What It Is

ISO 37301:2021 – Compliance management systems – Requirements with guidance for use is a certifiable international standard for establishing, implementing, maintaining, and improving effective compliance management systems (CMS). It replaces guidance-only ISO 19600, using a risk-based approach, PDCA cycle, and High-Level Structure (HLS) for broad applicability across organizations.

Key Components

• Core clauses: context, leadership, planning, support, operation, performance evaluation, improvement.
• Identifies compliance obligations, assesses risks/opportunities, sets objectives/controls.
• Emphasizes whistleblowing, competence (ISO 37303), measurement (ISO 37302).
• Supports third-party certification via accredited bodies like ANAB.

Why Organizations Use It

• Provides external validation, reduces regulatory/reputational risks.
• Builds integrity culture, enhances stakeholder trust.
• Integrates with ISO 9001/14001/27001; aids ESG/SDGs.
• Drives continual improvement, investor confidence.

Implementation Overview

• Phased: gap analysis, register building, training, audits, certification.
• Scalable for SMEs to enterprises, all sectors.
• 3-year certification cycle with surveillance audits.

What It Is

APRA Prudential Standard CPS 234 (Information Security) is a binding prudential regulation for APRA-regulated financial institutions in Australia. Effective from 1 July 2019, it requires entities to maintain information security capabilities commensurate with threats and vulnerabilities, minimizing impacts on confidentiality, integrity, and availability (CIA) of information assets, including those managed by third parties. It employs a risk-based, assurance-driven model emphasizing governance, testing, and rapid notification.

Key Components

• Board ultimate responsibility (para 13) and defined roles (para 14)
• Asset classification by criticality and sensitivity (para 20)
• Commensurate controls across asset lifecycle (para 21)
• Systematic testing, internal audit assurance (paras 27-34)
• 72-hour notification for material incidents; 10 business days for control weaknesses (paras 35-36) No fixed controls; proportional to risk; integrates with CPS 220/230.

Why Organizations Use It

• Mandatory compliance avoids APRA penalties, enforcement
• Enhances cyber resilience, third-party oversight
• Protects stakeholders, ensures operational continuity
• Builds regulatory trust, competitive edge in finance

Implementation Overview

Phased approach: gap analysis, policy framework, asset inventory, controls/testing, third-party assessments. Targets banks, insurers, super funds; ongoing internal audit, no external certification but APRA supervision.