Frontrow Technology
Guide

Cyber Security · APRA

APRA CPS 234 — the Microsoft 365 implementation map for Australian financial services

APRA's CPS 234 information security standard mapped to the Microsoft 365 services that deliver each requirement. Frontrow's working blueprint for Australian banks, super funds, insurers and APRA-regulated entities closing the gap with the Microsoft licensing already in place.

Sam Williams · 25 April 2026 · 8 min read

APRA's CPS 234 has been the information security baseline for Australian banks, super funds, insurers and other APRA-regulated entities since 1 July 2019. In 2026 it is one of the standards Frontrow most often gets asked to map to a Microsoft 365 implementation. The text of the standard is concise. The operational implications are not. The work below maps each of the substantive obligations to the specific Microsoft 365 service, configuration and evidence that satisfies them at the level APRA's own thematic reviews and tripartite assurance reports have signalled they expect.

For most APRA-regulated entities running on Microsoft 365 with E3 or E5 licensing already in place, CPS 234 is achievable without significant additional licensing. The discipline is in the configuration, the operating cadence, and the evidence that proves both. This guide is the working version of what Frontrow takes into the conversation.

Information security capability commensurate with risk

CPS 234 paragraph 15 requires the regulated entity to maintain an information security capability commensurate with the size and extent of threats to its information assets, and one that enables the continued sound operation of the entity; paragraph 17 requires that capability to be actively maintained as vulnerabilities, threats and the entity's own assets change. The Microsoft Defender XDR suite (Defender for Endpoint, Defender for Office 365, Defender for Identity, Defender for Cloud Apps), plus Microsoft Sentinel where the entity has the scale to operate it, is the capability APRA's thematic reviews of larger entities have referenced as expected practice. For mid-size entities, Microsoft Defender XDR alone with a managed detection and response wrapper is the proportionate posture. Either way, the paragraph 17 obligation is operational rather than a licensing question: somebody has to own the detection tuning, the vulnerability backlog in Defender Vulnerability Management and the review of new attack techniques, and the evidence that they do so is what a reviewer will ask for.

Information security policy framework

CPS 234 paragraph 18 requires an information security policy framework commensurate with the entity's exposure to vulnerabilities and threats, and paragraph 19 requires that framework to give direction on the responsibilities of everyone who has an obligation to maintain information security, staff, contractors and third parties included. Microsoft Purview's policy enforcement layer (sensitivity labels, DLP, retention, audit) is the technical surface through which the written policies are enforced; the written policy has to exist first, because the Purview configuration is evidence of enforcement, not a substitute for the policy. The framework Frontrow recommends has six documents: information security policy, acceptable use policy, access control policy, data classification and handling policy, incident response policy, third-party security policy. Each is owned by a named accountable person, reviewed at least annually, and approved by the board or a board committee.

Information asset classification

CPS 234 paragraph 20 requires the regulated entity to classify its information assets, including those managed by related parties and third parties, by criticality and sensitivity. Microsoft Purview sensitivity labels are the technical implementation of the sensitivity axis. The four-label scheme (Public, Internal, Confidential, Highly Confidential) plus the supplementary categories (Personal Information, Financial Sensitive, Regulator Reportable) maps cleanly to the sensitivity tiers most APRA-regulated entities operate. Criticality is the other axis and a label does not carry it: a Confidential document says nothing about whether the system holding it can be down for an hour or a week. Criticality belongs on the information asset register against the system or dataset, and the classification is only complete when the register holds both ratings for every asset in scope, third-party-hosted assets included.

Implementation of controls

CPS 234 paragraph 21 requires information security controls, including over assets managed by related parties and third parties, that are implemented in a timely manner and are commensurate with the vulnerabilities and threats, the criticality and sensitivity of the asset, its life-cycle stage and the potential consequences of an incident. The Essential Eight at Maturity Level 2 is the cyber baseline that satisfies the substance of this requirement for the cyber control surface. Frontrow's separate guide on the Essential Eight ML2 Microsoft 365 implementation map walks the technical configuration in detail. CPS 234 expects more than the Essential Eight on identity, on encryption (data at rest and in transit, including who holds the keys) and on incident response (the response plan tested and the BCM integration documented). Microsoft Entra ID P2 covers the workforce identity expectations (PIM, Identity Protection, access reviews); where customer-facing identity is in scope that is a separate customer identity platform, Microsoft Entra External ID in the Microsoft stack, not a P2 feature. Microsoft 365 service-side encryption covers the encryption surface by default, with Azure Key Vault and Microsoft 365 Customer Key where the entity needs to hold and rotate its own root keys. Microsoft Sentinel and Defender XDR cover detection and response. Paragraph 22 adds that where a third party manages the asset, the entity must evaluate the design of that party's controls, which is the sub-processor assurance work that appears later in the evidence pack.

Incident management

CPS 234 paragraphs 23 to 26 require robust mechanisms to detect and respond to information security incidents in a timely manner, plans to respond to the incidents the entity considers could plausibly occur, plans that cover every stage from detection through to post-incident review, and an annual review and test of those plans. Microsoft Defender XDR's incident workflow plus Microsoft Sentinel's automation playbooks for the larger entities provide the technical surface. The policy and exercise side requires the written incident response plan, the named incident response team, the documented escalation pathway to APRA for material incidents (within 72 hours of becoming aware), the customer notification process, and an annual exercise that tests the end-to-end response rather than a tabletop of the technical containment alone. The exercise output, with the time taken at each escalation step recorded, is the evidence APRA's tripartite assurance reviews look for.

Testing of control effectiveness

CPS 234 paragraph 27 requires the entity to test the effectiveness of its information security controls through a systematic testing programme, with the nature and frequency of testing commensurate with the rate of change in vulnerabilities and threats, the rate of change in information assets, the criticality and sensitivity of those assets and the consequences of an incident; paragraph 29 requires test results that identify deficiencies the entity cannot remediate promptly to be escalated to the board or senior management, and paragraph 30 requires the testers to be appropriately skilled and functionally independent. Microsoft Secure Score and Microsoft Compliance Manager surface a continuous view of control posture, which is useful for the design side, but they are Microsoft's own scoring of the tenant configuration, not independent testing of operating effectiveness. The independence requirement is satisfied by an annual penetration test, a quarterly vulnerability assessment, and a periodic third-party review (typically a SOC 2 Type II report or an ISO 27001 surveillance audit on the control surface in scope). The output of the continuous posture view and of all three independent tests feeds the residual risk register that the board reviews.

Audit and assurance

CPS 234 paragraph 32 requires the entity's internal audit activities to include a review of the design and operating effectiveness of information security controls, including those maintained by related parties and third parties, and paragraph 33 requires internal audit to assess the control assurance a third party provides where the entity intends to rely on it for material assets. Microsoft Purview Audit (Premium), which comes with E5 or the E5 Compliance add-on and carries one-year audit log retention by default (ten years with the separate retention add-on), gives internal audit the evidentiary foundation; the Audit (Standard) retention that ships with E3 is too short for an annual audit cycle. The audit cadence Frontrow sees in well-run APRA-regulated entities is an annual deep audit rotating through the control surfaces, plus continuous control monitoring through Microsoft Secure Score and Sentinel for the day-to-day posture.

Notification to APRA

CPS 234 paragraph 35 requires notification to APRA as soon as possible and no later than 72 hours after becoming aware of an information security incident that materially affected, or had the potential to materially affect, the entity or the interests of depositors, policyholders, beneficiaries or other customers, or that has been notified to another regulator in Australia or overseas. Paragraph 36 adds a second clock that is easy to miss: a material information security control weakness the entity expects it cannot remediate in a timely manner must be notified within 10 business days of becoming aware of it, so a penetration test finding or a long-running patching gap can be a reportable event without any incident occurring. The Microsoft Defender XDR incident workflow integrates with Microsoft Sentinel's automation to flag candidate incidents, but materiality is a human judgement, so the automation should start the clock and page the named decision-maker rather than decide. The response runbook should include the explicit escalation path to APRA notification with the named approver, the standing notification template, and a recorded time at which the entity became aware, because that timestamp is what the 72 hours is measured from.

Where E3 stops and E5 starts for CPS 234

Microsoft 365 E3 plus Defender for Endpoint Plan 2 (E3 ships with Plan 1; Plan 2 is an add-on or comes with E5) covers most of the CPS 234 surface. The pieces that materially benefit from E5 are Entra ID P2 (for PIM, Identity Protection and access reviews), the Purview E5 Compliance add-on or E5 Compliance (for Insider Risk Management, eDiscovery (Premium) and the Audit (Premium) retention that CPS 234's evidentiary expectations rely on), and the remaining Defender XDR components. Microsoft Sentinel is not an E5 feature: it is billed on ingested data whatever the licence, with a data-ingestion benefit for E5 tenants on Microsoft 365 log sources, so the scale of audit data CPS 234 implies for larger entities is an Azure consumption line rather than a licence line. The targeted add-on path is usually the cheaper move for mid-size entities than the full E5 lift.

What a CPS 234 evidence pack looks like

  • The information security policy framework documents and the board approval record.
  • The information asset register with classifications and criticality ratings.
  • The Essential Eight ML2 evidence pack (patch latency, MFA coverage, PIM activation, application control, ASR rules, restore tests).
  • The Microsoft Purview sensitivity label policy, DLP policy, audit configuration and retention policy.
  • The Conditional Access policy export and the sign-in log filter showing zero successful password-only interactive sign-ins across 30 days, with the break-glass accounts excluded from the policy listed and justified.
  • The annual penetration test report and the quarterly vulnerability assessment reports.
  • The annual incident response exercise output with the timing measured against the 72-hour APRA notification line.
  • The internal audit report on the information security control framework.
  • The third-party security risk register and the relevant sub-processor assurance evidence.
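Two of the evidence-pack items above, the sign-in log filter and the Conditional Access export, are worth scripting rather than eyeballing, because the number has to be reproducible at the next audit. The following is an added example written for this guide, not Frontrow's tooling and not anything from Microsoft. It runs over constructed sample records laid out like the Graph `signIn` and `conditionalAccessPolicy` resources (the user names, the `authenticationMethod` strings in `PASSWORDLESS` and the break-glass object IDs are assumptions), buckets each sign-in in the 30-day window and flags the password-only ones, then checks whether any enabled policy really forces MFA for everyone rather than OR-ing it against a compliant-device control or carving out more than the break-glass accounts.

```python
"""Two CPS 234 evidence checks over Microsoft Graph exports, on constructed data:
1. successful, interactive, password-only sign-ins in a 30-day window
   (GET /auditLogs/signIns layout, trimmed to the fields used);
2. an enabled Conditional Access policy that requires MFA for all users on all
   apps with no exclusions beyond break-glass (GET /identity/conditionalAccess/policies)."""
from collections import Counter
from datetime import datetime, timedelta, timezone

NOW = datetime(2026, 4, 25, tzinfo=timezone.utc)   # fixed "now" so the sample is reproducible

# authenticationMethod strings treated as passwordless; assumption, extend from your own logs
PASSWORDLESS = {"FIDO2 security key", "Windows Hello for Business", "Passwordless phone sign-in",
                "Certificate", "Temporary Access Pass"}

def _signin(upn, when, req, methods, interactive=True, error=0, app="Office 365"):
    """Build one constructed signIn record in the Graph field layout."""
    return {"userPrincipalName": upn, "createdDateTime": when, "isInteractive": interactive,
            "authenticationRequirement": req, "appDisplayName": app, "status": {"errorCode": error},
            "authenticationDetails": [{"authenticationMethod": m, "succeeded": True} for m in methods]}

SAMPLE_SIGNINS = [  # constructed sample export
    _signin("alice@example.com.au", "2026-04-20T08:15:00Z", "multiFactorAuthentication",
            ["Password", "Mobile app notification"]),
    _signin("bob@example.com.au", "2026-04-22T09:02:00Z", "singleFactorAuthentication",
            ["FIDO2 security key"]),
    _signin("carol@example.com.au", "2026-04-23T11:47:00Z", "singleFactorAuthentication",
            ["Password"], app="Exchange Online"),                  # the finding
    _signin("dave@example.com.au", "2026-04-24T07:30:00Z", "singleFactorAuthentication",
            ["Password"], error=50126),                            # failed: wrong password
    _signin("svc-backup@example.com.au", "2026-04-21T02:00:00Z", "singleFactorAuthentication",
            [], interactive=False),                                # token refresh, not a login
    _signin("erin@example.com.au", "2026-03-01T10:00:00Z", "singleFactorAuthentication",
            ["Password"]),                                         # outside the 30-day window
]

def classify(rec):
    """Bucket one sign-in: failed / noninteractive / mfa / passwordless / password-only.
    Single-factor sign-ins that are not provably passwordless count as password-only,
    so an empty or unrecognised method list is a finding rather than a pass."""
    if rec.get("status", {}).get("errorCode", 0) != 0:
        return "failed"
    if not rec.get("isInteractive", True):
        return "noninteractive"
    if rec.get("authenticationRequirement") == "multiFactorAuthentication":
        return "mfa"
    methods = {d["authenticationMethod"] for d in rec.get("authenticationDetails", []) if d.get("succeeded")}
    return "passwordless" if methods & PASSWORDLESS else "password-only"

def in_window(rec, now=NOW, days=30):
    ts = datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00"))
    return now - timedelta(days=days) <= ts <= now

def password_only_report(signins, now=NOW, days=30):
    """Evidence summary: bucket counts, strong-auth share of successful interactive
    sign-ins, and the password-only sign-ins to chase down."""
    counts, findings = Counter(), []
    for rec in signins:
        if not in_window(rec, now, days):
            continue
        bucket = classify(rec)
        counts[bucket] += 1
        if bucket == "password-only":
            findings.append((rec["userPrincipalName"], rec["createdDateTime"], rec["appDisplayName"]))
    successful = counts["mfa"] + counts["passwordless"] + counts["password-only"]
    coverage = (counts["mfa"] + counts["passwordless"]) / successful if successful else 1.0
    return {"window_days": days, "counts": dict(counts), "strong_auth_coverage": coverage,
            "password_only": findings}

BREAK_GLASS = {"1f3c0c1e-break-glass-1", "2a7d9b44-break-glass-2"}   # constructed object IDs
ALL_USERS_ALL_APPS = {"users": {"includeUsers": ["All"]}, "applications": {"includeApplications": ["All"]}}

SAMPLE_POLICIES = [  # constructed, Graph conditionalAccessPolicy layout
    {"displayName": "CA001 Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["1f3c0c1e-break-glass-1"]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "CA002 Require MFA (report-only)", "state": "enabledForReportingButNotEnforced",
     "conditions": ALL_USERS_ALL_APPS, "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "CA003 MFA or compliant device", "state": "enabled",
     "conditions": ALL_USERS_ALL_APPS,
     "grantControls": {"operator": "OR", "builtInControls": ["mfa", "compliantDevice"]}},
    {"displayName": "CA004 Require MFA, wide exclusion", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"],
                              "excludeUsers": ["1f3c0c1e-break-glass-1", "9c2e4a10-contractor-svc"]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]

def mfa_for_all_users(policies, break_glass=BREAK_GLASS):
    """Names of enabled policies that actually force MFA for everyone: all users, all apps,
    exclusions limited to break-glass accounts (group exclusions fail, since membership is
    not in the export), and MFA or an authentication strength not OR-ed away by another control."""
    good = []
    for p in policies:
        if p.get("state") != "enabled":
            continue
        users, apps = p.get("conditions", {}).get("users", {}), p.get("conditions", {}).get("applications", {})
        if users.get("includeUsers") != ["All"] or apps.get("includeApplications") != ["All"]:
            continue
        if set(users.get("excludeUsers", [])) - break_glass or users.get("excludeGroups"):
            continue
        grant = p.get("grantControls") or {}
        controls = grant.get("builtInControls", [])
        strict_mfa = "mfa" in controls and (len(controls) == 1 or grant.get("operator") == "AND")
        if strict_mfa or grant.get("authenticationStrength"):
            good.append(p["displayName"])
    return good

if __name__ == "__main__":
    report = password_only_report(SAMPLE_SIGNINS)
    print(report["counts"], f"strong-auth coverage {report['strong_auth_coverage']:.0%}")
    for upn, when, app in report["password_only"]:
        print("password-only:", upn, when, app)
    print("MFA-for-all policies:", mfa_for_all_users(SAMPLE_POLICIES))
```

Against a live tenant the two inputs are the JSON from `Get-MgAuditLogSignIn` (or `GET /auditLogs/signIns`) and `GET /identity/conditionalAccess/policies`. Keep the raw exports beside the script output in the evidence pack, since the zero is only meaningful together with the window and the filter that produced it. Policies that exclude groups are failed on purpose: group membership is not in the policy export and has to be evidenced separately, and a policy that says MFA "or" compliant device is not an MFA-everywhere policy however it is named.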

Try it

Score the cyber baseline before the CPS 234 mapping conversation

Twelve questions, an ML1, ML2 and ML3 score, and the prioritised gap list with Microsoft-native remediation paths. The Essential Eight at ML2 is the practical floor for the substantive cyber controls under CPS 234.

The eight strategies the scorer walks through, each scored at four maturity levels:

  • 01 Application control: only approved applications can execute on workstations and servers.
  • 02 Patch applications: internet-facing apps, browsers, Office and PDF readers patched promptly.
  • 03 Microsoft Office macros: macros disabled for users without a demonstrated business need, and allowed only from trusted locations or when signed by a trusted publisher.
  • 04 User application hardening: web browsers and productivity apps hardened against the most common attacks.
  • 05 Restrict administrative privileges: admin accounts limited, separated and reviewed; they are the crown jewels of the tenant.
  • 06 Patch operating systems: operating system patches applied on a schedule that matches the risk.
  • 07 Multi-factor authentication: MFA everywhere that matters, meaning privileged accounts, remote access and important data.
  • 08 Regular backups: backups of important data, configuration and software, and restores you have actually tested.

Frontrow advises APRA-regulated entities on CPS 234 mapping, control implementation and evidence pack preparation against a Microsoft 365 tenant. Phone 1300 012 466 or book a chat through the contact page.

Want us to run this with your team?

30 minutes. No deck. We'll walk through your tenant, your priorities, and the next sensible move.