APRA CPS 234 is the Australian Prudential Regulation Authority’s information security standard. It requires APRA-regulated entities to maintain information security capabilities commensurate with the size and extent of threats to their information assets.
Who needs CPS 234?
Authorised deposit-taking institutions (banks), general insurers, life insurers, private health insurers, and registrable superannuation entities regulated by APRA in Australia.
Key requirements
| Requirement | Description |
|---|---|
| Information Security Capability | Maintain an information security capability commensurate with the size and extent of threats to the entity's information assets, including assets managed by third parties |
| Policy Framework | Maintain an information security policy framework commensurate with the entity's exposure to vulnerabilities and threats |
| Information Asset Management | Identify and classify information assets by criticality and sensitivity, including those held by related parties and third parties |
| Access Controls | Implement controls to protect information assets, commensurate with their criticality and sensitivity, and restrict access to what each role requires |
| Incident Management | Maintain plans to detect, respond to and recover from incidents, and notify APRA of material incidents and control weaknesses |
| Testing | Test the effectiveness of controls through a systematic testing programme, with frequency commensurate with the rate of change in threats and in the environment |
| Internal Audit | Internal audit reviews the design and operating effectiveness of controls, including controls operated by third parties |
How DSALTA helps
- CPS 234 controls mapped to all APRA requirements
- Asset classification through inventory management
- Testing and evidence automated from integrations
- Cross-framework mapping — overlaps with ISO 27001, SOC 2, and DORA
Frequently asked questions
How does CPS 234 relate to ISO 27001?
CPS 234 is prescriptive and specific to Australian financial services. ISO 27001 provides a broader, industry-agnostic ISMS framework. An ISO 27001 ISMS covers most CPS 234 control requirements, but it does not by itself satisfy the APRA-specific obligations: the Board's ultimate responsibility for information security, assurance over controls operated by third parties, and the statutory notification deadlines to APRA. Those need to be addressed explicitly on top of the ISMS.
What are the notification requirements?
Notify APRA as soon as possible and no later than 72 hours after becoming aware of a material information security incident (one that materially affected, or had the potential to materially affect, the entity or the interests of depositors, policyholders or beneficiaries, or that has been notified to another regulator). Separately, notify APRA within 10 business days after becoming aware of a material information security control weakness that the entity expects it will not be able to remediate in a timely manner.