Is your business required to adhere to APRA CPS 234?

Australian Prudential Regulation Authority (APRA)

APRA Prudential Standard CPS 234

The Australian Prudential Regulation Authority (APRA) developed the CPS 234 information security standard in response to the ever-increasing threat of cyber attack for the institutions for which it provides prudential standards.

We audit against APRA information security standards


The standard applies to any of the industries APRA regulates, being:

It is also important to note that any third party that manages data assets that are the property of, and/or associated with, these entities is also bound by the standard. Furthermore, any foreign ADIs and life and general insurers that have Australian branches must also adhere to the standard for their Australian operations.



We spend the time to learn about your business and your information security. Together we create a complete picture about you and the risks to your business.


With the information we have gathered from you and your information security controls we educate you on the risks we have identified and the steps required to resolve them.


From the recommendations in our audit report we work with your risk and compliance teams to deploy processes, training and systems as required.


We make sure that the work completed in the remediation has resolved any issues and we ensure that no new critical issues have arisen.

APRA Security Requirements

The standard clearly sets out information security requirements organisations must comply with in order to adhere to that standard. These requirements include:

The Responsibility of the Board

Boards need to understand their responsibilities when it comes to managing information security risks.

Information Security Capability

APRA-regulated entities are required to assess their security capability and that of third parties.

Policy Framework

Information security policy frameworks must be in place that are sufficient for the entity's vulnerability and threat exposures.

Information Asset Identification and Classification

Information assets must be classified by criticality and sensitivity, including those managed by third parties.

Implementation of Security Controls

APRA-regulated entities are required to maintain information security controls sufficient for their size, vulnerability and threat exposure.

Incident Management

Robust mechanisms must be in place to detect and respond to information security incidents, with plans for all plausible occurrences.

Testing Control Effectiveness

Systematic testing programs must be in place to regularly test the effectiveness of information security controls.


Clear roles and responsibilities, with lines of communication, must be established, along with notification requirements in the event of an incident or a control deficiency.


APRA Annual External Testing

All of these items should also carry with them, at a minimum, annual external testing to ensure the various assets, controls and security levels are being achieved and are effective to the identified level of adequacy for the threat posed and the data/information stored. This should form part of the organisation's standard risk and assurance process and ensure vulnerabilities and threats are appropriately identified and managed across an information asset's lifecycle. The standard also makes the Board and Executive Leadership Team (ELT) the custodians of information security, so reporting should be carried out at the correct level to ensure compliance.

Cecuri APRA Audit Process

The Cecuri team have developed an audit process and framework that allows any regulated entity to assess its current level of compliance with the standard, map out strengths and weaknesses, and begin the task of constructing its own security framework that meets and exceeds the CPS 234 regulation. Our reporting structure covers both the Board reporting requirement, in a format that will be familiar to any executive who deals with risk and assurance, and detailed information for the security/technical team that will ultimately be tasked with ensuring the controls are configured and applied.

Depending on the organisation's current security maturity as it relates to the CPS 234 standard, our engagements can be tailored to ensure the correct outcome is achieved and/or to prepare an organisation for external audit and certification if required.


Security Solutions

Perfect for Small Businesses

Notifiable Data Breach Audit

Best for Medium Organisations

Cyber Health Assessment

Designed for Large Enterprises

Cyber Risk Audit
