
APRA CPS 234 Security Control Attestation

$199.00

A focused course, tailored for you


Build the evidence package that satisfies your APRA-regulated board attestation, from control testing through to documented exceptions.

The board attestation under CPS 234 requires a statement that information security controls are operating effectively. Every year, IT security teams at APRA-regulated firms spend weeks scrambling to turn control activity into attestable evidence. This course closes that gap with a repeatable process.

$199 one-time
Tailored to your situation. Access within 24 hours. 30-day money-back.

Includes a hand-built implementation playbook delivered alongside course access, generated for your specific situation.

Why this course

CPS 234 obliges APRA-regulated entities to maintain an information security capability commensurate with the size and nature of threats. The board must attest annually. For IT security professionals, that means translating technical control outputs into language the board can sign off on, documenting exceptions with approved risk acceptance, and defending the methodology under APRA supervision visits. The firms that do this well have a documented control testing schedule, clear ownership of each control family, and a board report that maps findings to CPS 234 paragraphs. Most teams build this ad hoc, under time pressure, each year from scratch.

What you walk away with

  • Map your organisation's control environment to CPS 234 obligations at the paragraph level.
  • Design a control testing schedule that produces attestable evidence, not just activity logs.
  • Document exceptions and risk acceptances in a format that satisfies APRA supervisory review.
  • Produce a board information security report that supports the annual attestation sign-off.
  • Integrate IRAM2 risk linkage so that control gaps connect directly to residual risk statements.
  • Build a repeatable annual attestation cycle your team can run without rebuilding from scratch each year.

The 12 modules

Module 1. CPS 234 Obligations: What the Standard Actually Requires
A paragraph-by-paragraph read of CPS 234 obligations from the perspective of an IT security professional, not a compliance officer. Covers the defined responsibilities of the Board, senior management, and the information security function. Identifies the specific paragraphs that drive attestation requirements versus the paragraphs that drive capability requirements. Includes a one-page obligation map you annotate against your organisation's current structure.
Module 2. Control Taxonomy: Mapping Your Environment to CPS 234 Control Categories
Builds a control taxonomy aligned to CPS 234's capability requirements: preventive, detective, corrective, and recovery. Shows how to cross-map your existing control inventory (whether ISO 27001, NIST CSF, or internal) to the CPS 234 control categories the APRA examiner will reference. Produces a gap-identified control register that becomes the foundation for your testing schedule.
Module 3. Control Testing Design: From Activity to Evidence
The difference between a control that operates and a control that is evidenced. Covers control testing objectives, sampling methodology for IT general controls versus application controls, and the documentation standard that turns test results into attestable evidence. Includes a testing worksheet template for the five highest-weight CPS 234 control families: access management, vulnerability management, incident response, third-party, and backup.
Module 4. Vulnerability Management Attestation: CVSS, Remediation SLAs, and Evidence
Vulnerability management is the control family most APRA supervisors probe first. This module covers how to document your patch SLAs against CPS 234 obligations, how to handle the backlog when SLAs have been missed, and how to structure the evidence package so that risk-accepted exceptions are separated from control failures. Includes a vulnerability attestation template that your board report can reference directly.
Module 5. Third-Party Information Security: CPS 234 Paragraph 36 and Supply Chain Evidence
CPS 234 paragraph 36 requires that APRA-regulated entities maintain oversight of third-party information security. This module covers the third-party risk assessment methodology, how to tier suppliers by criticality, what evidence APRA expects for each tier, and how to handle a supplier who cannot provide satisfactory assurance. Produces a supplier attestation register that feeds directly into your board report.
Module 6. Incident Response and Notification: Linking Control Failures to CPS 234 Obligations
A CPS 234 attestation must account for incidents during the reporting period. This module covers how to document incident response activity as control evidence, how to link incidents to the control families that failed or were tested under stress, and how to notify APRA within the required 72-hour window for material incidents. Includes an incident attestation template that separates operational incidents from material control failures.
Module 7. IRAM2 Integration: Connecting Control Gaps to Residual Risk
IRAM2 (Information Risk Assessment Methodology 2) is the risk assessment approach used by many Australian financial services firms and referenced by APRA guidance. This module shows how to connect your control testing results to IRAM2 residual risk statements so that gaps in your attestation map to quantified risk, not just operational observations. Produces a risk linkage table that makes your exception documentation defensible.
Module 8. Exception Documentation: Risk Acceptance That Satisfies APRA
Every attestation includes exceptions. The question is whether the exception is documented in a way that APRA accepts as a managed risk rather than an uncontrolled gap. This module covers the required elements of a risk acceptance: control owner, residual risk rating, compensating controls, remediation timeline, and board awareness. Includes a risk acceptance template calibrated to APRA's supervisory expectation.
Module 9. Board Information Security Report: Structure, Language, and Sign-Off
The board report is the document the board signs. This module covers the structure that APRA expects to see, the language that translates technical control findings into fiduciary language, and the process for getting the report through the audit committee before it reaches the board. Includes a board report template with annotated sections for attestation statement, control environment summary, incidents, exceptions, and forward risk outlook.
Module 10. APRA Supervisory Visit Preparation: What Examiners Look For
APRA supervisory visits are not audits in the traditional sense. They are a review of whether your risk management and control framework is fit for purpose. This module covers the documents APRA typically requests, the questions examiners ask of IT security professionals specifically, and how to present your control testing evidence in a way that demonstrates capability rather than compliance theatre. Includes a supervisory visit readiness checklist.
Module 11. Building the Annual Attestation Calendar: Repeatable Process, Not Annual Scramble
The firms that handle CPS 234 attestation well treat it as a continuous process with a defined calendar, not a year-end scramble. This module shows how to build a twelve-month attestation calendar that distributes control testing, exception review, and evidence collection across the year. Includes a calendar template with ownership assignments, milestone dates, and integration points with your existing security operations rhythm.
Module 12. The Implementation Playbook: Your Organisation's Attestation Pack
The final module is a structured walkthrough of how to assemble your organisation's complete CPS 234 attestation pack from the templates and evidence collected across modules 1 through 11. Covers the quality review process before submission, the version control approach for the attestation pack, and how to hand off the completed pack to the board secretary. The hand-built implementation playbook delivered with course access is scoped to your specific role and control environment.

How this addresses your situation

Specific modules that map to what you said you are dealing with.

Modules 1-2 orient your existing control environment to CPS 234 obligations and produce the control register.
Modules 3-7 run the control testing cycle and build the evidence for each major control family including third-party and incident response.
Modules 8-9 convert evidence into board-ready attestation documentation with exception handling.
Modules 10-12 prepare you for APRA supervision, establish a repeatable annual calendar, and assemble the final attestation pack.

What you get with this course

  • Twelve written modules with downloadable templates for each control family
  • Control testing worksheets for access management, vulnerability management, incident response, third-party, and backup
  • Board information security report template with annotated attestation statement
  • Risk acceptance and exception documentation template calibrated to APRA supervisory expectation
  • Annual attestation calendar template with ownership and milestone assignments
  • Hand-built implementation playbook scoped to your role, delivered alongside course access

What you will have in hand by Day 1, Week 1, Month 1

Access provisioned within 24 hours of purchase

Hand-built implementation playbook delivered alongside course access

Self-paced: most professionals complete the course in two to three focused sessions

Before and after

Before

Each attestation cycle is rebuilt from scratch under time pressure. Control evidence is scattered across teams and formats. The board report is a narrative that asserts rather than evidences. Exceptions are underdocumented and the risk acceptance trail is weak.

After

A documented control testing schedule runs across the year. Evidence is collected to a defined standard. Exceptions have approved risk acceptances in the required format. The board report maps findings to CPS 234 paragraphs and the attestation sign-off is defensible under APRA supervision.

What happens if you do not address this

An APRA supervisory visit that finds your attestation is based on assertion rather than documented control testing evidence is a material finding. For IT security professionals, this typically means an urgent remediation programme and increased supervisory intensity. The attestation is also a personal accountability document for the people named in it.

Who it is for

IT security professionals at APRA-regulated entities (banks, insurers, super funds, AFS licensees) who own or contribute to the annual CPS 234 board attestation. Typically working alongside risk and compliance teams, running control testing cycles, writing evidence packs, and presenting findings upward. Often the person who bridges technical control reality and regulatory expectation.

Who this is NOT for. Pure compliance officers who do not work with technical security controls. Teams at non-APRA-regulated entities. Anyone looking for a general ISO 27001 or NIST CSF overview without the APRA-specific attestation context.

How it arrives

Text-based course in the Art of Service learning environment, plus downloadable templates and worked examples for every module, plus the hand-built implementation playbook delivered alongside course access.

Time investment. Twelve modules of focused reading and template work. Typical completion in two to three sessions of two hours each. The templates are ready to use immediately in your environment.

Why $199 is the right number

APRA publishes guidance but not a control testing methodology or attestation template. External consultants charge $15,000-$40,000 to run a CPS 234 gap assessment. Internal risk and compliance teams typically have compliance framing, not control testing depth. This course gives the IT security professional the methodology and templates to run the attestation cycle independently.

FAQ

Is this course relevant if we are an APRA-regulated insurer or super fund, not a bank?
Yes. CPS 234 applies to all APRA-regulated entities including authorised deposit-taking institutions, general insurers, life companies, and registrable superannuation entity licensees. The attestation obligation and the control testing methodology are the same across entity types.
We already have ISO 27001 certification. Will we find new material here?
ISO 27001 certification shows you have a management system. CPS 234 attestation requires you to evidence that specific controls are operating effectively under APRA's obligation framework. Module 2 covers exactly how to cross-map your ISO 27001 control inventory to CPS 234 categories and where the gaps typically appear.
What happens if a template does not match our internal control naming or tooling?
The templates are designed to be annotated to your environment. The implementation playbook delivered with course access is hand-built for your role and can address specific tooling or naming conventions by reply.

30-day money-back guarantee. If after a week of working through the materials this is not what you needed, reply to the receipt email and a full refund is processed. No questions, no forms.

Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.