SOCI, IEC 62443, NIST — What's the Difference and Which One Actually Applies to You?

The SOCI Brief

If you work in critical infrastructure security in Australia, you've almost certainly encountered all three. SOCI comes up in compliance conversations. IEC 62443 comes up when vendors or engineers talk about securing control systems. NIST comes up when the cyber team references US frameworks. And somewhere in the background, ISO 27001 gets mentioned too.

The natural question is: which of these do I actually need to worry about, and how do they relate to each other?

The short answer is that only one of them is a legal obligation in Australia. The others are standards and frameworks — useful, widely adopted, and in some cases very good tools — but voluntary. Understanding the difference between a law and a framework is the single most important distinction to get clear before any of the technical detail matters.


SOCI: The Law

The Security of Critical Infrastructure Act is Australian legislation. If your organisation operates a designated critical infrastructure asset in one of the eleven covered sectors, you are legally required to comply with it. There is no opting in or out. Compliance is mandatory, enforced by a regulator, and non-compliance carries civil penalties.

Everything in the SOCI framework — registering your assets, maintaining a CIRMP, reporting significant incidents within 12 hours — is a legal obligation, not a best-practice recommendation.

This is the starting point for any Australian critical infrastructure operator. Before asking whether IEC 62443 or NIST applies to you, the question is whether SOCI applies to you — and for most organisations operating at scale in covered sectors, it does.


NIST Cybersecurity Framework: The Widely-Adopted Voluntary Standard

The NIST Cybersecurity Framework — currently at version 2.0, released in 2024 — was developed by the US National Institute of Standards and Technology. It's not a US law, and it has no binding force in Australia. But it's been widely adopted globally as a structured way to think about and communicate cybersecurity risk management.

The framework organises cybersecurity activities around six functions: Govern, Identify, Protect, Detect, Respond, and Recover. These give organisations a common language for discussing where they are in their security maturity and what they need to work on.

The NIST CSF is primarily oriented toward information technology and enterprise cyber security. It's useful for any organisation wanting a structured framework for managing cyber risk, and it maps reasonably well to the cyber security requirements in a SOCI CIRMP. But it was built for a broad audience — not specifically for industrial environments or operational technology.

If your organisation uses NIST CSF as the underlying structure for your cyber security program, that's entirely compatible with meeting your SOCI obligations. NIST doesn't replace SOCI; it can inform how you build and document the cyber security component of your CIRMP.


IEC 62443: The OT-Specific Standard

IEC 62443 — developed through the International Electrotechnical Commission, originally based on ISA standards — is specifically designed for industrial automation and control systems security. Unlike NIST CSF, which was built for broad application, IEC 62443 was written for the world of PLCs, SCADA systems, distributed control systems, and the operational technology environments that critical infrastructure runs on.

It's a multi-part standard covering different aspects of OT security: security management systems, security programs for asset owners, requirements for system integrators who design and build control systems, and security requirements for the components themselves.

IEC 62443 introduces the concept of security levels — from SL 0 (no specific requirements) through to SL 4 (protection against state-sponsored attacks) — which gives operators a way to assess what level of protection is appropriate for different parts of their environment based on the risk they carry.

Like NIST CSF, IEC 62443 is a voluntary standard, not Australian law. But it's increasingly referenced in procurement requirements, vendor contracts, and industry expectations for OT environments — particularly in energy, resources, and manufacturing sectors.

For organisations managing complex OT environments, IEC 62443 is probably the most directly relevant international standard to your actual operational risk. It speaks the language of control systems engineering in a way that a general IT security framework doesn't.


ISO 27001: The Information Security Management Standard

ISO 27001 gets mentioned alongside these others because it's widely recognised and many organisations already hold a certification against it. It's an international standard for information security management systems — essentially a framework for how organisations govern and manage information security overall.

ISO 27001 is primarily an IT and information-focused standard. It's useful, and certification against it is a reasonable signal of information security maturity. But it wasn't designed for OT environments, and it doesn't map neatly to the specific requirements of critical infrastructure risk management.

Holding an ISO 27001 certification does not mean you've met your SOCI CIRMP obligations — the scope, approach, and requirements are different enough that the two shouldn't be conflated.


How They Actually Relate

Think of it this way:

SOCI tells you what you're legally required to do as an Australian critical infrastructure operator. It sets the obligation.

IEC 62443 and NIST CSF give you structured methodologies and best-practice frameworks for how to do it — particularly for the cyber security and OT security components of your risk management program.

ISO 27001 addresses your information security management more broadly — useful context, but not a substitute for either of the above in a critical infrastructure context.

None of these are mutually exclusive. An organisation that uses IEC 62443 as the framework for securing its OT environment, NIST CSF for its broader cyber program, and meets its SOCI CIRMP obligations is doing all three things simultaneously — and doing them well. The frameworks support each other rather than compete.


What This Means Practically

If you're an Australian critical infrastructure operator, your first compliance question is SOCI. That's the legal baseline.

Once you're meeting your SOCI obligations, IEC 62443 is worth understanding if you operate significant OT infrastructure — it's increasingly the language that OT security conversations happen in, and understanding it helps you evaluate vendors, assess your control system security posture, and communicate risk in terms engineers recognise.

NIST CSF is a useful common language for broader cyber security conversations — particularly if you're working with US partners, US vendors, or government agencies that reference it.

The frameworks exist to help you manage risk, not to compete for compliance budget. Understanding what each one is — and which ones are actually mandatory versus optional — is the foundation for using them productively rather than being overwhelmed by alphabet soup.


The SOCI Brief covers Australian critical infrastructure security weekly.