Data Centres &
Digital Infrastructure
Physical security advisory for data centre delivery: threat-based design review, SOCI-aligned risk assessment, and requirements assurance that stands up to tenant scrutiny, delivered across Australia and Asia-Pacific.
Where security meets uptime
Data centre security is pulled in three directions at once: SOCI obligations that make physical security a board-level compliance matter, hyperscale tenant requirements that arrive as non-negotiable specifications, and a delivery programme that cannot absorb late redesign.
- The common failure mode is overbuild: layering every requirement from every source without a threat basis, then paying for protection the risk assessment never justified. Each measure that cannot be traced to a risk is cost without a defence.
- SOCI and the CIRMP rules require documented management of physical security hazards. A generic checklist satisfies nobody; a threat-based risk position gives your compliance team something they can defend to the regulator and the board.
- Tenant security specifications set the floor, not the design. Meeting them efficiently, and justifying anything above them, requires a documented threat basis specific to the site and jurisdiction.
- Delivery moves fast. Security review that arrives after design freeze either delays the programme or gets waived. Both outcomes end up in the risk register.
How we work on data centre projects
-
Threat and risk basis specific to the site
HB167-aligned assessment covering the threat actors relevant to digital infrastructure — activism and protest, insider-enabled access, vehicle-borne threats, surveillance and reconnaissance — calibrated to site and jurisdiction. Every protective measure gets a documented justification; requirements that trace to no risk are flagged as candidates for removal. Security risk & threat analysis →
-
Independent design review
Peer review of protective security design against tenant requirements, SOCI CIRMP obligations, and the project's own risk position. Findings graded by materiality, not volume — the design team gets a short list of what matters, with the reasoning behind each finding. Protective design →
-
Requirements assurance through delivery
Individually tracked security requirements with designer responses and verification methods, so compliance is demonstrable at every design gate and at handover. The same traceability structure we run on transport and defence-adjacent projects, applied to data centre delivery. Systems & assurance →
-
Delivery across Asia-Pacific
Current advisory includes hyperscale campuses in Australia and Southeast Asia, working with owners' engineers and specialist assurance partners. Engagement details are held under confidentiality; references are available on request for qualified enquiries.
Frequently asked questions
Does the SOCI Act apply to data centres?
Yes. Data storage and processing is a designated critical infrastructure sector under the Security of Critical Infrastructure Act, and the CIRMP rules require documented management of physical and natural hazards. We translate that obligation into a threat-based risk position rather than a generic checklist, so the measures you fund are the measures the risk assessment justifies.
What does a physical security peer review of a data centre cover?
Threat basis, zoning and access strategy, perimeter and vehicle mitigation treatment, security systems architecture, and whether each measure traces to a requirement. The output is a graded findings register the design team can action, not a rewrite of the design.
Can you work within hyperscale tenant security requirements?
Yes. Tenant specifications set the floor. Our role is making sure the design meets them efficiently, and that anything above the floor has a risk-based justification your project can defend at investment review.
Do you work on data centres outside Australia?
Yes. Current data centre advisory spans Australia and Southeast Asia, delivered remotely and on site with the project's engineering and assurance teams.
Need security advisory for a data centre project?
Whether you're scoping a CIRMP, reviewing a protective design, or standing up requirements assurance for delivery, start with a 30-minute conversation.