Cyber Security Incident Response Plan and Exercise Framework

⁠⁠⁠1. Icon Water is considered a critical water asset for the purposes of the SOCI Act. Furthermore, as a water utility that holds licences to provide water and wastewater services, Icon Water is considered the ‘responsible entity’ for the critical water asset.

2. Key to this responsibility are the development and maintenance of:

• A risk management program,
• A cyber-security incident response plan, and
• A cyber-security incident response exercise program.

3. This procurement will bring in the required external expertise to develop and implement items 2 and 3 above. (Delivery of item 1 above is already in progress)

4. The requirement for this procurement is to provide Icon Water with:

• An updated Cyber-Security Incident Response Plan (CSIRP) tailored to Icon Water's current needs and obligations. The CSIRP will assume Icon Water is, or will be, complying with a direction from the Department of Home Affairs to adopt and maintain a cyber-security incident response plan and hence will be suitable for SOCI System of National Significance (SoNS) Enhanced Cyber-Security Obligations (ECSO) compliance and incident reporting purposes. The CSIRP will update, extend and enhance Icon Water's existing incident response plans and playbook; it will align with ACSC incident response planning guidance and with wider enterprise incident management system, that uses AIIMS.
• A robust cyber security incident response exercise program that will document the structure, participation requirements, exercise schedule, and incident scenario designs required to establish an effective regime of incident response exercises. This program will prepare the incident response team to respond in accordance with the CSIRP, as well as providing continuous improvement feedback on the CSIRP, incident response playbooks, and the incident response capability. (Note that some exercises under the program may include the participation of the Deloitte incident response team, procured separately under IW2023-10904.) Any contract or deed (as applicable) entered into as a result of this RFQ will be based on the Draft Conditions of Agreement set out in Part D of this RFQ. However, Icon Water may vary the terms and conditions (see clause 20).