What CPS 234 requires
CPS 234 requires APRA-regulated entities to maintain an information security capability commensurate with the size and extent of threats to their information assets; clearly define information security roles and responsibilities (Board, senior management, governing bodies and individuals); classify information assets by criticality and sensitivity and maintain controls commensurate with that classification; run a systematic testing program to verify the controls actually work; notify APRA within 72 hours of becoming aware of an information security incident that materially affected, or had the potential to materially affect, the entity or the interests of depositors, policyholders or beneficiaries (and within 10 business days of a material control weakness the entity expects it cannot remediate in a timely way); and assess the information security capability of any third party that manages its information assets, SaaS providers included, so that their controls meet the same standard.
How Microsoft 365 maps to the standard
Microsoft 365 provides the tooling for most CPS 234 controls at E5, or E3 plus the relevant add-ons (Entra ID P2 is included in E5; E3 ships with P1). The tooling is necessary, not sufficient: APRA holds the entity accountable, not Microsoft, and every control below only counts once it is configured and evidenced in the tenant. The control mapping: information asset classification: Purview Information Protection sensitivity labels, with content explorer as the classification inventory; identity controls: Entra ID P2 with Privileged Identity Management; access management: Conditional Access plus Entra ID Governance access reviews; threat detection: Defender XDR plus Microsoft Sentinel (an Azure service billed separately on ingestion, not part of the E5 licence); incident response: Sentinel automation rules and playbooks plus documented runbooks; testing: Attack simulation training in Defender for Office 365 and advanced hunting in Defender XDR, which cover phishing resilience and detection coverage but are not the independent, systematic control testing the standard calls for; third-party assurance: Microsoft's SOC 2, ISO 27001 and IRAP reports (available from the Service Trust Portal) are evidence about Microsoft as the provider only, so the entity must still assess and evidence its own tenant-side controls.
Where Australian financial services typically fall short
Three patterns: (1) the asset register exists but is never reconciled with the Microsoft 365 estate, so newly created SharePoint sites and Teams workspaces are never classified; self-service Microsoft 365 group creation is on by default, and unless creation is gated or a sensitivity label is applied at creation, a new Team or site arrives unlabelled and unregistered; (2) testing is annual and external rather than continuous, so drift such as a Conditional Access policy left in report-only mode after a change, or an access review that lapsed, goes unnoticed until the next review; (3) third-party providers are nominally CPS 234-compliant, but the contract language does not actually require equivalent controls or give the entity the right to assess them. CPS 230 (Operational Risk Management, in force from 1 July 2025) tightens the third-party expectation further through its material service provider obligations.
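One way to turn gaps (1) and (2) into a scheduled check rather than an annual one, as an added example written for the Microsoft Graph PowerShell SDK (it is not Frontrow's or Microsoft's own tooling): it lists every Microsoft 365 group (which covers every Team and every group-connected SharePoint site) that carries no sensitivity label or is missing from the register, and reports drift in a Conditional Access baseline. The register CSV layout (a `GroupId` column), the output folder and the three policy names are assumptions for illustration, not taken from the page.

```powershell
# Added example, not Frontrow's code. Requires the Microsoft Graph PowerShell SDK
# (Install-Module Microsoft.Graph) and an account with Group.Read.All and Policy.Read.All.
# Assumptions (not from the page): the register is a CSV with a 'GroupId' column, and the
# Conditional Access baseline names below are hypothetical placeholders.
#Requires -Modules Microsoft.Graph.Groups, Microsoft.Graph.Identity.SignIns

param(
    [string]$RegisterCsv   = '.\information-asset-register.csv',   # assumed layout
    [int]   $NewWithinDays = 30,                                   # flag workspaces created since last run
    [string]$OutDir        = '.\cps234-evidence'
)

Connect-MgGraph -Scopes 'Group.Read.All', 'Policy.Read.All' -NoWelcome
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmm'

# --- Gap (1): workspaces in the tenant that are unlabelled or not in the register.
# Teams and group-connected SharePoint sites are both 'Unified' groups, so one query covers both.
$register = @{}
if (Test-Path $RegisterCsv) {
    Import-Csv $RegisterCsv | ForEach-Object { $register[$_.GroupId] = $true }
}

# assignedLabels is only returned when explicitly selected, hence -Property.
$groups = Get-MgGroup -All -Filter "groupTypes/any(c:c eq 'Unified')" `
    -Property id,displayName,mail,createdDateTime,assignedLabels,resourceProvisioningOptions

$cutoff   = (Get-Date).AddDays(-$NewWithinDays)
$findings = foreach ($g in $groups) {
    $label  = ($g.AssignedLabels | Select-Object -First 1).DisplayName
    $isTeam = $g.ResourceProvisioningOptions -contains 'Team'
    [pscustomobject]@{
        GroupId          = $g.Id
        DisplayName      = $g.DisplayName
        Kind             = if ($isTeam) { 'Team' } else { 'SharePoint/Group' }
        Created          = $g.CreatedDateTime
        SensitivityLabel = if ($label) { $label } else { '' }
        InRegister       = $register.ContainsKey($g.Id)
        NewSinceLastRun  = $g.CreatedDateTime -gt $cutoff
    }
}
$gaps = $findings | Where-Object { -not $_.SensitivityLabel -or -not $_.InRegister }
$gaps | Export-Csv (Join-Path $OutDir "workspace-gaps-$stamp.csv") -NoTypeInformation

# --- Gap (2): control drift. Compare Conditional Access policy state with the set of
# policies the entity has decided must be enforced. Report-only counts as drift.
$baseline = @(
    'CA001 Require MFA for all users',            # hypothetical names
    'CA002 Block legacy authentication',
    'CA003 Require compliant device for admins'
)
$policies = Get-MgIdentityConditionalAccessPolicy -All
$drift = foreach ($name in $baseline) {
    $p = $policies | Where-Object DisplayName -eq $name
    [pscustomobject]@{
        Policy  = $name
        Present = [bool]$p
        State   = if ($p) { $p.State } else { 'missing' }
        Pass    = [bool]($p -and $p.State -eq 'enabled')
    }
}
$drift | Export-Csv (Join-Path $OutDir "ca-drift-$stamp.csv") -NoTypeInformation

$failed = @($drift | Where-Object { -not $_.Pass }).Count
Write-Output ("{0} workspaces unlabelled or unregistered; {1} of {2} baseline CA policies not enforced" -f @($gaps).Count, $failed, $baseline.Count)
```

Run it on a schedule and keep the dated CSVs: they are the continuous-testing evidence the standard's testing obligation asks for, and a non-zero count is a ticket, not a finding for next year's audit. Communication sites that are not group-connected are not Microsoft 365 groups and do not appear in the Graph query; cover them separately with the SharePoint Online Management Shell (`Get-SPOSite -Limit All`, filtering on the `SensitivityLabel` property).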
Working with Frontrow
Frontrow runs CPS 234 control mapping projects for Australian financial services: a documented map of each CPS 234 obligation to the current Microsoft 365 control state, with a remediation plan for the gaps. The output is APRA-pack-ready evidence rather than a generic gap analysis.