
IMPORTANT MESSAGE: Australian Prudential Regulation Authority has put the finance industry on notice about non-compliance with information security standard CPS 234.

Are your third-party controls effective?

Do you have systematic security control testing in place?

Are you regularly testing incident response plans?

If you answered no to any of these questions, Avocado can help NOW. Contact us for a free 15-minute consultation. Preparation for CPS230 should now be underway. See below for more details.

Download the CPS 230 & CPG 230 checklist for Boards and Executives

What is CPS 230? For an overview of the Standard, read our blog post first: Strengthening Operational Risk Management: A Closer Look at CPS 230. 

Need to understand your tech, cyber and third-party implications for CPG 230? Read our blog, with downloadable checklist: CPG 230: Operational Risk Management.

CPS 230 takes effect from 1 July 2025 for pre-existing contractual arrangements at the next renewal date, and officially applies from 1 July 2026 for existing service providers. Organisations must act during this transition to ensure they uplift their maturity.

This checklist acts as a guide to implement new clauses and areas of uplift to comply with CPS 230, as well as best practice recommendations for CPG 230.

This Operational Risk Checklist is designed with a focus on the Board and Executive. It aims to facilitate their understanding and ensure they are asking the right questions about the organisation’s existing frameworks and the necessary controls to address operational risks. It can also serve as a guide for establishing effective operational risk practices aligned with CPS 230 and CPG 230, especially in the context of technology and cybersecurity.

This checklist correlates each CPS 230 and CPG 230 clause with the ISO 31000 framework, providing a clear path toward achieving compliance. Each question provides a solid foundation for organisations to assess their CPS 230 compliance and identify areas for uplift or review. Avocado offers services for all areas outlined in this checklist and can help deliver invaluable support.

What’s covered in this checklist:

This publication provides a checklist for the new and uplifted requirements for CPS 230 and Best Practice recommendations for CPG 230. 

Entities that have already adopted comprehensive control frameworks like the NIST Cyber Security Framework (NIST CSF) and risk management frameworks like ISO 31000 may find the implementation of CPS 230 relatively straightforward. These existing frameworks can align well with the new requirements as highlighted below and within Avocado’s checklist.

Risk Management Process for CPS 230 and CPG 230 aligned to ISO 31000

Want to know more about our CPS 230 Services? 

Avocado offers services to help APRA-regulated organisations comply with CPS 230 and best practice recommendations for CPG 230. Reach out to our team to understand how we can assist you in enhancing your operational resilience.

If you require assistance to ensure you’re compliant with the new Standard or are interested in tools to support your risk management approach, register for a complimentary cyber strategy consultation.

Our CPS 230 Services

NIST policy framework implementation

NIST is a best practice framework for organisations looking to strengthen their resilience. Avocado can assist in translating CPS 230 requirements into NIST Policy Framework implementation.

Third and Fourth-Party Risk Management

Third-party and fourth-party risk management helps you identify and safeguard an organisation’s crown jewels. Avocado's TPRM and fourth-party risk services help manage the risks associated with both third and fourth parties.

Control Assurance Services

Avocado offers a full suite of control assurance services and assessments to ensure compliance. These are typically conducted annually.

Automation and Managed Services

Avocado offers automation and managed services for all CPS 230 obligations, streamlining cybersecurity risk management.

Risk Treatment Options

Avocado aids in managing risks by implementing treatment options, including remediation uplift where required.

Business Continuity Planning

Avocado can provide support for robust business continuity planning.
