Rules Mate

CPS 234 readiness scorer

APRA's Prudential Standard CPS 234 (Information Security) has applied to all APRA-regulated entities since 1 July 2019 — and to information assets managed by third parties since 1 July 2020. This tool scores your program across 10 control areas, prioritises gaps by severity, and surfaces APRA's 72-hour and 10-business-day notification triggers.

Last verified: 1 July 2026
10 control areas

Board-level accountability for information security

Para 13 — the board is ultimately responsible for ensuring the entity maintains its information security; that accountability should be visible in board charters and minutes.

Clearly defined information-security roles & responsibilities

Para 14 — the information-security roles and responsibilities of the board, senior management, governing bodies and individuals are clearly defined.

Information-security capability commensurate with threats

Para 15-17 — capability commensurate with the size and extent of threats to information assets, actively maintained as vulnerabilities, threats, assets and the business environment change; where a related or third party manages assets, the entity must assess that party's capability.

Information-security policy framework

Para 18-19 — a policy framework commensurate with exposures to vulnerabilities and threats, giving direction on the responsibilities of all parties obliged to maintain information security.

Identification & classification of information assets

Para 20 — classify information assets, including those managed by related and third parties, by criticality and sensitivity, reflecting the potential financial and non-financial impact of an incident on the entity and its customers.

Implemented controls to protect information assets

Para 21-22 — controls implemented in a timely manner and commensurate with vulnerabilities and threats, criticality and sensitivity, lifecycle stage and the potential consequences of an incident; where a related or third party manages assets, the design of that party's controls must be evaluated.

Incident management plans & processes

Para 23-26 — robust mechanisms to detect and respond to incidents in a timely manner; response plans for incidents that could plausibly occur, covering every stage from detection to post-incident review and escalation to the board; annual review and testing of those plans.

Systematic testing of control effectiveness

Para 27-31 — a systematic testing program whose nature and frequency are commensurate with the rate of change in vulnerabilities and threats, asset criticality and sensitivity, incident consequences, and the materiality and frequency of change; testing by appropriately skilled and functionally independent specialists; deficiencies that cannot be remediated in a timely manner escalated to the board or senior management; program sufficiency reviewed at least annually or on material change.

Internal audit review of control effectiveness

Para 32-33 — internal audit reviews the design and operating effectiveness of controls, including those maintained by related and third parties, and assesses any third-party control assurance it intends to rely on where an incident could materially affect the entity or its customers.

APRA notification process for incidents & control weaknesses

Para 34-35 — as soon as possible and no later than 72 hours after an incident that materially affected (or could have materially affected) the entity or its customers, or that has been notified to another regulator; no later than 10 business days after becoming aware of a material control weakness the entity does not expect to remediate in a timely manner.

Reference tool — not professional advice. CPS 234 is a principles-based standard; your specific obligations depend on entity class, the criticality and sensitivity of your information assets, and your threat environment. Always confirm with APRA or an APRA-experienced information-security consultant for material decisions.

Frequently asked questions

Who does CPS 234 apply to?
All APRA-regulated entities: ADIs (banks, credit unions, building societies), general/life/private health insurers, RSE licensees (super fund trustees) and licensed non-operating holding companies (NOHCs). CPS 234 has been in force since 1 July 2019.
How quickly must I notify APRA of an incident?
As soon as possible and, in any case, no later than 72 hours after becoming aware of an information-security incident that materially affected, or had the potential to materially affect, the entity or the interests of depositors, policyholders, beneficiaries or other customers, or that has been notified to another regulator in Australia or elsewhere. The second trigger is easy to miss: an incident you report to the OAIC or a foreign regulator must also go to APRA within the 72-hour window, whether or not you judged it material. Separately, a material information-security control weakness that you do not expect to remediate in a timely manner must be notified no later than 10 business days after you become aware of it.
What's the difference between CPS 234 and CPS 230?
CPS 234 is the information-security standard specifically: board accountability, asset classification, controls, incident response, testing, internal audit and APRA notification. CPS 230 (Operational Risk Management, in force since 1 July 2025) is the broader operational-risk standard covering business continuity, critical operations and service-provider management. Both apply to in-scope entities, and a service provider that manages information assets is typically in scope of both at once.
Does CPS 234 cover systems run by third parties?
Yes. Since 1 July 2020 CPS 234 has applied to information assets managed by third and related parties. For those assets you must classify them by criticality and sensitivity (para 20), assess the provider's information-security capability (para 16), evaluate the design of the provider's controls (para 22), and, where you rely on the provider's own testing, assess that its nature and frequency are commensurate with your obligations (para 28). Internal audit must also cover those controls and assess any provider assurance it intends to rely on (paras 32-33). In each case you need evidence you can show APRA, not just a contractual clause.

Not sure which obligations apply to you?

Run the Compliance Fingerprint — a 2-minute structured assessment that maps your business to every obligation, deadline and regulator that triggers.