July 21, 2025

How to implement CPS 234: A 7-step compliance guide

Written by
Vanta
In 2024, Vanta’s State of Trust Report found that cybersecurity threats were the number one concern for Australian organisations. To mitigate such threats, the Australian Prudential Regulatory Authority (APRA) developed CPS 234—a robust security framework that all APRA-regulated entities must implement.

CPS 234 addresses virtually all aspects of an entity’s security infrastructure, so implementation can be challenging without guidance.

To give you a starting point, this article will cover:

  • The meaning and purpose of CPS 234
  • An overview of the framework’s structure
  • Actionable implementation steps

What is CPS 234?

CPS 234 is a prudential standard issued by APRA that mandates cyber resilience requirements for regulated entities. It came into effect in 2019 as the Authority’s response to the increasing number and sophistication of cybersecurity threats.

Organisations in the finance and insurance sectors are particularly susceptible to such threats, so APRA enforces strict requirements through CPS 234 to help them improve their security posture and reduce various risks, most notably:

  • External security attacks
  • Breaches and leaks of sensitive data
  • Security weaknesses caused by internal teams’ negligence


Where does CPS 234 fit in with other CPS standards?

CPS 234 is a standalone standard that complements CPS 230, which broadly covers operational risk, including technology risk. CPS 230 came into force on 1 July 2025 and replaced five other standards, specifically CPS 231 (Outsourcing), SPS 231 (Outsourcing), HPS 231 (Outsourcing), CPS 232 (Business Continuity Management), and SPS 232 (Business Continuity Management).

Who needs CPS 234 compliance?

CPS 234 outlines five categories of entities that must achieve compliance with the standard:

  1. Authorised deposit-taking institutions (ADIs)
  2. General insurers
  3. Life companies
  4. Private health insurers registered under the Private Health Insurance (Prudential Supervision) Act (PHIPS Act)
  5. Registrable Superannuation Entity (RSE) licensees under the Superannuation Industry (Supervision) Act (SIS Act)

Applicability is clearly defined, which makes it easy to understand how CPS 234 affects your organisation and to ensure it meets all the necessary obligations. If you work with third parties that can access in-scope sensitive data, the framework’s requirements extend to all of them, including organisations outside of Australia.

How CPS 234 applies to third parties and international vendors

Third parties, including those outside Australia, are not directly subject to CPS 234 but may be contractually required to demonstrate control effectiveness aligned with CPS 234, as determined by the APRA-regulated entity they serve.

Examples of such organisations include:

  • A U.S.-based fintech offering cloud-based lending platforms to Australian banks
  • A U.S.-based data analytics provider processing superannuation data
  • A cybersecurity vendor monitoring Australian insurer infrastructure remotely

In any of the above cases (and other scenarios involving foreign data storage), organisations must check and implement the necessary controls aligned with CPS 234.

Doing so might be particularly challenging for organisations governed by the Clarifying Lawful Overseas Use of Data (CLOUD) Act. While the CLOUD Act doesn’t directly contradict CPS 234, it can create a conflict for Australian entities using cloud services from U.S.-based providers.

The CLOUD Act allows U.S. law enforcement access to data held by U.S.-based providers, even when that data is stored overseas. As such, Australian organisations using these services must ensure CPS 234’s confidentiality and sovereignty requirements are not compromised. This involves a careful balance between CPS 234 and CLOUD Act compliance.

Because you have little direct control over third parties’ security postures, as a regulated entity you should enforce CPS 234 compliance through legal agreements and contract terms that specify how the standard is to be implemented.

To outline all the necessary terms, consider the types of data you’ll be storing with the vendor. You should then assess the impact of a potential incident on your organisation or product operations to inform the risk severity of that vendor.


CPS 234 controls

CPS 234 outlines nine core requirement areas, each of which implies a set of control expectations that organisations must implement based on their risk environment:

  1. Roles and responsibilities
  2. Information security capability
  3. Policy framework
  4. Information assets identification and classification
  5. Implementation of information security controls
  6. Incident management
  7. Testing control effectiveness
  8. Internal audit
  9. APRA notification

The requirements are clear and prescriptive, and they’re designed to achieve the framework’s key objectives:

  • Clearly defining the security-related roles and responsibilities
  • Maintaining a robust information security capability corresponding with data criticality and sensitivity
  • Implementing adequate controls to protect the organisation’s information assets
  • Notifying APRA of relevant security incidents

Besides clarity, a notable advantage of CPS 234 requirements is their close relationship with ISO 27001 controls. If you’ve already fully adopted ISO 27001, you should achieve CPS 234 compliance more efficiently through effective control mapping.

CPS 234 non-compliance penalties

Given APRA’s increased supervisory attention on cyber resilience, regulated entities should expect greater scrutiny and more proactive enforcement of CPS 234 requirements.

CPS 234 itself does not state a fine for non-compliance. Instead, penalties are determined under the broader acts relevant to the entity, for example the Banking Act, Insurance Act, Life Insurance Act, and Superannuation Industry (Supervision) Act. Depending on the type of regulated entity, penalties can include enforceable undertakings, directions, or, in serious cases, civil or criminal proceedings.

Your business could also suffer additional issues like:

  • Legal escalations
  • Loss of business
  • Reputational damage

7 steps to CPS 234 compliance

Regardless of the applicability category your organisation falls into, you can achieve CPS 234 compliance and manage your business risk by taking these steps:

  1. Establish roles and responsibilities
  2. Develop and maintain information security capability
  3. Establish a comprehensive policy framework
  4. Identify and classify information assets
  5. Implement robust controls
  6. Develop incident management procedures
  7. Perform regular internal audits

The following sections will outline each step with the key action items.

Step 1: Establish roles and responsibilities

Section 13 of CPS 234 requires clearly defined roles and responsibilities of the Board, senior management, IT staff, and other relevant personnel. Still, the main focus remains on the Board, which is ultimately responsible for the organisation’s information security.

That’s why it’s crucial to get the buy-in of high-level executives before developing the CPS 234 implementation strategy. They must understand their responsibilities and the consequences of any violations.

As per Section 13, the Board must implement and maintain security controls corresponding to information security threats. This implies that you must first understand your threat landscape by conducting the necessary security reviews and risk assessments.

To streamline the process, you can develop dedicated committees like the information security steering committee and risk management committee. They should conduct the necessary assessments and advise the Board on the controls that must be implemented.

Step 2: Develop and maintain information security capability

After understanding your organisation’s risk profile and security landscape, perform a comprehensive assessment of the existing security capabilities to identify compliance gaps. Review your policies, processes, and procedures to highlight weak spots and prioritise them according to urgency.

CPS 234 requires organisations to extend this process to all third parties managing their information assets, including:

  • Cloud providers
  • Payment processors
  • SaaS platforms with access to sensitive data

Once you’ve performed the necessary assessments, use the results to establish and oversee capabilities in areas like:

  • Vulnerability and threat management
  • Situational awareness
  • Secure design
  • Incident response

Step 3: Establish a comprehensive policy framework

CPS 234 requires organisations to build and maintain an information security policy proportional to relevant threats and risk exposure of their environment. Much like security controls, this policy (Section 18) must be aligned with the extent of the security threats and their impact on the organisation’s operational stability.

The policy should encompass all the relevant security procedures and measures, such as:

As your organisation’s security evolves continuously, your implemented CPS 234 controls shouldn’t remain static. Instead, set up regular reviews and assessments of the current threat landscape to adapt your policies accordingly.

Organisation-wide security awareness is crucial to effective implementation, so communicate the policies to relevant team members at all levels. You should also set up adequate training initiatives that demonstrate security policies in real-life settings to help your team apply policy principles in their daily work.


Step 4: Identify and classify information assets

To effectively protect information assets, you must inventory and classify them according to their criticality and sensitivity. This applies to internal assets as well as those managed by third parties, which you should pay particular attention to due to the expanded threat landscape.

CPS 234 Section 20 requires organisations to implement controls based on the classification of assets according to a potential incident’s financial or non-financial impact. This impact encompasses not only the organisation itself but also its key stakeholders, most notably:

  • Policyholders
  • Depositors
  • Beneficiaries
  • Other customers

As your security landscape changes, you must revisit and reclassify assets if needed. Besides regular reviews, make sure to conduct reassessments after the following scenarios:

  • Realised security threats
  • Onboarding/offboarding new vendors with access to information assets
  • Notable changes to the IT infrastructure

Step 5: Implement robust controls

CPS 234 requires organisations to develop and enforce security controls that correspond to:

  • An information asset’s vulnerabilities and threats
  • Criticality and sensitivity
  • The lifecycle stage of the information asset
  • Potential consequences of a security incident

Regardless of your specific workflows, a recommended best practice is to implement these controls across your development, testing, and production environments because threats can arise in each.

As security controls of your third parties directly impact your security posture, CPS 234 requires organisations to review them. If you notice any deficiencies, you can correct them by adjusting the contract terms to enforce specific controls.

Your security controls must keep up with the changes in your risk profile and security landscape, so review them regularly to see if any adjustments are needed.

Step 6: Develop incident management procedures

As per Sections 23-25 of CPS 234, organisations must develop effective procedures for detecting and responding to security incidents. While CPS 234 does not prescribe a specific process, industry best practices—such as those from NIST and SANS—recommend covering the following six stages:

  1. Detection
  2. Analysis
  3. Containment
  4. Eradication
  5. Recovery
  6. Post-incident review

The specifics of your procedures will depend on your workflows and IT infrastructure, but they must all serve a single goal—responding to incidents swiftly and with minimal damage.

You also need to develop clear procedures for escalating and reporting incidents to the Board and other relevant stakeholders. This will require you to have effective communication channels throughout the organisation and clearly defined reporting responsibilities.

If an incident happens, you must notify APRA within 72 hours, and you must report control weaknesses that could result in an incident within 10 business days. This means that you need a clear external notification process in addition to the internal communication channels you already have.

“The timelines to report incidents are strict. Building an Incident Response Plan, which includes reporting to APRA, will help you predefine what constitutes a material incident and who on your team should make the final call. It’s a valuable resource when handling security incidents.”

Evan Rowse

CPS 234 Section 26 requires organisations to review their incident response procedures annually to ensure ongoing effectiveness. Besides the related policy reviews, you should set up simulations to ensure the procedures stay effective in real-life settings.

Step 7: Perform regular internal audits

There’s no formal CPS 234 compliance process, and APRA doesn’t award any explicit certifications. Instead, you must self-assess your security posture against its requirements and bridge any gaps effectively.

As there are also no recertifications, you must maintain your controls indefinitely to ensure ongoing compliance. This calls for an effective internal audit process that lets you regularly audit the design and operating effectiveness of information security controls.

This is often one of the most challenging aspects of CPS 234 compliance for in-scope organisations. If you don’t have well-defined audit procedures, this could result in non-compliance with CPS 234 obligations.

“Unless an internal audit is already in place, creating and managing one program to effectively review and measure compliance can be challenging to incorporate into an organisation’s broader information security program.”

Faisal Khan

The good news is that there are several ways to overcome these obstacles. A common solution is to combine independent reviews and expert opinions with internal audit activities, especially in areas requiring specialised knowledge.

Another way to streamline ongoing CPS 234 compliance is by using a dedicated software solution. With the right platform, you can remove manual work from the process and maintain your controls more efficiently.


Achieve and maintain CPS 234 compliance with Vanta

Vanta is a comprehensive trust and compliance management platform that automates the compliance workflows related to over 35 major frameworks and regulations, including CPS 234. 

It offers a dedicated CPS 234 product that streamlines compliance through various features, most notably:

  • Pre-configured document templates and policies
  • Continuous visibility of your CPS 234 compliance status
  • Automation and integration options for evidence collection and controls monitoring through over [integrations_count] integrations
  • Access to a network of accredited auditors for support and remediation throughout the compliance process

As third-party risk management is a major part of CPS 234 compliance, Vanta also offers a robust Vendor Risk Management solution to help you continuously oversee the security posture of your third parties and ensure adherence to CPS 234.

Besides dedicated products for the major CPS 234 compliance aspects, Vanta provides ongoing expert support at any stage of the process to eliminate guesswork and minimise the risk of violations.

Schedule a custom demo of Vanta’s CPS 234 product to learn how it helps you achieve and maintain compliance.
