
APRA Prudential Standard CPS 234 Information Security

APRA CPS 234 requires Australian financial entities to maintain information security capability commensurate with threats. This guide covers requirements, board obligations, incident reporting, and implementation.

Issuing Body: Australian Prudential Regulation Authority (APRA)
First Published: 2019-07-01
Latest Version: 2019
Typical Cost: $50,000–$500,000
Typical Timeline: 4–12 months
Audit Required: Yes
Audit Frequency: Annual internal audit review of information security controls. APRA conducts periodic supervisory reviews.
Geography: Australia

APRA CPS 234: Australian Information Security Standard

APRA Prudential Standard CPS 234 is Australia's mandatory information security standard for APRA-regulated financial entities. Effective since July 2019, it requires entities to maintain information security capability commensurate with the size and extent of threats to their information assets, and to promptly notify APRA of material security incidents or control weaknesses.

What CPS 234 Covers

CPS 234 takes a principles-based approach organized around key obligations. Boards must ensure that the entity maintains information security commensurate with its threat landscape. Entities must clearly define information security roles and responsibilities, maintain adequate capability (including through third parties), implement controls to protect information assets proportionate to their criticality, and detect and respond to incidents in a timely manner.

Critically, CPS 234 requires APRA notification within 72 hours of becoming aware of a material information security incident and within 10 business days of identifying a material control weakness. The standard also imposes requirements on information security testing, including annual reviews by internal audit.

Who Needs CPS 234 Compliance

CPS 234 applies to all APRA-regulated entities including authorized deposit-taking institutions (banks, building societies, credit unions), general insurers, life insurance companies, private health insurers, and registrable superannuation entity licensees. Third-party service providers are indirectly required to meet CPS 234 expectations through the entity's third-party risk management obligations.

Implementation Approach

Start with a comprehensive information asset inventory and classification exercise. Assess your current security capability against the threat landscape for your entity type. Establish board-level governance with clear accountability for information security. Implement controls proportionate to asset criticality and test them regularly. Develop incident management processes with APRA notification workflows.

Cost Considerations

Implementation costs typically range from $50,000 for smaller entities with mature security programs to $500,000 for larger entities requiring significant uplift. APRA has been actively supervising compliance, issuing findings through supervisory letters and conducting targeted reviews of CPS 234 implementation across the industry.
