification Online (VEVO) by the Immigration Group in the Department of Home Affairs.
Learn more about our background checks.
AusCheck reviews the findings of our partner agency checks. Possible outcomes include:
- No Disclosable Outcomes – no issues were identified.
- Unfavourable Criminal History – the criminal history check found the applicant has a CIRMP security-relevant offence.
- Right to Work Check – the applicant either 'meets statutory criteria' or 'does not meet statutory criteria' to work in Australia.
- Adverse Security Assessment – the National Security Assessment returned information that led ASIO to recommend the applicant not be given access to the critical infrastructure asset.
- Qualified Security Assessment – the National Security Assessment returned some information, but not to a level that would lead ASIO to formally recommend the applicant not be given access to the critical infrastructure asset.
If no issues were identified, the AusCheck system will automatically approve the applicant.
If the applicant has an adverse finding, AusCheck will tell the applicant first. The applicant will have the opportunity to respond before AusCheck decides on a final outcome.
Once AusCheck decides on a final outcome, we will email it to the responsible entity and the critical worker. This is also known as a Critical Infrastructure Background Check Outcome (CIBCO).
The CIBCO is a digital record of the background check result. It includes:
- the critical worker’s name and photo
- the date of application for the background check
- whether the critical worker has an unfavourable criminal history
- whether the critical worker has an adverse security assessment or qualified security assessment
- whether the critical worker holds a visa entitling the individual to work in Australia, and if so, the class of visa held.
The Australian Government doesn't decide who can be employed to work at a critical infrastructure asset. The responsible entity will assess if it's suitable for the critical worker to have access to their critical asset. To help them decide, they'll use:
- the outcome of the background check
- their CIRMP.
All other sources of information, and how they may be used as part of the decision-making process, should also be documented in the CIRMP.
This is the end of the application process.

Critical infrastructure background checking process overview and responsibilities

The graphic below shows the critical infrastructure background checking process and responsibilities.

A process diagram showing six stages with illustrated people performing tasks under different roles. Responsible Enti, Applicant, Verifier, AusCheck, Organising Body and Applicant

Billing

AusCheck invoices responsible entities on the 1st of each month for the background check applications submitted. Learn about our fees for background checks.