CPS 230 vs CPS 234: how APRA's operational risk and information security standards differ
A side-by-side of APRA's CPS 230 (Operational Risk Management) and CPS 234 (Information Security) — what each covers, who they apply to, commencement dates, and how they fit together.
The short version
CPS 230 is APRA’s standard concerning operational risk management. It requires ADIs and insurers to implement a robust operational risk management framework, and commenced on 1 July 2025. RSE licensees (super fund trustees) are required to comply from 1 July 2026. Cyber security is recognised as a key element of operational resilience, and is therefore one component of the broader requirements under CPS 230. A CPS 230 readiness scorer can assist in assessing preparedness.
CPS 234, in contrast, is APRA’s information security standard, which came into force on 1 July 2019. While it focuses specifically on the protection of information assets, it does not encompass the full scope of operational risk management.
Essentially, CPS 234 addresses information security, while CPS 230 addresses operational risk, with cyber security being a subset of the latter.
What CPS 234 covers
CPS 234 focuses on information security capability within APRA-regulated entities. It mandates that entities maintain an information security capability that is appropriate to the threats they face. This standard is designed to ensure the confidentiality, integrity, and availability of information assets.
The standard outlines specific duties for regulated entities. These include clearly defining information security roles, classifying information assets based on their criticality and sensitivity, implementing appropriate controls to protect those assets, and regularly testing the effectiveness of those controls. Following a material information security incident, entities must notify APRA within 72 hours.
A key aspect of CPS 234 also addresses information assets managed by third parties or related parties. Regulated entities are required to have assurance arrangements in place to ensure the security of these externally managed assets.
What CPS 230 covers
CPS 230 establishes requirements for the management of operational risk. It necessitates that entities develop and maintain a board-approved operational risk management framework. This framework must enable the entity to identify critical operations and establish tolerance levels for disruption to those operations.
The standard mandates specific operational risk management practices. These include the development and testing of a business continuity plan, the implementation of an incident management process, and the maintenance of a register of material service providers, accompanied by risk assessments for those providers.
Entities are also required to notify APRA of material operational risk incidents. Furthermore, APRA expects entities to undertake scenario-based resilience testing at least annually to assess their operational resilience.
Who they apply to
CPS 230 and CPS 234 both apply to entities regulated by the Australian Prudential Regulation Authority (APRA). This includes Authorised Deposit-taking Institutions (ADIs), general insurers, life insurers, private health insurers, and Registered Superannuation Entity (RSE) licensees.
CPS 234 has been in effect since 2019. CPS 230’s commencement dates differ based on entity type. ADIs and insurers are required to comply from 1 July 2025. RSE licensees will need to comply from 1 July 2026, although this is subject to transition relief offered by APRA in April 2026.
To summarise:
- ADIs and insurers: CPS 230 applies from 1 July 2025.
- RSE licensees: CPS 230 applies from 1 July 2026 (subject to transition relief).
How they fit together
CPS 234 establishes the information-security layer, while CPS 230 provides the broader operational resilience framework that encompasses it. CPS 230 sits above CPS 234, meaning that information-security requirements are a component of overall operational resilience.
A single event, such as a cyber incident, can trigger obligations under both standards. This is because a cyber incident is inherently both an information-security incident, falling under CPS 234, and an operational risk incident, falling under CPS 230. Such an incident may also trigger obligations under the SOCI Act and the Privacy Act.
To manage these overlapping obligations, it is essential to map every notification clock that starts when a cyber incident occurs, which the cyber incident notification tool is designed to help with.
Frequently asked
Is CPS 230 replacing CPS 234?
No. They coexist. CPS 234 remains the information-security standard; CPS 230 adds a broader operational risk and resilience framework around it.
Which has the tighter incident-notification clock?
CPS 234 requires notifying APRA of material information-security incidents within 72 hours. CPS 230 also requires notification of material operational-risk incidents — confirm the specific timing in the standard for your entity.