
APRAcadabra – APRA CPS 234 compliance tips for service providers

Andrew Robinson | January 13, 2020



If you already (or wish to) work with APRA regulated entities, this is for you.


Great news! Our friends at APRA have given your clients until July 1 this year to achieve compliance with CPS 234. Although, that’s… just over 5 months away. Time to get busy.

After breaking it down, you can tell that APRA CPS 234 appears quite straightforward (always awesome), which means there are loads of opportunities for Service Providers!

The first opportunity is helping to identify where your client’s sensitive information is stored or processed, exactly how sensitive it is and who handles it – including any access by third parties.



Other opportunities sit in identifying the roles and responsibilities for information security including implementation of controls, testing control effectiveness and performing audit activities.

However, there is one huge opportunity for Service Providers, which we’ll get to in a tick.


Heads up.

First, it pays to see that APRA CPS 234 is closely aligned with ISO/IEC 27001, meaning it’s an achievable and comparative benchmark for information security in APRA regulated entities.

It is not overly prescriptive, so it must be interpreted in a way that is commensurate with the risk presented to regulated entities of different sizes and natures. That’s where you come in.

This brings us to the greatest opportunity for Service Providers – helping to perform assessments across multiple customers and their third parties within the timeframe given for compliance.

Working backwards from the 1 July 2020 deadline, regulated entities will need to:

1. Report on the overall ‘status of compliance’ to the Board (and to APRA if there are any detected incidents or material weaknesses)

2. Perform an internal audit against the APRA CPS 234 requirements (possibly with expert option)

3. Conduct independent testing of control effectiveness

4. Complete any necessary rework to implement expected requirements (which may require an initial gap analysis / assessment)

That doesn’t leave much time!


Who you gonna call?

Get yourself a combined assessment and management platform that will help you get all this done thoroughly and retain your customers over the long term.

With 6clicks for Service Providers, you can quickly and easily perform assessments of clients and their third parties against APRA CPS 234.

Use our built-in question set available from the 6clicks Marketplace, or create your own.

You can refer customers using your unique 6clicks Referral URL and access customer accounts to work with them, much the way accountants work with their customers on Xero.

Our platform can also help you:

– Implement the requirements of APRA CPS 234 on behalf of regulated entities.

– Map APRA CPS 234 requirements to internal controls and policies.

– Record their information assets and classifications.

– Provide risks and treatment plans.

– Report progress of control implementation, security incidents and issues.


For more information, Book a Demo with us today!