
Assess · APRA-regulated

APRA CPS 234 and CPS 230 readiness, evidenced before you attest.

APRA-regulated entities carry two binding obligations: CPS 234 for information security, and CPS 230 for operational risk and resilience, now in force. Your board attests to both. We measure your capability against each, control by control, and hand you the gap register and the assurance your board and APRA expect to see.


Scope agreed in writing before any work. No obligation.

[Figure: Readiness to attestation (APRA). The board attests, backed by independent assurance. CPS 234, information security: roles, assets, testing. CPS 230, operational resilience: critical ops, tolerances, providers. Controls shown as evidenced or gap to close, mapped to ISO 27001 and SOC 2.]

What you are commissioning

Two standards, two engagements, one path.

This page is backed by two named engagements from the Assess track: information-security readiness against CPS 234, and operational-resilience readiness against CPS 230. Each is scoped on its own, and teams often run them together.

Assess track · Typically 3–4 weeks

APRA CPS 234 Information Security Readiness

Meet the prudential standard your board attests to, with the evidence to prove it.

Best for APRA-regulated entities and the providers who serve them.

Includes

  • Information-security capability assessed against each CPS 234 requirement, from policy to control testing
  • Information-security roles defined and the board's ultimate accountability mapped
  • The classification of information assets by criticality and sensitivity reviewed
  • Third-party and related-party arrangements tested against the standard's reach into your supply chain

Deliverables

  • CPS 234 readiness report
  • Control-testing gap register
  • Board-ready assurance summary

Assess track · Typically 3–5 weeks

APRA CPS 230 Operational Resilience Readiness

Show you can keep critical operations running through disruption, and that your providers can too.

Best for APRA-regulated entities preparing for CPS 230.

Includes

  • Critical operations identified, with tolerance levels for disruption set and tested
  • Operational risk and business-continuity capability reviewed against CPS 230
  • Material service-provider arrangements mapped, with concentration and exit risk surfaced
  • Scenario testing of severe-but-plausible disruption against your tolerances

Deliverables

  • CPS 230 readiness report
  • Critical-operations and tolerance register
  • Service-provider risk map

Three reasons APRA-regulated teams call.

The board has to attest

CPS 234 makes your board ultimately responsible for information security, and CPS 230 raises the bar on operational resilience. Directors want evidence behind the attestation, not assurances. We give them a defensible read.

CPS 230 is now in force

The operational-risk standard commenced on 1 July 2025, with extended timing for some service-provider requirements. Teams that built for CPS 234 alone need to close the resilience and service-provider gaps the new standard introduces.

You serve a regulated entity

You are a material service provider to a bank, insurer, or superannuation fund, and their CPS 234 and CPS 230 obligations now reach into your controls. A readiness read lets you answer their assurance requests with evidence.

The method

How we read you against the prudential standards.

01

Control by control, against the standard's own words

CPS 234 capability is assessed against each requirement: information-security roles and board accountability, the classification of information assets, control implementation and testing, and incident response. No paraphrase: the standard as written.

02

Critical operations and tolerances, made explicit

CPS 230 turns on knowing your critical operations and the tolerance levels for disruption you can sustain. We identify them, test them against severe-but-plausible scenarios, and surface where continuity and recovery fall short of the tolerances you have set.

03

The supply chain the standards reach into

Both standards extend to the providers you depend on. We map material service-provider arrangements, surface concentration and exit risk under CPS 230, and test the third-party assurance CPS 234 requires, so the obligations you have passed down are actually being met.

04

Mapped, so you evidence once

Findings are cross-mapped to ISO 27001 and SOC 2, so the work you do for APRA also serves the certifications your customers ask for. One control set, evidenced once, rather than a separate project per regulator.

The path

From readiness to a board you can stand in front of.

Readiness is the first move, and every step after it is a separate decision that stays yours.

  1. Readiness: the gap register against CPS 234 and CPS 230, with a board-ready assurance summary
  2. Remediation: gaps closed under Build, by us, your team, or a partner under our oversight
  3. Assurance: control testing and evidence kept current, continuously, under Operate

Questions

What teams ask about this engagement.

Is CPS 230 actually in force?

Yes. CPS 230 commenced on 1 July 2025, replacing the earlier business-continuity and outsourcing standards, with some service-provider requirements phased on a longer timeline. We assess against the standard as it now binds you and flag where transitional timing still applies.

Can we do CPS 234 and CPS 230 together?

Usually yes, and it is the efficient path. The two overlap on governance, third-party risk, and incident management, so a combined engagement avoids assessing the same ground twice. Each still resolves to its own readiness report, so the board sees each obligation clearly.

We are a service provider, not an APRA entity. Does this apply to us?

It can reach you. Both standards make APRA-regulated entities responsible for the risks their material service providers carry, so those entities increasingly require evidence from you. A readiness read lets you meet those requests with a defensible position rather than a questionnaire scramble.

Do you certify our CPS 234 or CPS 230 compliance?

No, and that is deliberate. Compliance with a prudential standard is a matter between the entity, its board, and APRA, and independent assurance is exactly what the standards contemplate. We prepare you, evidence the gaps, and stand beside you, but we never mark our own work.

How does this sit with our ISO 27001 or SOC 2 program?

They reinforce each other. Most of what CPS 234 expects maps to ISO 27001 Annex A and the SOC 2 criteria, so we measure once and map across, and you avoid running an APRA project and a certification project in parallel.


Scope it before you commit to it.

One conversation, then the scope and the price in writing. Your enquiry arrives already marked for APRA CPS 234 & 230.

© 2026 Alvor, Inc. All rights reserved.
