CPS 234 Software: Meet APRA Information Security Standard
The CPS 234 information security standard requires APRA (Australian Prudential Regulation Authority) regulated entities in Australia to uphold information security by managing cyber risk, implementing effective controls, having clearly defined information security roles & responsibilities and establishing a defined process to notify APRA of information security incidents. Camms software can support organizations to implement structured, best-practice processes to meet CPS 234 and CPS 230 requirements.
Cyber risk management
Implement best-practice cyber risk management to understand cyber risk exposure and set controls to reduce information security risk.
Cyber incident management
Report cyber incidents as they happen, conduct investigations, determine impact, and monitor cases until closed.
Asset management
Maintain a log of information assets classified by type, and document the criticality of each asset and the severity of impact if its data were compromised. Keep IT equipment and licences up to date by implementing effective cyber asset management.
IT third-party risk management
Protect your organization from cyber and IT risks associated with third parties with vendor risk assessments, vendor benchmarking, and performance monitoring.
CPS 234 software capabilities
Manage IT and Cyber Risks
Our cyber risk management solution empowers organizations to meet CPS 234 requirements by identifying cyber risks, creating IT and cyber risk registers, and conducting online cyber risk assessments. Firms can establish Key Risk Indicators (KRIs) and continuously monitor risk levels. Automated workflows facilitate risk escalation and the implementation of risk treatment actions.
Set controls to reduce cyber risk
To achieve compliance with the CPS 234 information security standard, the Camms platform provides a best-practice framework for companies to set controls that manage cyber risk. Capture critical details around vulnerabilities and threats, the criticality and sensitivity of the data, the stage at which information assets are within their lifecycle, and the consequences of a security incident. Controls can be linked to the relevant data set and to any corresponding cyber risks in the risk register.
Testing and Control effectiveness
CPS 234 requires APRA-regulated entities to test the effectiveness of their information security controls through a systematic testing program. The Camms CPS 234 software enables firms to establish a testing program that aligns with the rate at which threats and vulnerabilities change, considers the criticality and sensitivity of the data, examines the consequences of a security incident, accounts for exposure to environments where IT policies cannot be enforced, and reflects the frequency of change to information assets. Firms can also perform control tests for controls relating to relevant third parties who hold company data. Any control deficiencies can easily be reported to the relevant stakeholder, and automated workflows allow for swift escalation and resolution.
Third-Party Risk Management
Implement a best-practice third-party risk management process to effectively oversee the cyber risks and contractual arrangements with service providers. Create a vendor library that captures essential data on contract details, SLAs, KPIs and relevant controls, and monitor ongoing performance against key metrics. Staff, vendors, and suppliers can conveniently complete questionnaires, surveys, and vendor risk assessments online through our vendor portal. Use dashboards and reports to easily track vendor performance and cyber third-party risks. Connect with third-party risk intelligence providers via API integrations to gain insights into vendor risk regarding financial stability, ethical considerations, legal and regulatory issues, and cybersecurity posture.
Demonstrate compliance with CPS 234 and other standards & regulations
Firms can use the Camms platform to manage the regulatory requirements of CPS 234 and CPS 230, the operational risk standard from APRA. Organizations can set up an obligations library that includes any applicable regulations (such as CPS 234, CPS 230, GDPR and other information security standards and regulations) and any internal IT policies, and monitor compliance by implementing step-by-step workflow processes and checks. Teams can receive notifications of pending regulatory cyber updates and implement a best-practice regulatory change management process.
Manage IT policies and ensure compliance
The tool can be used to establish an IT policy library and manage policy changes, approvals, signoffs, and attestations. Firms capture critical details regarding each policy and view reports on policy compliance and employee attestations.
Manage Cyber Audits
Firms can use our CPS 234 software platform to plan and schedule any internal and external audits (including your APRA CPS 234 and CPS 230 audits). Organizations can use best-practice workflows and forms to plan out and schedule audit requirements and internal auditors can complete the findings using online forms. All findings are captured in the platform and any recommendations can be implemented using best-practice case management workflows. Track recommendations and actions by linking audits back to risks and risk treatments where relevant. This provides complete end-to-end traceability and enables reporting to key stakeholders.
Manage & resolve cyber incidents
To align with the new CPS 234 information security standard, the Camms software includes best-practice incident reporting capabilities that help organizations report and resolve cyber incidents quickly in line with CPS 234 requirements. Controls can easily be implemented to lower incident rates, and cyber risks can be mapped to related cyber incidents so that the likely cause can be established using root-cause analysis techniques.
APRA Notification Workflows
To meet CPS 234 requirements, firms must have a formal escalation process in place to notify APRA of potential information security incidents and information security control weaknesses. When using the Camms platform to manage CPS 234 requirements, firms can implement workflows to ensure stakeholders are promptly notified of any cyber incidents and ineffective controls, enabling them to notify APRA within the designated timeframe and fully document the notification process. Alerts are sent via email or SMS with a direct link to the platform, enabling firms to carry out the necessary escalation actions.
Discover how the Camms Platform can help APRA-Regulated entities meet the requirements of the CPS 230 Operational Risk Management Standard
Why choose the Camms platform to manage CPS 234 requirements?
Data security & privacy
The Camms CPS 234 platform is highly secure and certified to cybersecurity standards such as SOC Type 1 & 2, ISO 27001, and Cyber Essentials. Our CPS 234 platform features a structured permissions hierarchy, encryption, and audit trails to safeguard data privacy and ensure compliance with security requirements.
API integrations
The Camms cyber risk platform offers complex API integrations to help firms achieve compliance with CPS 234 information security requirements. These API integrations enable firms to bring cyber risk and cybersecurity data from spreadsheets and other data sources directly into the platform, ensuring a single source of truth for information security data across all sites and departments.
Resources relating to Information Security & CPS 234
The latest and hottest pieces of content relating to CPS 234 and information security to keep you in the loop.
IT GRC: The Cornerstone of Operational Resilience in the Digital Era
In this eBook, our experts identify 8 ways software automation can benefit charities and not-for-profits. We offer insight into how software can digitise your entire
Cyber Risk Management: Does cyber risk get enough boardroom airtime?
This eBook highlights the threats that businesses are facing today, explains why cyber risk should be at the top of the boardroom agenda, and explains the integral part a GRC tool plays in tackling cyber threats.
10 Ways to Reduce Cyber Security Risk
Every business is at risk of cyber-attacks – with cybercrimes predicted to cost $10.5 trillion per year. Cyber security awareness means empowering the people connected
Frequently asked questions about CPS 234
The prudential standard CPS 234 is a new information security standard that is applicable to APRA-regulated entities in Australia.
To operate in line with the requirements of the CPS 234 standard, organizations must:
- Clearly delineate the information security roles and responsibilities of the Board, senior management, governing bodies, and individuals.
- Maintain an information security framework that matches the size and scope of threats to information assets.
- Implement effective controls to protect information assets based on their criticality and sensitivity and conduct regular testing to verify the effectiveness of these controls.
- Notify APRA of significant information security incidents and control weaknesses.
Firms have until 1 July 2025 to align their information security processes with the APRA CPS 234 standard. The CPS 234 requirements are therefore mandatory for APRA-regulated entities from 1 July 2025.
The prudential standard APRA CPS 234 applies to all APRA-regulated entities in Australia, which include many organizations in the financial services industry. According to APRA, CPS 234 applies to:
- Authorized deposit-taking institutions (ADIs), including foreign ADIs, and non-operating holding companies authorized under the Banking Act (authorized banking NOHCs).
- General insurers, including Category C insurers, non-operating holding companies authorized under the Insurance Act (authorised insurance NOHCs) and parent entities of Level 2 insurance groups.
- Life companies, including friendly societies and eligible foreign life insurance companies (EFLICs), and non-operating holding companies registered under the Life Insurance Act (registered life NOHCs).
It is important for financial services firms to comply with APRA CPS 234 because many financial services firms in Australia are APRA-regulated, which makes the new CPS 234 requirements mandatory for them.
There are several processes that organizations need to implement to achieve compliance with APRA CPS 234 requirements. These include:
- Ensuring the organization has clearly defined roles for cyber security responsibilities, with appropriate board responsibility based on the size of the entity.
- Implementing a best-practice cyber risk management program to detect threats and vulnerabilities.
- Implementing effective information security controls and performing regular control testing to check for vulnerabilities.
- Formalizing a cyber incident reporting process that enables cyber incidents to be logged and resolved quickly.
- Establishing a best-practice third-party risk management program to manage the information security risk associated with vendors and suppliers.
- Keeping a log of information security asset types and capturing the criticality and impact if the data were compromised.
- Creating a formalized IT asset management process to ensure all IT equipment and licences are up to date and meet the required cybersecurity standards.
- Creating and maintaining effective cyber security policies and procedures.
- Having a process in place to report any information security incidents or control defects to APRA within the designated timeframes.
- Conducting regular internal audits to assess the design and operating effectiveness of information security controls and third-party IT compliance.
The key features of CPS 234 software include:
- Automated workflows and notifications
- Customizable online forms
- Searchable registers and logs
- Dashboards & reports
- API integrations with other data sources and systems
- Best-practice IT security compliance templates
- Integrations with third-party risk intelligence providers
The key features of APRA-aligned CPS 234 software include:
- Cyber & IT Risk Management
- A cyber controls library, control testing, and monitoring
- Cyber incident management
- An obligations library to monitor compliance with relevant information security regulations and standards including CPS 234
- Third-Party risk management
- Policy Management
- Asset management
- Cyber audit capabilities
Organizations should:
- Implement a best-practice cyber risk management program to identify, assess and manage cyber risks, with effective internal controls, monitoring, control testing, and remediation plans.
- Implement a third-party risk management program to effectively manage the cyber risks associated with vendors including a service provider management policy, formal agreements, and robust monitoring.
- Create a cyber incident reporting process with clear escalation routes and workflows to ensure swift resolution.
- Create an asset management log to easily be able to report on aging IT equipment and expired licences.
- Create a data classification log to capture information assets and the impact if they were compromised.
- Create a formal process to notify APRA of any information security incidents or control failures within the required timelines.
- Establish an internal audit process to review the design and effectiveness of information security controls and to ensure compliance with APRA CPS 234 requirements, with clear routes to implement remedial measures and address issues.
Firms should establish a best-practice third-party risk management program using CPS 234-compliant software. A GRC platform with vendor risk management capabilities allows you to create a comprehensive vendor register that captures essential details such as vendor contracts, costs, key contacts, SLAs, and KPIs. You can easily monitor supplier performance, perform benchmarking and scorecarding (with integrations from risk intelligence providers), and conduct regular online vendor risk assessments through a central online vendor portal. Real-time dashboards and reports provide a complete view of your cyber risk exposure from vendors.
When selecting a CPS 234-compatible software platform to meet the regulatory requirements of CPS 234, leaders must consider:
- Does the platform offer sufficient capabilities to manage CPS 234 APRA requirements? Look for a platform that offers cyber risk management, controls, control and vulnerability testing, cyber incident management, third-party risk management, asset management, policy management, and other supporting functionality such as compliance and audit capabilities out of the box.
- Can the CPS 234 platform be implemented in a way that meets the specific requirements of your organization?
- Can the cyber risk management capabilities scale with your firm as your needs expand and your IT GRC program matures? Look for solutions that enable you to align cyber risk management with the relevant controls, policies, procedures, audits, assets, and information security compliance obligations.
- What data privacy practices and security features does the CPS 234 tool offer as standard, and do they align with your internal IT requirements?
- Does the CPS 234-compatible software link to your other internal systems and data sources via APIs to pull relevant data into and out of the platform, ensuring a single source of truth for cyber risk data and cutting out data input errors?
The benefits of using a GRC platform to manage CPS 234 requirements include:
- A reduction in time spent on cyber risk reporting, data aggregation, and administration tasks.
- GRC and cyber risk platforms provide a centralized view of cyber risk across the entire enterprise enabling you to take proactive measures and implement sufficient controls.
- Governance, risk and compliance solutions enable the entire organization to understand CPS 234 requirements and actively participate in complying with the guidelines, completing cyber risk and control-related tasks and logging and resolving cyber incidents as part of their daily role. This creates ample cyber risk data to inform business decision-making and provide proof of CPS 234 compliance.
- IT GRC solutions generate better visibility of an organization's cyber risk profile, and many offer cyber incident reporting, asset management, compliance, policy management, ESG, business continuity, operational resilience, project risk management, and supply chain and third-party risk management in the same platform for a complete IT GRC process.
- CPS 234-enabled cyber risk platforms reduce the costs associated with cyber risk monitoring and reporting.
- CPS 234-compatible software platforms improve an organization's approach to cyber risk management by facilitating crucial links between cyber risk management, cyber incidents, compliance violations, audit outcomes, assets, and policies.
- IT GRC solutions support firms to carry out adequate due diligence to provide proof of CPS 234 compliance to regulators.
- Poor quality cyber risk data due to a lack of data governance & data entry errors.
- Capturing cyber risk and incident data across various forms and spreadsheets creates data input problems such as copy-and-paste errors, overwritten data, and incomplete fields.
- Disparate cyber risk and incident data held in dispersed, unintegrated spreadsheets creates poor quality data and an inconsistent risk framework that results in distorted reporting outputs, causing problems with CPS 234 compliance.
- Relying on manual processes that lack automation slows down the cyber risk escalation and remediation process, allowing cyber risk to escalate to intolerable levels and leaving companies struggling to meet CPS 234 guidelines.
- Manual ad hoc processes affect compliance with CPS 234, making it hard for firms to prove they are meeting requirements due to a lack of documented evidence.
- Disjointed processes and siloed data make it difficult to link cyber risks to the relevant controls and incidents, audits, and assets, causing gaps in CPS 234 compliance.
- Firms are unable to compare cyber risk & incident data across different sites due to inconsistent risk frameworks and siloed data. This makes it hard to make risk-based decisions and provide proof of CPS 234 compliance across departments and sites.
Get started and request a demo of our CPS 234 enabled information security software platform
Fill out our simple form to see the Camms CPS 234-compatible software solution in action.