Self-assess your organisation's capability against APRA's Prudential Standard CPS 234 across five domains — roles, controls, testing, incident response and third-party assurance. Built for Australian banks, insurers, super funds and their material service providers. Export to PDF for the board, Excel for the audit team.
10 questions · 5 domains
APRA CPS 234 Readiness Scorer
Score your organisation's capability to meet APRA Prudential Standard CPS 234 across five domains. Designed for Australian banks, insurers, super funds, RSE licensees and their material service providers. Pick the option closest to your current state.
Domain 1
Roles, responsibilities & board accountability
Clearly defined information security roles across the board, executive, IT and business owners, with documented accountabilities and reporting lines up to the board (which CPS 234 makes ultimately responsible for information security).
Who is the named board-accountable executive for information security?
Source: APRA CPS 234 paragraphs 13 and 14: the Board is ultimately responsible for the entity's information security, and the information security roles and responsibilities of the Board, senior management, governing bodies and individuals must be clearly defined.
How frequently does the board receive information security reporting?
Source: APRA CPG 234 — board oversight and reporting expectations.
Domain 2
Information security controls framework
Documented controls commensurate with size and threat profile, mapped to a recognised framework (Essential Eight, ISO 27001, NIST CSF) and applied across all information assets.
Is the control framework mapped to a recognised baseline?
Source: APRA CPS 234 paragraphs 17 to 19 (information security capability maintained against changing threats; information security policy framework). Note that CPS 234 does not prescribe a particular framework; mapping to a recognised baseline is the usual way of evidencing that the policy framework and controls are complete and commensurate with the entity's exposures.
Are the controls applied to all information assets — including SaaS and third-party-managed?
Source: APRA CPS 234 paragraphs 16 and 21: controls must protect information assets including those managed by related parties and third parties, and the entity must assess the information security capability of any party that manages its information assets.
Domain 3
Testing the controls actually work
Systematic and continuous testing of the design and operating effectiveness of information security controls, with results reported to the board.
How are the information security controls tested?
Source: APRA CPS 234 paragraph 27: control effectiveness must be tested through a systematic testing program, with a frequency commensurate with the rate of change in vulnerabilities and threats, the criticality and sensitivity of the assets, and the consequences of an incident.
How are testing results reported to the board?
Source: APRA CPG 234 — feedback loops to the board.
Domain 4
Incident management & APRA notification
Documented incident response with named owners, defined escalation paths, the 72-hour APRA notification process, and post-incident review.
Does the organisation have a documented incident response runbook with named owners?
Source: APRA CPS 234 paragraphs 23 to 26 (incident management): mechanisms to detect and respond to incidents in a timely manner, response plans covering every stage from detection to post-incident review, and annual review and testing of those plans.
How does the organisation meet the 72-hour APRA notification requirement?
Source: APRA CPS 234 paragraph 35 (incident notification, no later than 72 hours after becoming aware). Paragraph 36 separately requires notification of a material information security control weakness no later than 10 business days after becoming aware of it.
Domain 5
Third-party & service-provider assurance
Documented assurance that material third parties — including SaaS, MSPs and shared-service providers — meet equivalent CPS 234 obligations.
Does the organisation have a register of material third parties with documented information security obligations?
This is an indicative self-assessment, not a substitute for an APRA tripartite review or an external CPS 234 audit. For verified results Frontrow Technology runs in-tenant CPS 234 control mapping engagements with documented evidence packs.
What the scorer covers
Five domains. One CPS 234 readiness picture.
Domain 1
Roles, responsibilities & board accountability
CPS 234 makes the board of the regulated entity ultimately responsible for information security and requires the entity to clearly define the information security roles and responsibilities of the board, senior management, governing bodies and individuals. APRA has repeatedly flagged unclear ownership as a common finding in tripartite reviews. The control needs a documented information security policy framework, named accountabilities at executive level, and a board-level reporting cadence that covers control effectiveness, incidents and material control weaknesses.
Domain 2
Information security controls framework
CPS 234 requires an information security capability 'commensurate with the size and extent of threats' to the entity's information assets, and controls that protect all information assets including those managed by related parties and third parties. CPS 234 does not prescribe a framework; in practice the policy framework is documented, mapped to a recognised baseline such as the Essential Eight, ISO 27001 or NIST CSF, and reviewed whenever the threat environment or the asset estate materially changes. Microsoft 365 E5 (or E3 plus targeted add-ons) supplies the tooling for most Essential Eight Maturity Level 2 controls across the Microsoft estate, but the maturity level is only reached once the tooling is configured and enforced; the gap is usually documentation and configuration evidence rather than licensing.
Domain 3
Testing the controls actually work
CPS 234 explicitly requires testing: not just having controls but verifying through a systematic testing program that they work, at a frequency commensurate with the rate of change in threats and the criticality of the assets. An annual penetration test alone rarely meets that bar. Entities typically supplement it with ongoing technical testing such as attack simulation training in Microsoft Defender for Office 365, Microsoft Secure Score trending, validation that Sentinel detection rules actually fire on known-bad activity, and documented backup restore drills. Secure Score is a configuration posture metric, not evidence of operating effectiveness, so it should be treated as one input rather than a substitute for testing. Test results must be escalated and reported to the board, the testing program itself must be reviewed at least annually, and internal audit must review the design and operating effectiveness of the controls.
Domain 4
Incident management & APRA notification
Material information security incidents must be notified to APRA as soon as possible and no later than 72 hours after the entity becomes aware of them; material control weaknesses must be notified within 10 business days. The incident management process needs documented runbooks, named accountable executives, a tested communication tree, escalation to the board, and a post-incident review that feeds back into the control framework. Microsoft Sentinel and Defender XDR provide the incident timeline and investigation evidence that supports the notification and the post-incident review, provided log retention is long enough to cover the investigation period.
Domain 5
Third-party & service-provider assurance
CPS 234 requires the regulated entity to protect information assets that related parties and third parties manage on its behalf, to assess those parties' information security capability, and to evaluate the design and operating effectiveness of the controls they operate. The CPS 230 reforms tighten this further. The control needs documented vendor risk assessments, contractual flow-down of CPS 234 obligations, and ongoing monitoring of third-party security posture. Microsoft's published SOC 2, ISO 27001 and IRAP attestations evidence Microsoft's side of the shared responsibility model, but relying on them still requires the entity's internal audit to assess whether that assurance is adequate; everything customer-side (tenant configuration, identity, data classification, logging and retention) remains the regulated entity's responsibility.
Frequently asked questions
What Australian financial-services teams ask.
Who does APRA CPS 234 apply to?
CPS 234 applies to all APRA-regulated entities: Authorised Deposit-taking Institutions (banks, building societies, credit unions), general and life insurers, private health insurers, RSE licensees (super funds) and authorised non-operating holding companies. MSPs and SaaS providers are not themselves APRA-regulated, but CPS 234 requires the regulated entity to assess and evaluate the controls of third parties that manage its information assets, and the CPS 230 reforms add lifecycle management and registration of material service providers. In practice those obligations reach many MSPs and SaaS providers through contractual flow-down and assurance requests from their regulated customers.
What is the 72-hour APRA notification requirement?
CPS 234 paragraph 35 requires regulated entities to notify APRA as soon as possible and, in any case, no later than 72 hours after becoming aware of an information security incident that materially affected, or had the potential to materially affect, the entity or the interests of depositors, policyholders, beneficiaries or other customers, or that has been notified to other regulators. The notification typically covers the nature of the incident, its impact, the response, and the steps being taken to prevent recurrence. The 72-hour clock starts at awareness, not at confirmation; APRA expects rapid escalation even when the full impact is still being established, with an update once the facts are known. Paragraph 36 separately requires notification of a material information security control weakness that the entity expects it will not be able to remediate in a timely manner, no later than 10 business days after becoming aware of it.
Does Microsoft 365 satisfy CPS 234 on its own?
Microsoft 365 (typically E5, or E3 with the right add-ons) covers most of the technical controls CPS 234 expects — identity (Entra), endpoint (Defender + Intune), data protection (Purview), threat detection (Sentinel + Defender XDR). What Microsoft does not provide is the documentation, governance, board reporting cadence, third-party register or the testing regime. Those are the customer's responsibility, and they are where most CPS 234 gaps actually live.
How does CPS 234 interact with CPS 230?
CPS 230 is the broader operational risk management standard that commenced on 1 July 2025. It tightens third-party expectations: regulated entities must identify all material service providers, manage them through their lifecycle, and maintain a service provider register. CPS 230 does not replace CPS 234; both apply concurrently, and the CPS 234 third-party requirements (assessing a provider's information security capability and evaluating the controls it operates) sit alongside the CPS 230 material service provider obligations. Together they raise the bar on contractual flow-down, ongoing monitoring, and the evidence an entity must hold about each provider.
Is this assessment audit-ready?
It is a structured self-assessment that is typically used as the starting point for an internal audit cycle or a CPS 234 control mapping engagement. It is not a substitute for an APRA tripartite review or an external CPS 234 attestation. For evidence-grade output Frontrow runs in-tenant CPS 234 mapping projects that produce the documentation APRA expects.