
APRA Prudential Standard CPS 234 Information Security

Mandatory prudential standard for all APRA-regulated entities in Australia (banks, insurers, superannuation funds). Requires information security capability, policy frameworks, asset classification, control implementation, incident management, testing of control effectiveness, and 72-hour APRA breach notification.

AC Access Control

Control  Name                                                APRA CPS 234 References
AC-02    Account Management                                  Para 22-23
AC-03    Access Enforcement                                  Para 22-23
AC-06    Least Privilege                                     Para 22-23
AC-17    Remote Access                                       Para 22-23

AT Awareness and Training

Control  Name                                                APRA CPS 234 References
AT-02    Security Awareness                                  Para 19-20
AT-03    Security Training                                   Para 19-20
AT-06    Training Feedback                                   Para 19-20

AU Audit and Accountability

Control  Name                                                APRA CPS 234 References
AU-02    Auditable Events                                    Para 22-23
AU-03    Content Of Audit Records                            Para 22-23
AU-06    Audit Monitoring, Analysis, And Reporting           Para 22-23
AU-09    Protection Of Audit Information                     Para 22-23
AU-12    Audit Record Generation                             Para 22-23

CA Security Assessment and Authorization

Control  Name                                                APRA CPS 234 References
CA-02    Security Assessments                                Para 22-23; Para 24; Para 27-28
CA-05    Plan Of Action And Milestones                       Para 26
CA-08    Penetration Testing                                 Para 22-23; Para 24

CM Configuration Management

Control  Name                                                APRA CPS 234 References
CM-08    Information System Component Inventory              Para 21
CM-12    Information Location                                Para 21
CM-13    Data Action Mapping                                 Para 21

IR Incident Response

Control  Name                                                APRA CPS 234 References
IR-06    Incident Reporting                                  Para 25; Para 26
IR-09    Information Spillage Response                       Para 25

PL Planning

Control  Name                                                APRA CPS 234 References
PL-01    Security Planning Policy And Procedures             Para 18
PL-09    Central Management                                  Para 15
PL-10    Baseline Selection                                  Para 15

PM Program Management

Control  Name                                                APRA CPS 234 References
PM-01    Information Security Program Plan                   Para 15; Para 16-17
PM-02    Information Security Program Leadership Role        Para 16-17; Para 18
PM-03    Information Security and Privacy Resources          Para 15; Para 19-20
PM-04    Plan of Action and Milestones Process               Para 26
PM-05    System Inventory                                    Para 21
PM-06    Measures of Performance                             Para 27-28
PM-09    Risk Management Strategy                            Para 15
PM-13    Security and Privacy Workforce                      Para 15; Para 19-20

PS Personnel Security

Control  Name                                                APRA CPS 234 References
PS-01    Personnel Security Policy And Procedures            Para 18
PS-02    Position Categorization                             Para 18
PS-09    Position Descriptions                               Para 16-17; Para 18

RA Risk Assessment

Control  Name                                                APRA CPS 234 References
RA-02    Security Categorization                             Para 21
RA-05    Vulnerability Scanning                              Para 19-20
RA-07    Risk Response                                       Para 15; Para 19-20; Para 26

SA System and Services Acquisition

Control  Name                                                APRA CPS 234 References
SA-04    Acquisitions                                        Para 29-33
SA-09    External Information System Services                Para 29-33
SA-21    Developer Screening                                 Para 29-33

SC System and Communications Protection

Control  Name                                                APRA CPS 234 References
SC-07    Boundary Protection                                 Para 22-23
SC-08    Transmission Integrity                              Para 22-23
SC-12    Cryptographic Key Establishment And Management      Para 22-23
SC-13    Use Of Cryptography                                 Para 22-23
SC-28    Protection of Information at Rest                   Para 22-23
SC-45    System Time Synchronization                         Para 22-23

SI System and Information Integrity

Control  Name                                                APRA CPS 234 References
SI-02    Flaw Remediation                                    Para 19-20; Para 22-23
SI-03    Malicious Code Protection                           Para 22-23
SI-04    Information System Monitoring Tools And Techniques  Para 22-23
SI-07    Software And Information Integrity                  Para 22-23
SI-16    Memory Protection                                   Para 22-23

SR Supply Chain Risk Management

Control  Name                                                APRA CPS 234 References
SR-01    Policy and Procedures                               Para 29-33
SR-03    Supply Chain Controls and Processes                 Para 29-33
SR-06    Supplier Assessments and Reviews                    Para 29-33