
APRA CPS 234 — the practical guide.

CPS 234 is the mandatory information security standard binding all 680 APRA-regulated entities — banks, insurers, superannuation trustees, and other financial institutions overseeing $9.8 trillion in assets. In force since 1 July 2019, it is backed by escalating enforcement, including the landmark $250 million capital charge imposed on Medibank Private after its 2022 data breach.

Most guides covering CPS 234 were written in 2019–2022 and are significantly outdated. The regulatory landscape has changed dramatically: CPS 230 replaced the outsourcing standard on 1 July 2025, the Cyber Security Act 2024 added mandatory ransomware reporting, and the Financial Accountability Regime (FAR) has made individual executives personally accountable for CPS 234 compliance.

Written by practitioners who are ISO 27001 certified and advise APRA-regulated entities on CPS 234 compliance and Lighthouse Assessments.

01 / What CPS 234 is

A legally binding standard for every APRA-regulated entity — not a best-practice guide.

Prudential Standard CPS 234 Information Security is a legislative instrument (F2018L01745) issued by APRA under five Acts of Parliament: the Banking Act 1959, Insurance Act 1973, Life Insurance Act 1995, Private Health Insurance (Prudential Supervision) Act 2015, and Superannuation Industry (Supervision) Act 1993. It commenced on 1 July 2019 and applies to every APRA-regulated entity without exception.

CPS 234 applies to Authorised Deposit-Taking Institutions (banks, credit unions, building societies, foreign ADIs), general insurers (including Category C insurers and authorised NOHCs), life companies (including friendly societies and EFLICs), private health insurers, and RSE licensees (superannuation trustees). Where an entity heads a group, CPS 234 compliance must be applied throughout the group — including non-APRA-regulated entities within it.

CPS 234 vs CPG 234: CPS 234 is the binding standard. CPG 234 (Prudential Practice Guide 234, published June 2019) is non-binding guidance providing APRA's view of sound practice. CPG 234 explicitly states it does not create enforceable requirements. In practice, however, APRA's tripartite assessments have used CPG 234 as a benchmark — entities that disregard it do so at significant regulatory risk.

The standard contains 36 operative paragraphs (13–36) organised across eight obligation areas. APRA has chosen to leave CPS 234 unamended since commencement — rather than changing the standard, it has intensified enforcement and issued supplementary guidance through tripartite assessments and industry letters.

Why 2025–2026 changes everything

The CPS 234 compliance environment has changed fundamentally since 2019. The tripartite assessment programme (covering 300+ entities) revealed widespread, systemic gaps. The Medibank capital charge established that enforcement consequences are real. CPS 230 overhauled outsourcing and business continuity from 1 July 2025. The Cyber Security Act 2024 added mandatory ransomware reporting with its own 72-hour clock. And FAR has made individual executives personally accountable for CPS 234 obligations in a way that didn't exist when the standard commenced.

02 / The eight obligation areas

What CPS 234's 36 paragraphs actually require — and where APRA is finding failures.

The following covers each obligation area and, where APRA has published findings, the practical gaps being found across the industry.

Para 13–14
Board & Senior Management Accountability
The Board is ultimately responsible for information security, commensurate with the size and extent of threats. Entities must clearly define information security roles and responsibilities — Board, senior management, committees, and individuals with operational accountability.
APRA finding
APRA's 2022 pilot found "little evidence of boards actively reviewing and challenging" management's cyber reporting. Management reporting was assessed as "not fit-for-purpose." APRA's June 2025 letter to RSE licensees explicitly required identification of FAR Accountable Person(s) for CPS 234 — making individual executive accountability explicit for the first time.
Para 15–17
Information Security Capability
Entities must maintain an information security capability commensurate with the size and extent of threats. This extends to third parties — entities must assess that third-party capability is proportionate to the potential consequences of an incident. Capability must be actively maintained as threats and vulnerabilities change.
Practical challenge
The "commensurate with threats" formulation is deliberately principles-based — APRA does not prescribe specific controls. CISOs report this leaves "too much room for interpretation" compared to prescriptive frameworks like the Essential Eight. Smaller entities without dedicated security teams face particular difficulty demonstrating adequate capability assessment.
Para 20
Information Asset Classification
Entities must classify all information assets — including those managed by third parties — by criticality (potential impact from loss of availability) and sensitivity (potential impact from loss of confidentiality or integrity). Classification must reflect impact on customers, policyholders, beneficiaries, and depositors. Assets must be reviewed at least annually or upon material change.
APRA finding
"Incomplete identification and classification of critical and sensitive information assets" was one of the six most common gaps identified across the tripartite assessment programme. CPG 234 requires interrelationship mapping — a non-critical asset that could compromise a critical one must inherit the higher rating. Infrastructure and physical access systems are in scope and frequently missed.
Para 21–22
Implementation of Controls
Controls must be implemented across the full asset lifecycle (from planning through decommissioning), commensurate with vulnerabilities, threats, asset criticality and sensitivity, and potential incident consequences. For third-party-managed assets, entities must evaluate the design of third-party controls — not merely assume they are adequate. This applies to all third-party-managed assets, not only material outsourcing arrangements.
APRA finding (Aug 2024)
APRA identified configuration management as "especially problematic in the financial sector with aging core legacy platforms and old code mixed with modern apps and software." Privileged access management was identified as a separate common weakness. Entities managing end-of-life technology must maintain documented refresh plans.
Para 23–26
Incident Management
Entities must have robust mechanisms to detect and respond to incidents in a timely manner; maintain response plans for incidents that could plausibly occur; cover all stages from detection through post-incident review; and include board escalation mechanisms. Response plans must be reviewed and tested annually.
APRA finding
22% of entities had not tested their cyber incident response plans in the past 12 months. Response plans must incorporate third-party integration, customer communication strategies, and clear linkages to business continuity and crisis management. APRA expects testing with severe but plausible scenarios, not just tabletop exercises.
Para 35–36
APRA Notification
Two distinct notification obligations: a 72-hour window for material security incidents (Para 35) and a 10-business-day window for material control weaknesses the entity does not expect to remediate in a timely manner (Para 36). Both are covered in detail in section 03 below.
APRA finding
"Inconsistent reporting of material incidents and control weaknesses to APRA" was one of the six most common tripartite assessment gaps. APRA has also made clear that findings from tripartite assessments identifying material gaps constitute a Paragraph 36 notifiable weakness — an entity that receives such a finding cannot treat the assessment itself as a substitute for self-reporting.
Para 27–31
Testing of Controls
A systematic testing program is required, with nature and frequency commensurate with threat changes, asset criticality, incident consequences, and exposure to untrusted environments. Testing must be conducted by appropriately skilled and functionally independent specialists. Deficiencies not remediable in a timely manner must be escalated to the Board. The testing programme must be reviewed at least annually.
APRA finding
"Inadequate definition and execution of control testing programs" — testing was described as "incomplete, inconsistent, lacks independence and does not provide adequate assurance for management and the Board." CPG 234 explicitly identifies penetration testing (for network protection, unauthorised access, software security) and red team testing as expected approaches. More than one-third of entities had not tested critical system backups in the past 12 months.
Para 32–34
Internal Audit
Internal audit must review the design and operating effectiveness of information security controls, including controls maintained by third parties. Assurance must be provided by personnel with appropriate information security skills. Where internal audit intends to rely on third-party assurance, it must first assess the adequacy of that assurance.
APRA finding
"Limited internal audit review of information security controls" was a top-six gap. Paragraph 34's scope is critically broad — it covers all information assets managed by related and third parties, not only those under CPS 231/SPS 231 outsourcing agreements. Internal auditors often lack the information security skills required to meet this obligation.
03 / Notification obligations

The 72-hour and 10-business-day rules — triggers, timing, and the new dual reporting obligation.

CPS 234 imposes two distinct notification obligations. The clock in both cases starts from the moment the entity becomes aware — not from when the incident occurred or was confirmed. APRA expects notification even without complete information.

72hr
Para 35 · Incident notification
Material security incidents
Notify APRA as soon as possible, no later than 72 hours from becoming aware. Applies to both actual and potential material impact — you do not need to confirm harm before notifying.
Triggers notification
  • Materially affected the entity financially or non-financially (including reputationally, operationally)
  • Had the potential to materially affect the entity or customer interests
  • Has been notified to any other regulator in any jurisdiction — automatic trigger regardless of materiality
10 days
Para 36 · Control weakness notification
Material control weaknesses
Notify APRA as soon as possible, no later than 10 business days from becoming aware of a material control weakness the entity does not expect to remediate in a timely manner.
Sources that trigger notification
  • Testing and assurance activities (including penetration testing)
  • Tripartite CPS 234 assessment findings identifying material gaps
  • Vendor vulnerability and patch notifications
  • Third-party security notifications
  • Incidents that reveal an underlying control weakness

The new dual reporting obligation — Cyber Security Act 2024

The Cyber Security Act 2024 (Royal Assent 29 November 2024, Part 3 effective ~30 May 2025) added Australia's first mandatory ransomware payment reporting obligation. For APRA-regulated entities that pay a ransom, this creates a dual 72-hour reporting obligation to two different regulators:

Dual obligation for ransomware payments: Report the incident to APRA under CPS 234 Paragraph 35 (72 hours, via APRA online forms) AND report the payment to ASD/ACSC under the Cyber Security Act Part 3 (72 hours from making the payment, via cyber.gov.au portal). Different forms. Different regulators. Different content requirements. Both run simultaneously from different trigger points.

Ransomware payment reporting applies to entities carrying on business in Australia with annual turnover exceeding $3 million. The obligation covers making a payment — demands without payment do not trigger it. Limited use protections mean information in ransomware reports cannot be used for criminal prosecution of the reporting entity.

APRA-regulated entities also face obligations to the OAIC (Privacy Act notifiable data breach scheme), ASIC (continuous disclosure for listed entities; AFSL obligations), and potentially SOCI Act obligations. Dual-regulated entities may have five reporting obligations running concurrently after a significant incident.
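The timing rules in this section are easy to get wrong under incident pressure, because the windows start from different trigger points (awareness for CPS 234, payment for the Cyber Security Act) and one of them is counted in business days. The tracker below is an added illustration written for this guide, not APRA's or ASD's tooling; it assumes fixed-offset AEST, a Monday-to-Friday business week minus a constructed holiday list, and that the 10-business-day window ends on the tenth business day after the awareness date.

```python
"""Notification-deadline tracker for the obligations described above.

Assumptions (not stated on the page): fixed-offset AEST with no DST handling;
'business day' = Monday to Friday excluding a constructed holiday list; the
Para 36 window ends at 23:59:59 on the tenth business day after awareness.
"""
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta, timezone
from typing import Optional

AEST = timezone(timedelta(hours=10))  # assumption: fixed offset, no DST

# Constructed sample holiday calendar; replace with the entity's own list.
HOLIDAYS = {
    date(2025, 12, 25), date(2025, 12, 26), date(2026, 1, 1), date(2026, 1, 26),
}

RANSOMWARE_TURNOVER_THRESHOLD_AUD = 3_000_000  # Cyber Security Act 2024 Part 3


@dataclass
class Incident:
    occurred_at: datetime                 # when it actually happened (does NOT start the clock)
    aware_at: datetime                    # when the entity became aware (starts both CPS 234 clocks)
    material_impact: bool = False         # actual material financial / non-financial effect
    potential_material_impact: bool = False
    notified_other_regulator: bool = False  # automatic Para 35 trigger regardless of materiality
    control_weakness_found: bool = False    # incident revealed an underlying control weakness...
    remediable_timely: bool = True          # ...that the entity does not expect to fix in a timely way
    ransom_paid_at: Optional[datetime] = None  # a demand alone does not trigger Part 3 reporting
    annual_turnover_aud: int = 0


@dataclass
class Obligation:
    regulator: str
    reference: str
    starts_from: str
    deadline: datetime


def is_business_day(d: date) -> bool:
    return d.weekday() < 5 and d not in HOLIDAYS


def add_business_days(start: date, n: int) -> date:
    """Return the n-th business day strictly after `start`."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if is_business_day(d):
            n -= 1
    return d


def para35_triggered(inc: Incident) -> bool:
    # Para 35: actual or potential material impact, or notified to any other regulator.
    return inc.material_impact or inc.potential_material_impact or inc.notified_other_regulator


def para36_triggered(inc: Incident) -> bool:
    # Para 36: material control weakness not expected to be remediated in a timely manner.
    return inc.control_weakness_found and not inc.remediable_timely


def ransomware_report_required(inc: Incident) -> bool:
    # Cyber Security Act Part 3: only an actual payment, and only above the turnover threshold.
    return inc.ransom_paid_at is not None and inc.annual_turnover_aud > RANSOMWARE_TURNOVER_THRESHOLD_AUD


def obligations(inc: Incident) -> list[Obligation]:
    """All concurrent notification obligations, earliest deadline first."""
    out: list[Obligation] = []
    if para35_triggered(inc):
        out.append(Obligation("APRA", "CPS 234 Para 35", "awareness",
                              inc.aware_at + timedelta(hours=72)))
    if para36_triggered(inc):
        end_day = add_business_days(inc.aware_at.date(), 10)
        out.append(Obligation("APRA", "CPS 234 Para 36", "awareness",
                              datetime.combine(end_day, time(23, 59, 59), tzinfo=inc.aware_at.tzinfo)))
    if ransomware_report_required(inc):
        # Note the different trigger point: 72 hours from the payment, not from awareness.
        out.append(Obligation("ASD/ACSC", "Cyber Security Act Pt 3", "payment",
                              inc.ransom_paid_at + timedelta(hours=72)))
    return sorted(out, key=lambda o: o.deadline)


if __name__ == "__main__":
    # Constructed sample: aware on Tue 23 Dec 2025, ransom paid the next day.
    sample = Incident(
        occurred_at=datetime(2025, 12, 20, 3, 0, tzinfo=AEST),
        aware_at=datetime(2025, 12, 23, 9, 0, tzinfo=AEST),
        material_impact=True, control_weakness_found=True, remediable_timely=False,
        ransom_paid_at=datetime(2025, 12, 24, 15, 0, tzinfo=AEST),
        annual_turnover_aud=50_000_000,
    )
    for o in obligations(sample):
        print(f"{o.deadline:%Y-%m-%d %H:%M}  {o.regulator:<9} {o.reference:<24} (from {o.starts_from})")
```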

04 / The enforcement record

From guidance-based to enforcement-intensive — what APRA has actually done.

APRA describes its supervisory approach as "constructively tough." For the first several years of CPS 234's operation, this was largely guidance-based. The Medibank enforcement action marked a clear shift toward consequence-based enforcement, and APRA's response to the 2025 superannuation attacks demonstrated it is prepared to intervene directly in the sector.

July 2019
CPS 234 commences
Standard takes effect for all APRA-regulated entities. Third-party obligations follow from the earlier of next contract renewal or 1 July 2020. APRA begins industry engagement and guidance.
Mid 2021 — Mid 2023
Tripartite assessment programme — 300+ entities
APRA's tripartite model (APRA + entity + independent external auditor under ASAE 3150) covered more than 300 banks, insurers, and superannuation trustees. The first tranche (~24% of entities) completed by mid-2023.
June 2023
Medibank — $250 million capital charge
APRA imposed a $250 million increase to Medibank Private's capital adequacy requirement following its October 2022 breach — the first time APRA imposed capital requirements specifically for a cyber attack. The charge applies until remediation is completed to APRA's satisfaction. Medibank has been spending approximately AU$40M/year on IT security remediation, with total expected spend of AU$126 million over three years.
July 2023
APRA publishes six common gaps
APRA publishes findings from the first tranche of tripartite assessments — detailed in section 05 below. Supplementary data reveals more than one-third of entities had not tested critical system backups, and 22% had not tested incident response plans, in the past 12 months.
August 2024
Three additional weaknesses identified
APRA's second industry letter identifies configuration management, privileged access management, and security testing coverage as further systemic weaknesses. Explicitly states that identified gaps constituting material risk must be self-reported under Paragraph 36.
April 2025
Superannuation credential stuffing attacks
Credential stuffing attacks hit multiple super funds — AustralianSuper, Australian Retirement Trust, Rest, Hostplus, Cbus Super, Media Super, and Insignia's Expand platform — affecting 12.6 million members and resulting in nearly $500,000 stolen from four members.
June 2025
APRA writes to all RSE Board chairs
APRA Deputy Chair Margaret Cole writes directly to all RSE licensee Board chairs requiring self-assessment of authentication controls, MFA or equivalent for all high-risk activities, Paragraph 36 notifications for material weaknesses, identification of FAR Accountable Persons, and special-purpose external engagements for directly affected funds. Deadline: 31 August 2025.

APRA's enforcement toolkit: Intensified supervisory oversight → root cause analysis requirements → remediation plan requirements → material control weakness breach notifications → additional capital charges (Medibank precedent) → additional licence conditions (United Super/Cbus, 2024–2025) → formal court-based enforcement. APRA has not yet pursued court-based enforcement specifically for CPS 234 — but the trajectory of the enforcement programme indicates this is a matter of when, not if.

05 / APRA's six common gaps

What the tripartite assessments found — across more than 300 entities.

APRA's July 2023 findings from the first tranche of tripartite assessments identified six pervasive control gaps. These are not isolated findings — they represent systemic weaknesses across the sector. If your CPS 234 programme has not directly addressed each of these, you are likely carrying one or more of the gaps APRA found most broadly.

  1. Incomplete identification and classification of information assets
     Entities had not identified and classified all critical and sensitive information assets — including infrastructure, ancillary systems, and third-party-managed assets. Non-critical assets that could compromise critical ones were not being rated accordingly. Classification was not reviewed annually or upon material change as required.
  2. Limited assessment of third-party security capability
     60% of entities had not assessed all IT service providers' security control testing in the past 12 months. Some relied solely on self-assessment surveys without independent verification. Certifications like SOC 2 and ISO 27001 were used as proxies without evaluating whether they covered the relevant services and controls in scope.
  3. Inadequate control testing programs
     Testing was "incomplete, inconsistent, lacks independence and does not provide adequate assurance for management and the Board." Testing programmes did not cover sufficient controls, were not calibrated to the rate of threat change, and were not being conducted by sufficiently skilled and independent specialists.
  4. Incident response plans not reviewed or tested
     22% of entities had not tested their cyber incident response plans in the past 12 months. Plans were not integrated with third-party response, did not cover all required incident stages, and were not linked clearly to business continuity and crisis management processes.
  5. Limited internal audit review of security controls
     Internal audit was not adequately reviewing information security controls — particularly third-party controls. Internal auditors lacked the information security skills required. The broad scope of Paragraph 34 (covering all third-party-managed assets, not only CPS 231 material outsourcing) was not being applied.
  6. Inconsistent reporting of incidents and control weaknesses
     Entities were not consistently notifying APRA of material incidents (Paragraph 35) and material control weaknesses (Paragraph 36). APRA has since made clear that tripartite assessment findings identifying material gaps must themselves be self-reported under Paragraph 36 — receiving an assessment finding is not an alternative to notification.

06 / Third-party requirements

The scope is broader than CPS 231 — and much broader than most entities realise.

CPS 234's third-party requirements are one of its most frequently misunderstood aspects. The standard explicitly states its obligations apply to all information assets managed by related parties and third parties — not only those captured under CPS 231 material outsourcing agreements. CPS 231 (now replaced by CPS 230) applied to "material business activities." CPS 234 applies to every information asset, regardless of whether a formal outsourcing arrangement exists or whether the activity is considered material.

Third-party obligations run throughout the standard: capability assessment (Para 16), asset classification (Para 20), control implementation and design evaluation (Para 21–22), testing assessment (Para 28), internal audit review (Para 32), and assessment of third-party assurance (Para 34). An entity cannot satisfy CPS 234 by focusing only on its own internal controls.

The fourth-party risk problem: CPG 234 directly addresses sub-contractor risk. APRA expects entities to take reasonable steps to satisfy themselves that third parties have sufficient controls covering their sub-contractors. Many entities have detailed security programmes for their primary service providers and no visibility beyond that level.

Practical third-party compliance challenges

The scale of third-party ecosystems creates a genuine practical challenge — large institutions may have hundreds or thousands of third-party providers, each requiring some level of assessment. APRA has acknowledged this in tripartite findings but has not reduced the standard's requirements. Common approaches APRA has found inadequate: relying solely on vendor self-assessment questionnaires; accepting ISO 27001 or SOC 2 certifications as proxies without evaluating scope; and performing point-in-time assessments rather than continuous monitoring.

CPS 230 (effective 1 July 2025) added further requirements for "material service providers" — entities must maintain annual registers of material service providers submitted to APRA (first due 1 October 2025), with contractual provisions allowing APRA to review documentation and conduct on-site visits. CPS 234's third-party information security obligations sit alongside these new CPS 230 requirements.

07 / Framework relationships

CPS 234, ISO 27001, the Essential Eight, and NIST — how they fit together.

APRA-regulated entities commonly navigate CPS 234 alongside other frameworks. The relationship between them is complementary, not competing — each serves a distinct purpose.

Dimension              | CPS 234                              | ISO 27001                                  | Essential Eight
Nature                 | Mandatory (legislative instrument)   | Voluntary, certifiable                     | Mandatory for APS/government; advisory for private sector
Approach               | Principles-based, risk-proportionate | Risk-based ISMS (93 controls)              | Prescriptive — 8 specific mitigation strategies
Scope                  | Financial sector only                | Any organisation, any sector               | Any organisation; technical focus
Notification           | 72hr/10-business-day APRA requirements | No mandatory notification equivalent     | No mandatory notification equivalent
Third-party            | Pervasive — all information assets   | Supplier management (A.5.19–A.5.22)        | Not addressed directly
Board accountability   | Ultimate board responsibility + FAR  | Top management commitment required         | Not addressed
Role as APRA baseline  | Is the baseline                      | Certification supports CPS 234 compliance  | De facto baseline via industry letters

ISO 27001 and CPS 234

Entities already certified to ISO 27001 have a strong foundation for CPS 234 compliance — the ISMS provides structure, documented processes, and evidence trails that directly support CPS 234 obligations. However, ISO 27001 certification does not satisfy CPS 234. Entities must separately address CPS 234-specific requirements: APRA notification obligations (72 hours, 10 business days), board ultimate accountability under Australian prudential regulation, and the depth of third-party information security assessment that APRA expects.


The Essential Eight as de facto CPS 234 baseline

CPS 234 does not mandate Essential Eight compliance. But APRA has progressively established it as the practical technical benchmark through industry letters. APRA has specifically called out MFA ("one of the Essential Eight mitigation strategies"), daily backups ("the use of regular backups is one of the Essential Eight"), and application patching in separate communications. Following the 2025 super fund attacks, APRA required self-assessment against authentication controls directly referencing CPS 234 and CPG 234 guidance on MFA — the same standard as Essential Eight Strategy 7.

Key practical implication: Failure to implement key Essential Eight controls — particularly MFA — may now be treated by APRA as a notifiable material control weakness under Paragraph 36, even though CPS 234 does not explicitly mandate the Essential Eight. The de facto standard has changed without the formal standard being amended.

08 / CPS 230 — the new companion standard

What changed on 1 July 2025 — and how CPS 230 interacts with CPS 234.

CPS 230 Operational Risk Management commenced on 1 July 2025, replacing five existing standards: CPS 231 (Outsourcing), CPS 232 (Business Continuity Management), SPS 231, SPS 232, and HPS 231. It represents the most significant restructuring of APRA's operational resilience requirements since CPS 234 itself.

CPS 230 explicitly requires entities to "meet the requirements for information security in CPS 234" when managing technology risks. The two standards are designed to be complementary — CPS 234 addresses information security specifically; CPS 230 covers broader operational risk and resilience.

What CPS 230 adds

CPS 230's key additions relevant to CPS 234 practitioners include: a critical operations framework requiring identification of processes which, if disrupted beyond tolerance levels, would materially affect customers or the financial system; enhanced material service provider management policies and annual registers submitted to APRA (first register due 1 October 2025); 24-hour notification for disruptions to critical operations outside tolerance (separate from CPS 234's 72-hour information security incident notification); and contractual provisions allowing APRA to review documentation and conduct on-site visits with material service providers.

Service provider contract transition: Existing service provider contractual arrangements must comply with CPS 230 by the earlier of 1 July 2026 or the next renewal date. Entities with legacy contracts that lack APRA access rights, adequate security provisions, or termination rights must prioritise renegotiation before this deadline.

APRA announced in October 2025 it will consult on targeted amendments to CPS 230 for non-traditional service providers (stock exchanges, payment schemes, clearing facilities), so the standard continues to evolve. Non-significant financial institutions received relief until 1 July 2026 for certain new business continuity requirements.

09 / The full regulatory stack

What APRA-regulated entities are now operating under — as of early 2026.

The compliance environment for Australian financial institutions has become significantly more complex since CPS 234 commenced in 2019. As of February 2026, entities face an overlapping set of obligations from multiple regulators and Acts.

CPS 234
Since Jul 2019
Information security. Board ultimate responsibility, capability, asset classification, controls, testing, incident management, APRA notification (72hr/10 business days), internal audit. No formal amendments since commencement.
CPS 230
Since Jul 2025
Operational risk and resilience. Critical operations identification, material service provider registers, enhanced BCP requirements, 24-hour disruption notification. Replaces CPS 231, CPS 232, SPS 231, SPS 232. Explicitly requires CPS 234 compliance for technology risks.
Cyber Security Act 2024
Part 3 from May 2025
Ransomware payment reporting. 72-hour reporting to ASD/ACSC for any ransomware payment made by entities with annual turnover >$3M. Separate from and runs concurrently with CPS 234 notification. Limited use protections apply. Phase 2 active enforcement from January 2026.
FAR
ADIs Mar 2024 · Others Mar 2025
Financial Accountability Regime. Personal accountability for senior executives and directors. APRA's June 2025 super letter explicitly linked FAR Accountable Person identification to CPS 234 compliance — making individual accountability for information security obligations explicit for the first time.
SOCI Act
Ongoing
Security of Critical Infrastructure Act. Applies to financial services entities in scope as critical infrastructure. Requires cyber incident reporting to ACSC. Obligations run alongside (not in place of) CPS 234 APRA notification. ERP Act 2024 expanded government incident response powers.
Privacy Act / OAIC
NDB scheme ongoing
Notifiable data breach scheme. 1,113 breaches notified in 2024 — a record high. Finance sector was second-most notified sector in H1 2025 (14% of all notifications). Must notify OAIC and affected individuals of eligible data breaches as soon as practicable.
ASIC
Ongoing
For dual-regulated entities. Continuous disclosure obligations (listed entities); AFSL obligations under s 912A (RI Advice Group precedent established cyber failures can breach AFSL obligations); director duty of care and diligence encompasses cyber risk. Protocol with APRA for managing cyber incidents at dual-regulated entities in development.

The practical consequence for large APRA-regulated entities is that a significant cyber incident may simultaneously trigger notification obligations to APRA (CPS 234), ACSC (Cyber Security Act, if ransom paid), OAIC (Privacy Act, if personal data affected), ASIC (continuous disclosure, if listed), and CISC (SOCI Act, if in scope). Each has different forms, different content requirements, and different (but overlapping) timeframes.

10 / How we help

What the Cliffside approach to CPS 234 compliance actually looks like.

We hold ISO/IEC 27001:2022 certification ourselves and advise APRA-regulated entities across banking, insurance, and superannuation on CPS 234 compliance. We understand what APRA is actually finding in tripartite assessments — because we see the findings, assess against them, and help entities remediate them.

Our Lighthouse Assessment provides an independently verified picture of your CPS 234 maturity — mapped against all eight obligation areas, calibrated against the six common gaps APRA published in 2023, and honest about the distance between your self-assessed position and where an independent assessor would place you. We will tell you what your tripartite assessment is likely to find before APRA does.

  • Independently verified CPS 234 maturity rating across all 36 operative paragraphs
  • Honest assessment against APRA's six published gap categories — with specific findings
  • Third-party security assessment programme design — scoped correctly under Para 16, 22, 28, and 34
  • Notification readiness review — 72-hour incident protocol, 10-business-day weakness protocol
  • Board reporting framework that meets APRA's expectation for meaningful board engagement
  • Integration with your ISO 27001 ISMS where applicable — no duplicate effort
  • CPS 230 gap assessment — material service provider registers, critical operations identification
  • Transferable report — yours to use, share with auditors, or present to APRA

The pattern across the tripartite assessments is consistent: entities are surprised by the gap between their self-assessed position and independent verification. If you haven't had your CPS 234 compliance independently assessed since the 2023 findings were published, your assessment predates the benchmarks APRA is now applying.

APRA CPS 234

Know what APRA will find — before they do.

The Cliffside Lighthouse Assessment delivers an independently verified CPS 234 maturity rating across all 36 operative paragraphs — calibrated against APRA's published tripartite findings and the six common gaps identified across more than 300 entities. We tell you honestly where your compliance programme stands and what to fix before your next regulatory review.

What you get from the Lighthouse Assessment
  • Independently verified maturity rating across all 36 CPS 234 operative paragraphs
  • Assessment against APRA's six published tripartite gap categories — with specific findings
  • 72-hour and 10-business-day notification readiness review
  • Third-party security programme assessment against Para 16, 22, 28, and 34
  • Board reporting framework review against APRA's stated expectations
  • Transferable report — yours to share with auditors, your board, or APRA