
The CPS 234 Checklist


For businesses operating in Australia’s highly regulated industries, staying on top of Australian Prudential Regulation Authority (APRA) requirements is a must. One of these is Prudential Standard CPS 234 Information Security (CPS 234), which has been in effect since July 1, 2019. CPS 234 requires APRA-regulated entities—such as banks and other financial services industry (FSI) organisations—to have strong information security practices in place to mitigate risk.

CPS 234 was enacted in response to the growing number of threats and sophisticated cybersecurity attacks organisations are facing. With more than half of organisations saying security risks have never been higher, mandatory global regulations and compliance frameworks are becoming more common to protect businesses and their customers from these threats. 

As companies adopt new strategies and frameworks to meet these requirements, knowing how to actually become compliant can be a challenge, but it is a necessary one. Meeting regulatory requirements builds trust and confidence with current customers and helps businesses attract new ones, fuelling growth and product expansion.

What is CPS 234? 

CPS 234 is an APRA prudential standard focused specifically on information security. It has been in effect since July 1, 2019.

The main goal of CPS 234 is to increase the resilience of APRA-regulated entities against cybersecurity incidents and attacks. The key requirements of CPS 234 include:

  • Clearly defining information security roles and responsibilities.
  • Maintaining information security capabilities commensurate with the size of the company, so that threats can be mitigated effectively.
  • Implementing controls that protect information assets, and systematically testing those controls for effectiveness.
  • Notifying APRA of any information security incidents.

Compliance with CPS 234 demonstrates that organisations and the third parties they work with can protect sensitive information, like customer or company data or financial records, by meeting standards and minimum information security capabilities within their IT infrastructure. 

What is CPS 230?

Prudential Standard CPS 230 focuses on the overall management of operational risk, ensuring APRA-regulated organisations, like insurance companies and banks, are resilient to threats and disruptions. CPS 230 builds on the general risk management requirements in Prudential Standard CPS 220 Risk Management (CPS 220) and Prudential Standard SPS 220 Risk Management (SPS 220), with more specific requirements for the management of operational risks. 

CPS 230 was originally intended to commence on July 1, 2024; however, APRA extended the effective date to July 1, 2025, because of the significant amount of work required for organisations to comply with CPS 230 alongside the other regulatory reforms happening at the same time.

With CPS 230, organisations must:

  • Identify, assess, and manage risk with internal controls, including monitoring and remediation efforts.
  • Have a business continuity plan (BCP) to manage critical operations during disruptions.
  • Manage third-party service providers and vendors to mitigate risk.
  • Notify APRA after certain operational risk incidents, disruptions, changes in agreements and offshoring agreements. Note: A notification of an information security incident reported under CPS 234 does not need to be separately reported under the notification requirements of CPS 230.

While a majority of APRA-regulated businesses will need to comply with CPS 230 by July 1, 2025, companies that aren’t “significant financial institutions” have until July 1, 2026.

CPS 234 complements CPS 230

CPS 230 broadly covers operational risk, including technology risk. While CPS 234 is a standalone standard, it complements CPS 230 and provides specific requirements for managing information security risks within APRA-regulated entities. 

Does my business need to adopt CPS 234? 

If your business operates in Australia and is APRA-regulated, you will need to comply with CPS 234. This includes businesses that are:

  • Deposit-taking institutions, like banks and credit unions
  • Non-operating holding companies
  • Insurance companies, such as life insurance companies or general insurers
  • Private health insurers
  • Registrable superannuation entity (RSE) licensees (this does not include self-managed superannuation funds)

While the obligation for compliance sits solely with the APRA-regulated entity, companies operating outside of Australia that serve an APRA-regulated entity may need to align with CPS 234, including:

  • Companies that host Australian data in U.S. data centres
  • Companies subject to U.S. law enforcement access, such as under the CLOUD Act
  • A U.S. fintech organisation offering cloud-based lending platforms to Australian banks
  • A U.S.-based data analytics provider that processes superannuation data
  • A cybersecurity vendor that monitors Australian insurer infrastructure remotely

And even if your business isn’t legally required to adopt CPS 234, it can be beneficial. Compliance can help secure new customers more easily and maintain relationships within highly regulated industries. It can also serve as a proof point for customers in other industries, showing your company takes security seriously. 

Steps to becoming CPS 234 compliant

If you want to become compliant with CPS 234, there are several steps you’ll need to follow. We’ve designed this checklist to help make the process a bit easier. 


Access review stages and functionality

Across all stages
  • Easily create and save a new access review at a point in time
  • View detailed audit evidence of historical access reviews

Set up access review procedures
  • Define a global access review procedure that stakeholders can follow, ensuring consistency and reducing human error in reviews
  • Set your access review frequency (monthly, quarterly, etc.) and working period/deadlines

Consolidate account access data from systems
  • Integrate systems using dozens of pre-built integrations, or “connectors”; system account and HRIS data is pulled into Vanta
  • Upcoming integrations include Zoom and Intercom (account access), and Personio (HRIS)
  • Upload access files from non-integrated systems
  • View and select systems in scope for the review

Review, approve, and deny user access
  • Select the appropriate systems reviewer and due date
  • Automatic notifications and reminders to the systems reviewer about deadlines
  • Automatic flagging of “risky” employee accounts whose owners have been terminated or switched departments
  • Intuitive interface to see all accounts with access, account accept/deny buttons, and a notes section
  • Track progress of individual systems access reviews and see accounts that need to be removed or have access modified
  • Bulk sort, filter, and alter accounts based on account roles and employee title

Assign remediation tasks to system owners
  • Built-in remediation workflow for reviewers to request access changes and for admins to view and manage requests
  • Optional task tracker integration to create tickets for any access changes and provide visibility into the status of tickets and remediation

Verify changes to access
  • Focused view of accounts flagged for access changes for easy tracking and management
  • Automated evidence of remediation completion displayed for integrated systems
  • Manual evidence of remediation can be uploaded for non-integrated systems

Report and re-evaluate results
  • Auditors can log into Vanta to see the history of all completed access reviews
  • Internal staff can see the status of reviews in progress as well as historical review detail