APRA Prudential Standard CPS 234 Information Security

APRA Prudential Standard CPS 234, which sits alongside data privacy frameworks such as ISO 27001 and the GDPR, commenced on 1 July 2019 as the mandatory information security standard for APRA-regulated entities.

This Prudential Standard aims to ensure that an APRA-regulated entity takes measures to be resilient against information security incidents (including cyberattacks) by maintaining an information security capability commensurate with its information security vulnerabilities and threats. CPS 234 brings to the forefront the importance of strong cybersecurity measures: APRA-regulated entities must maintain their security capability and minimise the impact of information security incidents on the confidentiality, integrity and availability of their information assets. This includes information assets managed by related parties or third parties. The Board of an APRA-regulated entity is ultimately responsible for ensuring that the entity maintains its information security.

What is the APRA CPS 234 Prudential Standard, and how does it fit alongside data privacy frameworks such as ISO 27001 and the GDPR?

CPS 234 requires an APRA-regulated entity to maintain an information security capability commensurate with its information security vulnerabilities and threats, so that it is resilient against information security incidents (including cyberattacks). In practice, this means:

•  A robust cyber security framework with its corresponding controls clearly identified. Information security roles for board members, senior management, any governing bodies and individuals must be clearly defined.

•  All information assets must be identified and classified according to their criticality and sensitivity: the impact of a loss of availability, and the impact of a loss of confidentiality and integrity.

•  Third parties that manage the entity's information assets must also meet the information security requirements of CPS 234 (and of any applicable data privacy framework such as ISO 27001 or the GDPR) to protect sensitive information.

•  APRA-regulated entities must continually test their systems to ensure that their security capability keeps pace with the evolving cyber threat landscape.

•  Security incident response must follow formal incident response plans, ensure a support strategy is in place for all incident cases, and notify APRA of material information security incidents within 72 hours.

•  Internal audit must review the design and operating effectiveness of information security controls.

•  Diagnostic gap analysis review. Organisations need to understand their requirements by identifying the gaps and weaknesses in their current processes, together with the key capabilities that are at risk and that may expose critical data assets to malicious parties.

•  Risk treatment. Once gaps are identified, a pragmatic, risk-based plan must be developed to address them within the timeframes required by APRA's data breach notification obligations.

•  Ongoing monitoring and assurance. Continuous cyber risk monitoring of the organisation is required, so that assurance can be provided to management, the board and all other key stakeholders.

Cybernetic Global Intelligence has a team of qualified PCI DSS QSAs and ISO 27001:2013 lead auditors and assessors who can assist with all aspects of APRA CPS 234 information security compliance. Like any compliance regime, APRA CPS 234 can be complex and hard to navigate alone. We take the stress out of becoming CPS 234 compliant by assessing and validating your adherence to the standard, and by working with you on diagnostic gap analysis, risk treatment, and ongoing monitoring and assurance, with remediation strategies to help you meet the APRA CPS 234 Information Security Standard.

Run Your Business. We’ll Protect It.