Who needs CPS 234?
Authorized deposit-taking institutions (banks), general insurers, life insurers, private health insurers, and registrable superannuation entities regulated by APRA in Australia.

Key requirements
| Requirement | Description |
|---|---|
| Information Security Capability | Maintain capability commensurate with threats |
| Policy Framework | Comprehensive information security policy |
| Information Asset Management | Classify and manage information assets |
| Access Controls | Restrict access based on role and necessity |
| Incident Management | Detect, report, and respond to incidents |
| Testing | Regular testing of security controls |
| Internal Audit | Assurance that controls are operating effectively |
How DSALTA helps
- CPS 234 controls mapped to all APRA requirements
- Asset classification through inventory management
- Testing and evidence automated from integrations
- Cross-framework mapping — overlaps with ISO 27001, SOC 2, and DORA
Frequently asked questions
How does CPS 234 relate to ISO 27001?
CPS 234 is prescriptive and specific to Australian financial services. ISO 27001 provides a broader ISMS framework. Implementing ISO 27001 covers most CPS 234 requirements.
What are the notification requirements?
Notify APRA as soon as possible and no later than 72 hours after becoming aware of a material information security incident or control weakness.