
APRA CPS 234 Cyber Control Evidence Playbook

$199.00

A focused course, tailored for you

Build the control evidence pack that satisfies APRA examiners and your internal audit team in the same cycle.

The APRA examiner asks to see the evidence behind a specific preventive control, and the team cannot produce a document that traces directly to that CPS 234 category. The policy is accurate. The control exists. The artefact is not organised in the way the standard requires.

$199 one-time
Tailored to your situation. Access within 24 hours. 30-day money-back.

Includes a hand-built implementation playbook delivered alongside course access, generated for your specific situation.

Why this course

APRA CPS 234 demands that regulated institutions continuously assess the effectiveness of their information security controls, not just attest that controls exist. For a cyber security practitioner, that means producing evidence at the control level, classified against APRA's asset categories, with vendor assessments packaged correctly and penetration test findings mapped to the material weakness definition. Internal audit frameworks capture different things. What satisfies a Big4 audit team does not automatically satisfy an APRA examiner who wants to see the evidence chain from asset register to control to artefact to outcome. The notification decision, whether a control gap crosses the material weakness threshold, is where most teams either overreact or miss the requirement entirely.

What you walk away with

  • Map your institution's information assets and assigned controls to APRA CPS 234 categories, with evidence traceable at the control level.
  • Build a third-party vendor security assessment package that satisfies APRA's ongoing oversight requirements.
  • Interpret penetration test findings against the material information security control weakness threshold and document the assessment correctly.
  • Prepare a board-level CPS 234 self-assessment that holds up under examiner scrutiny and satisfies director attestation obligations.
  • Design a repeatable evidence collection process that keeps the pack current throughout the year rather than assembled reactively before each cycle.

The 12 modules

Module 1. APRA CPS 234 Framework and Examiner Expectations
APRA CPS 234 sets a minimum standard, but CPG 234 guidance reveals where the examiner's bar actually sits. This module maps the standard's structure, explains the difference between a targeted review and a risk-based supervisory visit, and identifies the specific self-assessment obligations that the cyber team owns directly versus those owned by the board. You finish with a clear map of which requirements call for documentary evidence versus policy attestation, and where examiners typically look first.
Module 2. Building the Information Asset Register
The information asset register is the spine of CPS 234. Every evidence requirement traces back to a classified asset, a criticality rating, and an assigned control owner. This module covers how to build and maintain a register that satisfies the prudential standard, how APRA examiners scrutinise classification decisions, and how gaps in the register cascade into indefensible control assertions during a review. Includes a register template with APRA-aligned fields and worked examples for financial services asset categories.
Module 3. Control Effectiveness Assessment Structure
APRA wants evidence that controls are effective, not just that they exist. This module covers how to structure a control effectiveness assessment: what preventive, detective, and response controls each require as supporting artefacts, how to rate effectiveness without overstating when evidence is partial, and how to handle controls where effectiveness depends on a third party's own environment. The assessment structure produced here is designed to survive both internal audit review and direct APRA examiner scrutiny.
Module 4. Penetration Testing Scope, Findings, and Remediation Tracking
Penetration testing under CPS 234 is a mandatory control, and the test scope must connect directly to your information asset register. This module covers how to scope a pen test so APRA can trace the connection to your classified assets, how to interpret findings against the material weakness definition, how to build a remediation tracker that demonstrates active and time-bound management of each finding, and what an acceptable close-out record looks like when an examiner reviews it.
Module 5. Third-Party and Vendor Security Assessments
CPS 234 extends your control obligations to any third party with access to your information assets. This module covers how to build a vendor security assessment questionnaire aligned to APRA's categories, how to review a vendor's own security attestations including SOC 2 reports against your specific control requirements, how to document ongoing oversight rather than point-in-time assessment, and how to handle vendors who cannot fully cooperate with assessment requests without creating a gap in your compliance record.
Module 6. Incident Classification and Evidence Capture
Incident response under CPS 234 requires both an operational response and an evidence trail that supports a notification decision. This module covers how to classify incidents against APRA's categories from the moment of detection, what evidence to capture during the response that you will need for the post-incident review, how to document the decision timeline, and how to structure the post-incident review so findings feed directly into your next control effectiveness assessment without requiring a separate analysis exercise.
Module 7. The Material Weakness Threshold and Notification Decision
Deciding whether a control gap crosses the material information security control weakness threshold is the highest-stakes judgment call in the CPS 234 cycle. This module walks through APRA's materiality definition, how to document the analysis that leads to a notification or no-notification decision, what a notification to APRA must contain and when it must be submitted, and how to maintain a defensible written record of control gaps that were assessed and determined not to meet the threshold.
Module 8. Board and Audit Committee Self-Assessment Reporting
The CPS 234 self-assessment must go to the board, and the board must be able to engage with it substantively enough to attest. This module covers how to structure the self-assessment document for board review, what directors need to understand to fulfil their attestation obligations, how to present control effectiveness ratings to non-technical directors without understating risk, and how to document that the board has received, reviewed, and acted on the information security self-assessment.
Module 9. Internal Audit Coordination and Evidence Pre-Submission
Internal audit conducts an independent assessment of CPS 234 compliance, and misalignment between internal audit ratings and the cyber team's self-assessment creates findings that are difficult to defend. This module covers how to coordinate with internal audit before the formal review cycle, how to pre-empt gaps by sharing control evidence in advance of fieldwork, how to respond when audit rates a control lower than your self-assessment, and how to manage the paper trail when disagreements remain unresolved before submission.
Module 10. Cloud-Hosted Assets and Shared Responsibility Evidence
When information assets covered by CPS 234 reside in cloud environments, the evidence of control effectiveness sits partly or entirely with the cloud provider. This module covers how to map cloud-hosted assets into your information asset register with the right criticality classification, how to assess a provider's security controls against APRA's requirements using their SOC 2 and shared responsibility documentation, and how to evidence ongoing oversight of controls that your institution does not directly operate or inspect.
Module 11. CPS 230 Operational Resilience Overlap and Joint Evidence
APRA's CPS 230 Operational Resilience standard overlaps substantially with CPS 234. Both require documented control environments, third-party assessments, and board-level attestation. This module maps the overlap between the two standards, identifies where a single piece of evidence can satisfy both and where the requirements diverge and need separate documentation, and shows how to structure a compliance calendar that handles both standards without duplicating effort or creating conflicting records that internal audit and examiners will compare.
Module 12. Building a Repeatable Annual Compliance Cycle
A repeatable CPS 234 evidence collection process means the pack is not assembled from scratch each assessment cycle. This module covers how to design the evidence library structure, assign ownership for each control category, define the review cadence that keeps evidence current throughout the year, create handover documentation that survives team changes, and run the pre-submission review so the pack is examiner-ready before internal audit arrives. The output is a documented process, not a one-off checklist.

How this addresses your situation

Specific modules that map to what you said you are dealing with.

You own the CPS 234 self-assessment and the internal audit cycle is approaching: start with Modules 1 to 4 to establish the evidence structure, then Module 9 for internal audit coordination.
A vendor with access to your information assets cannot produce a current security assessment: go to Module 5 for the vendor assessment framework and the approach to non-cooperative vendors.
A control gap was identified in a penetration test and you need to determine whether it crosses the notification threshold: Modules 4 and 7 walk through the remediation tracking and the materiality decision in sequence.
Your board attestation document needs to be ready for the next board meeting: Module 8 covers the self-assessment structure, and Module 11 handles the CPS 230 overlap that boards are increasingly asking about.

What you get with this course

  • Twelve text-based modules in the Art of Service learning environment, self-paced and accessible immediately after purchase.
  • Downloadable information asset register template with APRA CPS 234-aligned classification and criticality fields.
  • Vendor security assessment questionnaire package mapped to APRA's third-party control categories.
  • Material weakness notification decision framework with a draft notification template.
  • Board-level self-assessment reporting template covering attestation obligations and control effectiveness presentation.
  • Hand-built implementation playbook, tailored to your specific role and control environment, delivered alongside course access.

What you will have in hand by Day 1, Week 1, Month 1

Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.

Before and after

Before

Assembling the CPS 234 evidence pack each cycle as a reactive exercise, with artefacts that satisfy internal audit but expose gaps when APRA examiners look for the evidence chain from asset to control to outcome.

After

A structured, year-round evidence collection process built to APRA's specific categories, with a working vendor assessment workflow, a documented notification decision framework, and a board self-assessment that holds up to examiner scrutiny.

What happens if you do not address this

An APRA CPS 234 finding is not a minor compliance note. A material information security control weakness that was identifiable but not notified carries supervisory consequences, including increased oversight requirements and potential prudential adjustments. The gap between an evidence pack that satisfies internal audit and one that satisfies APRA examiners is knowable and closeable. Leaving it open means the next examiner review surfaces it instead.

Who it is for

Cyber security professionals at APRA-regulated financial institutions who own or contribute to the CPS 234 compliance cycle. Senior Associates and Senior Analysts who are hands-on with control evidence, vendor security assessments, penetration test management, and internal audit coordination, and who need the evidence pack to hold up under both internal review and direct APRA scrutiny.

Who this is NOT for. Policy writers and governance managers who are not responsible for producing control-level evidence. Senior leaders who review and sign off on the self-assessment but do not build the underlying documentation. Teams at non-APRA-regulated entities.

How it arrives

Text-based course in the Art of Service learning environment, plus downloadable templates and worked examples for every module, plus the hand-built implementation playbook delivered alongside course access.

Time investment. Eight to twelve hours across twelve modules. Most practitioners work through one to two modules per sitting alongside active compliance work.

Why $199 is the right number

A Big4 advisory engagement to build an APRA CPS 234 compliance framework typically costs $50,000 to $150,000 and takes three to six months. This course delivers the same structural framework and evidence templates in hours, with artefacts you can apply directly to your existing asset register and control environment.

FAQ

Does this course cover APRA CPS 230 Operational Resilience as well?
Yes. Module 11 covers the overlap between CPS 234 and CPS 230 and shows how to structure your evidence to satisfy both standards without duplicating work or creating conflicting documentation.
Do I need formal compliance qualifications to use this course?
No. The course is structured for practitioners who are actively working on CPS 234 compliance, regardless of certification. It starts from the standard itself and builds the evidence framework from there.
Our institution is not a deposit-taking institution. Does CPS 234 still apply?
CPS 234 applies to all APRA-regulated entities: authorised deposit-taking institutions, general insurers, life companies, and registrable superannuation entity licensees. The course covers the standard as it applies across all entity types.

30-day money-back guarantee. If after a week of working through the materials this is not what you needed, reply to the receipt email and a full refund is processed. No questions, no forms.