APRA CPS 234 Explained: Information Security Obligations
CPS 234 in practitioner terms: capability, classification, control-effectiveness testing, third-party assurance, notification clocks, and the CPS 230 interlock.
CPS 234 has been in force since 2019, yet it remains the standard APRA-regulated entities most consistently under-deliver against — not because its requirements are obscure, but because several of them are operationally demanding in ways that only show up under scrutiny. Here is what the standard actually asks, in practitioner terms.
Who it applies to, and who is accountable
CPS 234 applies to APRA-regulated entities — authorised deposit-taking institutions, insurers and RSE licensees — and it places accountability for information security squarely with the board. That framing shapes everything else: the obligations below are not IT deliverables; they are board assurance questions.
The core obligations
- Capability commensurate with threat. The entity must maintain information security capability proportionate to the size and extent of threats to its information assets. “Commensurate” is the operative word — capability is judged against your threat profile, not an absolute bar.
- Policy framework. A structured information security policy framework covering the security of information assets, aligned to the entity’s exposures.
- Identification and classification. Information assets identified and classified by criticality and sensitivity — including assets managed by related and third parties. You cannot protect, test or report on assets you have not enumerated.
- Controls, tested for effectiveness. Controls implemented to protect assets in accordance with their classification — and systematically tested for effectiveness, through a program whose nature and frequency reflect the rate of change in threats and vulnerabilities. Testing existence is not testing effectiveness; this distinction is where many programs fall short.
- Third-party assurance. Where assets are managed by service providers, the entity must evaluate the provider’s information security capability and controls. Contracts alone do not discharge this.
- Incident response and notification. Mechanisms to detect and respond to incidents in a timely manner, plus the two notification duties practitioners must know cold: material information security incidents must be notified to APRA as soon as possible and no later than 72 hours after the entity becomes aware; material control weaknesses that cannot be remediated in a timely way must be notified within 10 business days.
- Internal audit. The design and operating effectiveness of controls, including those of third parties, fall within internal audit’s review scope.
The CPS 230 interlock
Since 1 July 2025, CPS 230 has wrapped operational risk management, service-provider management and operational resilience around the same estate. In practice the two standards now interlock: the asset and provider registers, control testing and incident mechanisms built for CPS 234 feed directly into CPS 230’s critical-operations and tolerance framing. Entities that built CPS 234 compliance as documentation rather than capability are finding CPS 230 exposes the difference.
Where entities under-deliver
Four patterns dominate independent reviews: asset classification that stopped at the CMDB and never reached information assets held by third parties; control-effectiveness testing that is really an annual policy attestation; third-party “assurance” that is a clause in a contract rather than an evaluated capability; and incident notification processes that have never been rehearsed against the 72-hour clock.
Key takeaways
- CPS 234 is a board accountability standard; treat its obligations as assurance questions, not IT tasks.
- Effectiveness testing and third-party assurance are the two obligations most often under-delivered.
- Know the notification clocks: 72 hours for material incidents, 10 business days for unremediable material control weaknesses.
- CPS 230 now stress-tests whether your CPS 234 program is capability or paperwork.
See where CPS 234 sits in the wider Australian compliance landscape, or engage HEXOSYS for an independent CPS 234 control-effectiveness review.