CPS 234
Information Security.
APRA's prudential standard requiring information security capability commensurate with the size and nature of threats to a regulated entity's information assets. The first APRA standard to mandate notification of information security incidents to the regulator.
CPS 234's 72-hour notification clock means firms can no longer 'manage' an incident quietly. The standard's testing requirements are routinely cited in APRA audits: if you can't show controls have been tested at a frequency commensurate with risk, you've failed compliance, even if no incident has occurred.
What CPS 234 requires.
How BackPro handles each obligation.
Information asset register
Identify and classify information assets by criticality and sensitivity. Maintain an inventory that reflects how the asset's loss, unavailability, or compromise would affect the firm and its customers.
Information security capability
Maintain information security capability commensurate with the size and nature of threats. This includes people, processes, and technology: all three, not just the technical stack.
Implementation of controls
Implement information security controls designed to mitigate identified threats. Controls must be commensurate with the criticality of the protected asset.
Incident management
Maintain a documented incident management plan. Detect, respond to, recover from, and learn from information security incidents.
Testing of controls
Test the effectiveness of information security controls at a frequency commensurate with risk. Scenarios must include realistic threat conditions, and independent specialists must be used where appropriate.
Notification to APRA
Notify APRA within 72 hours of a material information security incident, and within 10 business days of a control deficiency identified through testing.
What BackPro produces for CPS 234.
The artifacts your auditor expects. Hashed, signed, timestamped, exportable. Generated continuously while you work, not assembled in the week before the audit.
Discovered, classified, and linked to the controls protecting each asset. Refreshed on system changes.
Documented people / process / technology capability with gap-analysis against APRA's expectations.
Per-control implementation evidence with configuration snapshots and owner attestation.
Per-incident timeline, decisions, communications, and post-incident review, generated automatically.
Scenario-by-scenario pass/fail evidence with reproducible test artefacts and remediation log.
Pre-formatted notification with incident classification, scope, timeline, and remediation plan.
CPS 234, in plain words.
See CPS 234 mapped to your own controls.
Forty‑five minutes with our team. We take your existing control register, map it against CPS 234 obligations, and show you which gaps BackPro closes automatically. The mapping is yours to keep whether you proceed with us or not.