Prudential Standard CPS 234 Information Security
Mandatory information security standard for APRA-regulated entities in Australia.
What Is CPS 234?
Prudential Standard CPS 234 (Information Security) is a binding regulatory standard issued by the Australian Prudential Regulation Authority (APRA). Its objective is to ensure that APRA-regulated entities maintain information security capabilities commensurate with their vulnerabilities and threats.
CPS 234 applies to authorized deposit-taking institutions (ADIs like banks), general insurers, life insurers, private health insurers, and superannuation funds in Australia.
A key feature of CPS 234 is the explicit responsibility it places on the Board of Directors of an APRA-regulated entity, stating that the Board is ultimately responsible for the information security of the entity.
Does CPS 234 Apply to Your Organisation?
Understanding typical procurement requirements and compliance thresholds.
APRA-Regulated Entities
Banks, insurers, and superannuation funds operating in Australia must fully comply with CPS 234.
SaaS Vendors to Australian Banks
If you provide technology services to an APRA-regulated entity, they must ensure you have controls in place that meet CPS 234 requirements.
FinTech Startups (ANZ)
Any FinTech seeking to partner with or sell into the established Australian financial system will be audited against CPS 234.
- Software companies that do not serve the Australian financial or insurance sectors.
- Organizations outside of APRA's regulatory purview (though other Australian privacy laws may apply).
Why CPS 234 Matters in 2026
Understanding the current regulatory pressures and market adoption vectors.
APRA Enforcement Focus
APRA has repeatedly warned that boards are not taking cyber risk seriously enough and is actively requesting independent CPS 234 audits from regulated entities.
Third-Party Risk
Regulators are clamping down on third-party risk. APRA expects regulated entities to actively test the security of their technology supply chains.
Strict 72-Hour Reporting
Information security incidents that materially affect the entity must be reported to APRA within 72 hours, requiring tight operational incident response.
The Requirements
The core security controls and evidence parameters audited for CPS 234.
How Long Does It Take?
A realistic phase-by-phase implementation roadmap for CPS 234.
Asset Classification & Gap Analysis
Identify and classify all information assets. Perform a gap analysis against CPS 234 requirements.
Policy Framework & Control Design
Update the Information Security Policy framework. Ensure Board reporting mechanisms are established.
Control Testing & Implementation
Implement necessary technical controls and establish a systematic testing program.
With Existing Certifications
6-8 weeks: If you have ISO 27001, you meet most control requirements. Focus on the explicit Board responsibility documentation, incident reporting timelines to APRA, and specific asset classification definitions.
Starting from Scratch
4-6 months: Establishing a robust information security capability, testing program, and Board reporting structure requires significant organizational effort.
The Mistakes That Delay Most CPS 234 Programs
Sourced from real compliance audits. Avoid these pitfalls to keep your timeline on track.
Treating it just as an IT problem
CPS 234 explicitly puts the ultimate responsibility on the Board. If the Board is not actively reviewing cyber risk, you are not compliant.
Ensure cyber security is a standing agenda item for the Board Risk Committee.
Failing to classify assets properly
Controls must be commensurate with the criticality and sensitivity of the asset. Without a comprehensive classification, you cannot prove controls are appropriate.
Build a robust Information Asset Register that ties every asset to a classification level and defined security controls.
Inadequate testing
APRA expects systematic, regular testing of control effectiveness, not just an annual penetration test.
Implement a continuous or scheduled internal control testing program beyond just technical vulnerability scans.
Rishabh's Take on CPS 234
Practitioner Voice“If you're selling into the Australian financial sector, understanding CPS 234 is non-negotiable. Australian banks will heavily scrutinize your controls because APRA is scrutinizing them. The best way to align with CPS 234 as a vendor is to hold a strong ISO 27001 certification and be able to clearly articulate how your incident response processes allow your banking clients to meet their 72-hour APRA reporting obligations.”
Related Resources
Articles, guides, and tools to accelerate your compliance program.
CPS 234 Insights
Read practical security, engineering, and audit management playbooks from the GRC hub.
CPS 234 Checklist
Assess your baseline control posture against CPS 234 criteria in 10 minutes.
Compare Frameworks
Not sure which framework is best for your current situation? Run our intake to see a prioritized recommendation roadmap.
Frequently Asked Questions
Common queries about CPS 234 compliance and certification processes.