APRA CPS 234 Information Security

August 16, 2020

APRA CPS 234 vs existing international information security standards

APRA’s new mandatory Prudential Standard, CPS-234, commenced on 1 July 2019.

It specifies new cybersecurity requirements to ensure APRA-regulated entities tighten their cyber security against information security incidents (including cyber attacks). But does it go far enough?

The regulation seeks to minimise the likelihood and impact of information security incidents affecting confidentiality, integrity and information systems, by ensuring that information security capability is commensurate with information security vulnerabilities and threats.

InfoSecAssure reviewed this regulation against requirements set by many other industry bodies, including but not limited to: ISO 27001, the NIST Cyber Security Framework, SOC2 Trust Services Criteria and the Australian Government Information Security Manual (ISM). We found that APRA CPS-234 is very light on defining the broad range of security controls likely required to appropriately protect your organisation; however, it has a more specific focus on the supply chain than the other standards.

The graph above shows the volume of controls/requirements per control category. InfoSecAssure has aligned all controls, requirements and/or recommendations set by each industry framework/standard into a common set of control categories, covering over 20 industry and government frameworks and standards. Contact us today for more insights into our work.

Security policies based solely on CPS-234 may omit critical aspects of an information security management plan that are necessary to keep your organisation safe.

InfoSecAssure has developed a comprehensive set of questions to help guide your organisation in becoming APRA CPS 234 compliant.

Contact InfoSecAssure today for access to our full, detailed guidelines for implementing APRA CPS-234, including templates, or for general advice on how to deliver APRA CPS-234 as part of your overall information security program.

Secure your business.

confidence or certainty in one's own abilities.

“The business has given us assurance that they have security in place to protect our information”

Our Difference

Established and led by industry experts.

At the helm of our privately owned, global RegTech firm are industry experts who understand that security controls should never get in the way of business growth. We empower companies large and small to remain resilient against potential threats with easily accessible software solutions for implementing information security governance, risk or compliance measures.

We support businesses every step of the way.

We don't just throw a bunch of standards at you and let you try to figure it out! We have designed a thoughtful way of supporting all businesses to consider, articulate and develop security controls that suit the needs of the organisation, and we provide clever reporting capability that allows insights and outcomes from security assessments to be leveraged by the business and shared with third parties.

Our customers are the heart of our company.

Our platform places customers at the heart of our design process, while providing access to expert knowledge. With simple navigation and tangible results, we guarantee that all data is securely encrypted at rest and in transit with no exceptions – meeting international standards with annual security penetration testing and ISO 27001 certification.