What is the primary objective of APRA CPS 234?

APRA CPS 234 requires regulated entities to maintain an information security capability commensurate with vulnerabilities and threats to information assets. This minimises the likelihood and impact of incidents on confidentiality, integrity or availability (CIA), including assets managed by related parties or third parties, enabling continued sound operation (paragraphs 1, 15-16). Effective 1 July 2019.

Who is legally or professionally required to comply with APRA CPS 234?

APRA CPS 234 applies to all APRA-regulated entities, including authorised deposit-taking institutions (ADIs), general insurers, life companies, private health insurers and RSE licensees. For Heads of groups, it extends group-wide, including non-regulated entities (paragraphs 2-4). Foreign ADIs, Category C insurers and eligible foreign life insurers comply for Australian branch operations only (paragraph 3).

Does APRA CPS 234 require an external audit or third-party certification?

No, APRA CPS 234 does not mandate external audits or third-party certification. It requires internal audit to review design and operating effectiveness of controls, including those of related parties and third parties, by appropriately skilled personnel (paragraphs 32-34). Entities may rely on third-party assurance if internal audit assesses its adequacy for material-impact assets (paragraph 34).

How often should an assessment for APRA CPS 234 be performed?

APRA CPS 234 requires the testing program to be reviewed at least annually, or upon material changes to information assets or the business environment. Systematic testing of control effectiveness must occur with frequency commensurate with vulnerability/threat changes, asset criticality/sensitivity, incident consequences and exposure to untrusted environments (paragraphs 27, 31).

What are the consequences of non-compliance with APRA CPS 234?

Non-compliance with APRA CPS 234 exposes entities to APRA's prudential enforcement powers, including directions, penalties and heightened supervision. Entities must notify APRA within 72 hours of material incidents (actual/potential material impact on entity/customers) and within 10 business days of material control weaknesses not remediable timely (paragraphs 35-36). APRA may adjust requirements in writing (paragraph 11).

Can APRA CPS 234 be mapped to other international frameworks?

Yes, APRA CPS 234's outcomes-based requirements for governance, controls, testing and third-party management align with frameworks like ISO 27001 and NIST Cybersecurity Framework. It emphasises commensurate capability, asset classification and assurance, allowing mapping to support operationalisation without prescribing specific controls (PPG 234 guidance).

What is the first step to begin implementing APRA CPS 234?

The first step is for the Board to approve oversight of information security, ensuring defined roles/responsibilities and an information security capability commensurate with threats (paragraphs 13-15). This establishes governance, followed by asset classification by criticality/sensitivity (paragraph 20).

What is the primary objective of ISO 28000?

ISO 28000 specifies requirements for establishing, implementing, maintaining, and continually improving a security management system (SMS) with explicit relevance to supply chain security. It operationalizes a Plan-Do-Check-Act (PDCA) cycle across Clauses 4–10, requiring organizations to assess security risks (malicious acts, disruptions, interdependencies), define scope including external processes, embed top management leadership, and integrate risk treatment aligned with ISO 31000. The SMS holistically governs policy, objectives, operational controls, performance evaluation, and continual improvement to protect value across supply chains.

Who is legally or professionally required to comply with ISO 28000?

ISO 28000 is voluntary and applies to all organization types, sizes, and sectors influencing supply chain security, with no legal mandates or thresholds like employee count or revenue. It targets logistics providers, manufacturers, retailers, ports, and government agencies handling goods transport, storage, or related activities. Compliance is driven professionally by customer requirements, contractual flow-downs, insurance incentives, and market access needs, requiring tailoring via context analysis (Clause 4) for proportionality.

Does ISO 28000 require an external audit or third-party certification?

No, ISO 28000 does not require external audits or third-party certification; conformity may be verified internally or externally. Clause 9 mandates a risk-based internal audit program for SMS effectiveness. Certification follows ISO 28003 guidelines via accredited bodies, typically involving Stage 1 (documentation) and Stage 2 (implementation) audits, with annual surveillance, but remains optional for assurance or stakeholder demands.

How often should an assessment for ISO 28000 be performed?

ISO 28000 requires a maintained risk assessment and treatment process (Clause 8.3), with internal audits at planned intervals (Clause 9.2) and management reviews at planned intervals (Clause 9.3), determined by risk, prior results, and changes. Assessments are not fixed-frequency but ongoing via PDCA, triggered by context shifts (Clause 4), nonconformities (Clause 10), or performance data (Clause 9.1), ensuring continual relevance without specified timelines.

What are the consequences of non-compliance with ISO 28000?

ISO 28000 is voluntary, so non-compliance carries no direct legal penalties, fines, or sanctions. Consequences are indirect: heightened supply chain disruptions, financial losses from incidents, regulatory scrutiny in trade facilitation, insurance premium increases, lost contracts due to unmet partner requirements, and reputational damage from security failures, emphasizing risk-managed SMS for business resilience.

Can ISO 28000 be mapped to other international frameworks?

Yes, ISO 28000:2022 aligns with ISO High Level Structure (Annex SL) for integration with other management systems via shared PDCA and clauses. It references ISO 31000 for risk processes (Clause 8.3), ISO 22301 for security plans (Clause 8.6), and bibliography items like ISO 19011 for audits, enabling combined governance, unified audits, and risk registers without sector-specific mappings.

What is the first step to begin implementing ISO 28000?

The first step is determining the organization's context, interested parties, and SMS scope (Clause 4), including internal/external issues and supply chain boundaries. This foundational analysis identifies relevant requirements, externally provided processes, and documented scope, informing leadership policy (Clause 5) and risk planning (Clause 6) for tailored implementation.

Standards Comparison

APRA CPS 234 vs ISO 28000

APRA CPS 234

Mandatory

2019

Australian prudential standard for information security resilience

ISO 28000

Voluntary

2022

International standard for supply chain security management systems.

Quick Verdict

APRA CPS 234 mandates information security resilience for Australian financial firms with strict notifications, while ISO 28000 offers voluntary supply chain security framework globally. Firms adopt CPS 234 for compliance, ISO 28000 for certification and resilience.

Information Security

APRA CPS 234

APRA Prudential Standard CPS 234 Information Security

Cost

€€€€

Complexity

High

Implementation Time

12-18 months

Key Features

Board ultimate responsibility for information security
72-hour APRA notification for material incidents
Extends to third-party managed information assets
Asset classification by criticality and sensitivity
Systematic testing and internal audit assurance

Supply Chain Security

ISO 28000

ISO 28000:2022 Security management systems — Requirements

Cost

€€€

Complexity

High

Implementation Time

12-18 months

Key Features

Risk-based approach aligned with ISO 31000
PDCA cycle for continual security improvement
Supply chain-focused operational controls and plans
Leadership commitment and top management accountability
Integration with other ISO management systems

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

APRA CPS 234 Details

What It Is

APRA Prudential Standard CPS 234 (Information Security) is a binding regulation for Australian financial institutions. Effective from 1 July 2019, it mandates resilient information security capabilities against cyber threats, covering confidentiality, integrity, and availability of assets, including those managed by third parties. It adopts a risk-based, assurance-driven approach with board accountability.

Key Components

Governance: Board oversight, defined roles (paras 13-14).
Risk management: Asset classification by criticality/sensitivity (para 20).
Controls: Commensurate protections across asset lifecycle (para 21).
Testing/assurance: Systematic testing, internal audit (paras 27-34).
Reporting: 72-hour incident notification, 10-day weakness alerts (paras 35-36). No fixed controls; aligns with ISO 27001/NIST; compliance via evidence, no certification.

Why Organizations Use It

Mandatory for APRA-regulated entities (banks, insurers, super funds). Reduces incident impact, ensures operational continuity, builds customer trust. Mitigates regulatory penalties, enforcement actions; enhances resilience, third-party oversight.

Implementation Overview

Phased: gap analysis, policy framework, asset inventory, controls/testing, incident plans. Applies to all sizes via commensurability; group-wide for heads. Internal audit validates; ongoing maintenance required.

ISO 28000 Details

What It Is

ISO 28000:2022 is an international certification standard for establishing, implementing, and improving a security management system (SMS) focused on supply chain security. It uses a risk-based, PDCA (Plan-Do-Check-Act) approach to manage threats like theft, sabotage, and disruptions.

Key Components

Clauses 4-10 cover context, leadership, planning, support, operation, evaluation, and improvement.
Emphasizes risk assessment (aligned with ISO 31000), operational controls, and security plans.
Built on harmonized ISO structure for integration; no fixed controls, tailored to risks.
Certification via third-party audits per ISO 28003.

Why Organizations Use It

Reduces supply chain risks and incidents.
Meets contractual, regulatory, and insurance needs.
Enhances resilience, compliance, and partner trust.
Provides market access and competitive edge.

Implementation Overview

Phased: gap analysis, risk assessment, controls, training, audits.
Scalable for all sizes/industries; 6-36 months typical.
Involves leadership policy, supplier controls, continual reviews.

Key Differences

Aspect	APRA CPS 234	ISO 28000
Scope	Information security and cyber resilience	Supply chain security management system
Industry	Australian financial institutions only	All industries worldwide, sector-agnostic
Nature	Mandatory prudential standard, enforceable	Voluntary certification management standard
Testing	Systematic independent testing, internal audit	Internal audits, management reviews, certification
Penalties	Regulatory enforcement, penalties, directions	No legal penalties, loss of certification

Scope

APRA CPS 234

Information security and cyber resilience

ISO 28000

Supply chain security management system

Industry

APRA CPS 234

Australian financial institutions only

ISO 28000

All industries worldwide, sector-agnostic

Nature

APRA CPS 234

Mandatory prudential standard, enforceable

ISO 28000

Voluntary certification management standard

Testing

APRA CPS 234

Systematic independent testing, internal audit

ISO 28000

Internal audits, management reviews, certification

Penalties

APRA CPS 234

Regulatory enforcement, penalties, directions

ISO 28000

No legal penalties, loss of certification

Frequently Asked Questions

Common questions about APRA CPS 234 and ISO 28000

APRA CPS 234 FAQ

ISO 28000 FAQ

You Might also be Interested in These Articles...

Why applying the NIST CSF Standard is a Life-Saver!

Discover why NIST CSF 2.0 is a life-saver for organizations. This flexible framework's 6 functions—Govern, Identify, Protect, Detect, Respond, Recover—boost res

Top 5 Reasons Automation Tools Like Vanta Slash SOC 2 Type 2 Timelines from Months to Weeks

Automation tools like Vanta cut SOC 2 Type 2 prep from 6 months to 6 weeks, saving 70% costs. See SignWell examples, AWS/Okta/GitHub integrations. CISOs: Get fi

Top 10 Reasons CMMC Level 3 Certification Unlocks Competitive Edge for Primes Handling Critical DoD Programs

Discover top 10 reasons CMMC Level 3 certification unlocks competitive edge for DoD primes. Reduced APT risks, procurement prefs, NIST 800-172 compliance via v2

Run Maturity Assessments with GRADUM

Transform your compliance journey with our AI-powered assessment platform

Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.

100+ Standards & Regulations

AI-Powered Insights

Collaborative Assessments

Actionable Recommendations

Explore More Comparisons

See how APRA CPS 234 and ISO 28000 compare against other standards

Other APRA CPS 234 Comparisons

Other ISO 28000 Comparisons

What It Is

Key Components

Governance: Board oversight, defined roles (paras 13-14).

Risk management: Asset classification by criticality/sensitivity (para 20).

Controls: Commensurate protections across asset lifecycle (para 21).

Testing/assurance: Systematic testing, internal audit (paras 27-34).

Reporting: 72-hour incident notification, 10-day weakness alerts (paras 35-36). No fixed controls; aligns with ISO 27001/NIST; compliance via evidence, no certification.

Key Components

Clauses 4-10 cover context, leadership, planning, support, operation, evaluation, and improvement.

Emphasizes risk assessment (aligned with ISO 31000), operational controls, and security plans.

Built on harmonized ISO structure for integration; no fixed controls, tailored to risks.

Certification via third-party audits per ISO 28003.

Aspect

APRA CPS 234

ISO 28000

Scope

Information security and cyber resilience

Supply chain security management system

Industry

Australian financial institutions only

All industries worldwide, sector-agnostic

Nature

Mandatory prudential standard, enforceable

Voluntary certification management standard

Testing

Systematic independent testing, internal audit

Internal audits, management reviews, certification

Penalties

Regulatory enforcement, penalties, directions

No legal penalties, loss of certification