APRA CPS 234
APRA's Prudential Standard CPS 234 (Information Security) is the mandatory information-security baseline for Australian banks, insurers, and superannuation funds. Manage365 maps its requirements to the M365 controls that matter and produces per-scan evidence an APRA auditor will accept.
Coverage
| CPS 234 requirement | M365 control |
|---|---|
| §15 — Information assets classification | Sensitivity label coverage via Information Protection + DLP policy inventory. |
| §17 — Authentication strength | MFA enforcement via Conditional Access; authentication-method inventory; PIM coverage for admin roles. |
| §19–20 — Access rights review | Stale account report (no sign-in > 90d), privileged-account inventory, JIT grant history. |
| §21 — Event logging & monitoring | Unified audit log retention, Defender alert pipeline, sign-in risk monitoring. |
| §22 — Incident response capability | NDB workflow, compromise remediation playbook, incident-to-PSA ticket flow. |
| §23 — Testing | Weekly auto-scan history; Secure Score trend; Essential Eight Maturity Level movement. |
| §27 — Notification to APRA within 72 hours | NDB assessment + notification deadline tracker. |
Scan results
Same shape as Essential Eight: per-control compliant / partial / non_compliant / not_assessed with findings and remediation. Overall score is the mean of assessed controls.
Evidence bundle
Auditor-ready ZIP (see Evidence export) contains:
- Latest CPS 234 scan per tenant with raw JSON evidence blobs
- 90-day audit log with SHA-256 chain (tamper-evident)
- Conditional Access policy snapshot at export time
- Signed attestation page with MSP name + ABN + export timestamp
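The "SHA-256 chain" line above is the tamper-evident property an auditor relies on. The following added example (not Manage365's own exporter or chain format, which the page does not specify) shows one standard way such a chain is built and verified: each record stores the previous record's hash and its own hash over `prev_hash || canonical JSON(entry)`, so editing, reordering or deleting an interior record breaks the linkage. The sample entries, the all-zero genesis anchor and the helper names are constructed assumptions for illustration.

```python
import hashlib
import json

# Constructed sample audit-log entries for illustration (not real Manage365 output).
SAMPLE_LOG = [
    {"ts": "2024-05-01T09:00:00Z", "actor": "admin@example.invalid",
     "action": "ConditionalAccessPolicyUpdated", "target": "Require MFA for admins"},
    {"ts": "2024-05-01T09:05:12Z", "actor": "scanner",
     "action": "Cps234ScanCompleted", "target": "tenant-a"},
    {"ts": "2024-05-02T14:30:45Z", "actor": "admin@example.invalid",
     "action": "PimRoleActivated", "target": "Global Administrator"},
]

# Assumed anchor for the first record; a real exporter might use a per-tenant seed.
GENESIS = "0" * 64


def canonical(entry: dict) -> bytes:
    # Fixed key order and separators so the same record always hashes identically.
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def link_hash(prev_hash: str, entry: dict) -> str:
    # Hash binds this record to its predecessor: changing either changes the digest.
    h = hashlib.sha256()
    h.update(prev_hash.encode())
    h.update(canonical(entry))
    return h.hexdigest()


def build_chain(entries):
    """Wrap each entry in a record carrying prev_hash and hash."""
    chain = []
    prev = GENESIS
    for entry in entries:
        digest = link_hash(prev, entry)
        chain.append({"entry": entry, "prev_hash": prev, "hash": digest})
        prev = digest
    return chain


def verify_chain(chain):
    """Return (ok, first_bad_index); checks linkage and recomputes every hash."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["prev_hash"] != prev:
            return False, i  # reordered or missing predecessor
        if link_hash(prev, rec["entry"]) != rec["hash"]:
            return False, i  # entry contents or stored hash altered
        prev = rec["hash"]
    return True, None


def head_hash(chain):
    """Digest of the last record; this is the value to record on a signed attestation."""
    return chain[-1]["hash"] if chain else GENESIS


def with_modified_entry(chain, index, field, value):
    # Deep copy via JSON round trip so the original chain is left untouched.
    copied = json.loads(json.dumps(chain))
    copied[index]["entry"][field] = value
    return copied


def with_record_removed(chain, index):
    copied = json.loads(json.dumps(chain))
    del copied[index]
    return copied


if __name__ == "__main__":
    chain = build_chain(SAMPLE_LOG)
    print("intact:", verify_chain(chain), "head:", head_hash(chain))
    print("edited actor:", verify_chain(with_modified_entry(chain, 1, "actor", "x")))
    print("middle record dropped:", verify_chain(with_record_removed(chain, 1)))
    print("tail record dropped:", verify_chain(with_record_removed(chain, 2)))
```

Note the last case: truncating the tail of a chain leaves every remaining link valid, so the chain alone does not prove completeness. That is why the head hash (and the record count) belongs on the signed attestation page; an auditor compares the exported head against the attested one.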
What this isn't
CPS 234 goes well beyond identity and data — it covers BCP, vendor risk, board-level oversight, and penetration testing schedules. Manage365 covers the technical control and evidence side. The governance pieces (policy docs, board paper templates, vendor risk registers) belong in your GRC tooling.