CPS234
Getting Started Guide

Prudential Standard CPS 234 Information Security

Mandatory information security standard for APRA-regulated entities in Australia.

Audit Effort6–9 months for program alignment
Key FactStrict mandatory notification of security incidents to APRA within 72 hours.

What Is CPS 234?

Prudential Standard CPS 234 (Information Security) is a binding regulatory standard issued by the Australian Prudential Regulation Authority (APRA). Its objective is to ensure that APRA-regulated entities maintain information security capabilities commensurate with their vulnerabilities and threats.

CPS 234 applies to authorized deposit-taking institutions (ADIs like banks), general insurers, life insurers, private health insurers, and superannuation funds in Australia.

A key feature of CPS 234 is the explicit responsibility it places on the Board of Directors of an APRA-regulated entity, stating that the Board is ultimately responsible for the information security of the entity.

Does CPS 234 Apply to Your Organisation?

Understanding typical procurement requirements and compliance thresholds.

APRA-Regulated Entities

Banks, insurers, and superannuation funds operating in Australia must fully comply with CPS 234.

Mandatory

SaaS Vendors to Australian Banks

If you provide technology services to an APRA-regulated entity, they must ensure you have controls in place that meet CPS 234 requirements.

Mandatory

FinTech Startups (ANZ)

Any FinTech seeking to partner with or sell into the established Australian financial system will be audited against CPS 234.

Highly Recommended
You probably don't need CPS 234 if:
  • Software companies that do not serve the Australian financial or insurance sectors.
  • Organizations outside of APRA's regulatory purview (though other Australian privacy laws may apply).

Why CPS 234 Matters in 2026

Understanding the current regulatory pressures and market adoption vectors.

APRA Enforcement Focus

APRA has repeatedly warned that boards are not taking cyber risk seriously enough and is actively requesting independent CPS 234 audits from regulated entities.

Third-Party Risk

Regulators are clamping down on third-party risk. APRA expects regulated entities to actively test the security of their technology supply chains.

Strict 72-Hour Reporting

Information security incidents that materially affect the entity must be reported to APRA within 72 hours, requiring tight operational incident response.

The Requirements

The core security controls and evidence parameters audited for CPS 234.

How Long Does It Take?

A realistic phase-by-phase implementation roadmap for CPS 234.

1
Weeks 1-4

Asset Classification & Gap Analysis

Identify and classify all information assets. Perform a gap analysis against CPS 234 requirements.

Key Deliverable:Asset Register, Gap Analysis Report
2
Weeks 5-10

Policy Framework & Control Design

Update the Information Security Policy framework. Ensure Board reporting mechanisms are established.

Key Deliverable:Updated IS policies, Board reporting templates
3
Weeks 11-16

Control Testing & Implementation

Implement necessary technical controls and establish a systematic testing program.

Key Deliverable:Control testing schedule, technical implementation evidence
With Existing Certifications

6-8 weeks: If you have ISO 27001, you meet most control requirements. Focus on the explicit Board responsibility documentation, incident reporting timelines to APRA, and specific asset classification definitions.

Starting from Scratch

4-6 months: Establishing a robust information security capability, testing program, and Board reporting structure requires significant organizational effort.

The Mistakes That Delay Most CPS 234 Programs

Sourced from real compliance audits. Avoid these pitfalls to keep your timeline on track.

Treating it just as an IT problem

Why it happens:

CPS 234 explicitly puts the ultimate responsibility on the Board. If the Board is not actively reviewing cyber risk, you are not compliant.

How to avoid it:

Ensure cyber security is a standing agenda item for the Board Risk Committee.

Failing to classify assets properly

Why it happens:

Controls must be commensurate with the criticality and sensitivity of the asset. Without a comprehensive classification, you cannot prove controls are appropriate.

How to avoid it:

Build a robust Information Asset Register that ties every asset to a classification level and defined security controls.

Inadequate testing

Why it happens:

APRA expects systematic, regular testing of control effectiveness, not just an annual penetration test.

How to avoid it:

Implement a continuous or scheduled internal control testing program beyond just technical vulnerability scans.

Loading Kickstart state...

Related Resources

Articles, guides, and tools to accelerate your compliance program.

Insights & Playbooks

CPS 234 Insights

Read practical security, engineering, and audit management playbooks from the GRC hub.

Visit the GRC Blog
Readiness Tools

CPS 234 Checklist

Assess your baseline control posture against CPS 234 criteria in 10 minutes.

Start Assessment
Decision Engine

Compare Frameworks

Not sure which framework is best for your current situation? Run our intake to see a prioritized recommendation roadmap.

Start Framework Finder

Frequently Asked Questions

Common queries about CPS 234 compliance and certification processes.