Compliance · APRA CPS 234
CPS 234 compliance, without the scramble.
CPS 234 is APRA's information security standard, and it applies with equal force to the smallest regulated entity and the service providers holding their data. Here is what it requires, and how to close the gap with evidence rather than assurances.
IronSights runs CPS 234 gap assessments, independent control testing, and the ongoing monitoring that turns the 72-hour notification clock from a threat into a procedure.
Who it applies to
Wider than most businesses assume.
APRA-regulated entities
Banks and ADIs, general, life, and private health insurers, and RSE licensees (superannuation trustees), of every size, not just the majors.
Smaller regulated entities
CPS 234 has no small-entity carve-out. A boutique insurer or small super trustee carries the same obligations as a big four bank, with a fraction of the security headcount.
Service providers to regulated entities
If a regulated entity's information assets sit with you (as their administrator, software provider, adviser network, or outsourced back office), their CPS 234 obligations reach into your environment through contract and assurance requests.
The obligations
What CPS 234 requires.
Eight obligations, from board accountability through to the 72-hour incident notification. For the full plain-English walkthrough, read our CPS 234 explainer.
Board accountability
The board is ultimately responsible for information security. 'IT handles that' is not an acceptable answer to APRA.
Security capability
Your security capability must match the size and extent of the threats to your information assets, and keep pace as they change.
Policy framework
A maintained information security policy framework, proportionate to your exposures, covering staff and third parties.
Asset classification
Information assets identified and classified by criticality and sensitivity, including the ones your vendors hold.
Controls implementation
Controls in place to protect assets, commensurate with the threats, tested through their lifecycle.
Systematic testing
Controls tested on a systematic schedule by functionally independent, appropriately skilled testers.
Internal audit
Internal audit must review the design and operating effectiveness of controls, including those run by third parties.
Incident notification
Material incidents notified to APRA within 72 hours. Material control weaknesses within 10 business days.
How we help
From gap assessment to standing evidence.
Built for the smaller regulated entities and service providers that carry big-bank obligations without big-bank security teams.
CPS 234 gap assessment
Every obligation in the standard mapped against your current state, with a prioritised remediation plan the board can read.
Control testing
The systematic, independent testing the standard requires: penetration testing and control validation, mapped back to CPS 234 clauses.
Incident readiness
A response plan that meets the 72-hour notification clock, tested before you need it. Incident response support when something happens.
Ongoing assurance
Managed security with monthly board-ready reporting, so the evidence APRA and your auditors ask for already exists.
Common questions
CPS 234, in plain terms.
Working through an APRA request or a client questionnaire right now? Talk to us — we've answered most of them before.
What is CPS 234?
CPS 234 Information Security is a prudential standard issued by the Australian Prudential Regulation Authority (APRA), in force since 1 July 2019. It requires APRA-regulated entities to maintain an information security capability commensurate with their threats, classify their information assets, implement and systematically test controls, and notify APRA of material incidents within 72 hours.
Who does CPS 234 apply to?
All APRA-regulated entities: authorised deposit-taking institutions, general insurers, life insurers, private health insurers, and RSE licensees in superannuation. There is no exemption for smaller entities. Its reach also extends practically to third parties that manage information assets on a regulated entity's behalf, because the entity must assess and rely on those parties' controls.
We're a service provider to a bank or super fund, not APRA-regulated. Does CPS 234 affect us?
Yes, contractually. Regulated entities must evaluate the information security of parties that hold their assets, so their obligations arrive in your inbox as security questionnaires, audit clauses, control attestations, and incident notification requirements. Being able to demonstrate tested controls is increasingly the price of keeping those contracts.
What has to be reported to APRA, and how fast?
Two things. Material information security incidents must be notified within 72 hours of becoming aware, including incidents at your third parties. Material control weaknesses that cannot be remediated in a timely way must be notified within 10 business days of identification. Both timeframes assume you have the detection capability to know in the first place.
How does CPS 230 relate to CPS 234?
CPS 230 Operational Risk Management commenced on 1 July 2025 and sits alongside CPS 234. CPS 230 governs operational resilience and service provider management broadly; CPS 234 remains the specific information security standard. In practice the two overlap heavily on third-party risk, and uplift work should satisfy both rather than treating them as separate projects.
What does a CPS 234 gap assessment involve?
We map every obligation in the standard — governance, capability, policy, classification, controls, testing, audit, and notification — against your current state, with evidence. You get a board-ready report showing where you stand, what needs to change, and in what order. For most smaller regulated entities it takes two to four weeks.
First step
Know where you stand before APRA asks.
A CPS 234 gap assessment in two to four weeks: every obligation mapped, evidence gathered, and a board-ready remediation plan.
