APRA’s new mandatory Prudential Standard, CPS-234, commenced on 1 July 2019.
It specifies new cybersecurity requirements to ensure APRA-regulated entities tighten their cyber security against information security incidents(including cyber attacks). But does it go far enough?
The regulation seeks to minimise the likelihood of and impact of information security incidents concerning confidentiality, integrity and information systems, by ensuring information security capability is commensurate with information security vulnerabilities and threats.
InfoSecAssure reviewed this regulation against requirements set by many other industry bodies,including but not limited to: ISO 27001, NIST Cyber Security Framework, SOC2 Trust Services Criteria and The Australian Government Information Security Manual (ISM). We found that APRA CPS-234 regulations are very light on defining the broad range of security controls likely required to appropriately protect your organisation however they have a specific focus on the supply chain more than other standards.
Security policies based solely on CPS-234 may omit critical aspects of an information security management plan necessary to keep your organisation safe.
InfoSecAssure, has developed a comprehensive of questions to help guide your organisation in becoming APRA CPS 234 compliant.
Contact InfoSecAssure today for access to our full, detailed guidelines for implementing APRA 234, including templates. Or for general advice on how to deliver APRA CPS-234 as part of your overall information security program.