← Frameworks / Regulatory

APRA Prudential Standard CPS 234 Information Security

Mandatory prudential standard for all APRA-regulated entities in Australia (banks, insurers, superannuation funds). Requires information security capability, policy frameworks, asset classification, control implementation, incident management, testing of control effectiveness, and 72-hour APRA breach notification.

Clauses: 11

Avg Coverage: 78.6%

Publisher: Australian Prudential Regulation Authority Version: 2019

APRA CPS 234 → SP 800-53 SP 800-53 → APRA CPS 234 Coverage Analysis

Clause	Title	SP 800-53 Controls
Para 15	An APRA-regulated entity must maintain an information security capability commensurate with the size and extent of threats to its information assets	PM-01 PM-03 PM-13 PM-09 PL-09 PL-10 RA-07
Para 16-17	Board must ensure adequate maintenance of information security, senior management implement information security controls	PM-01 PM-02 PS-09
Para 18	Clearly defined information security-related roles and responsibilities	PM-02 PS-01 PS-02 PL-01 PS-09
Para 19-20	Maintain information security capability to manage information security vulnerabilities and threats commensurate with threats	PM-13 AT-02 AT-03 PM-03 RA-05 SI-02 AT-06 RA-07
Para 21	Information asset identification and classification	RA-02 CM-08 PM-05 CM-12 CM-13
Para 22-23	Information security controls must protect information assets commensurate with criticality and sensitivity, and be subject to testing	AC-02 AC-03 AC-06 AC-17 SC-07 SC-08 SC-12 SC-13 SC-28 SI-02 SI-03 SI-04 SI-07 AU-02 AU-03 AU-06 AU-09 AU-12 CA-02 CA-08 SC-45 SI-16
Para 24	Testing by an independent party	CA-02 CA-08
Para 25	Notify APRA of material information security incidents	IR-06 IR-09
Para 26	Notify APRA of material information security control weaknesses	CA-05 IR-06 PM-04 RA-07
Para 27-28	Internal audit review of information security controls	CA-02 PM-06
Para 29-33	Related party and third party arrangements	SA-04 SA-09 SR-01 SR-03 SR-06 SA-21