AiOpsOne

CPS 230 vs CPS 234 — Change Summary

How APRA's operational-risk standard (CPS 230, live 1 July 2025) relates to the information-security standard (CPS 234) — and what each means for your AWS environment.

Version 1.0  ·  June 2026  ·  aiopsone.com  ·  YouTube @AiOpsOne

The short version. CPS 234 is about information security. CPS 230 is about operational resilience. They are now a pair: CPS 230 explicitly leans on CPS 234 for the security half, and an incident reported under CPS 234 doesn't need separate CPS 230 notification. If your CPS 234 controls on AWS are solid, you've already done part of CPS 230.

Side by side

 CPS 234 — Information SecurityCPS 230 — Operational Risk Management
In force1 July 20191 July 2025
FocusProtecting information assets from security incidents and cyber-attacksOperational resilience — keeping critical operations running through disruption
Core obligationsClassify assets; implement controls; test effectiveness; notify APRA of material incidents (72h)Identify critical operations; set disruption tolerances; manage material service providers; test against severe-but-plausible scenarios
AWS implicationIAM, encryption, logging, GuardDuty/Security Hub, Config — controls + exportable evidenceAWS is a material service provider; multi-AZ/region resilience; mapped critical operations; tested failover
Key evidenceConfig compliance timelines, CloudTrail (validated), Security Hub score, Audit ManagerService-provider register, architecture/RTO-RPO docs, DR/game-day test results
The linkCPS 230 references CPS 234 for information security. One incident notification covers both. Strong CPS 234 controls discharge part of CPS 230's security expectations.

What changed in 2025

CPS 230 consolidated the old business-continuity (CPS 232) and outsourcing standards into one operational-resilience framework, effective 1 July 2025. For most regulated entities it didn't create new security work so much as new documentation and testing work: map critical operations to AWS resources, write down disruption tolerances, register AWS as a material provider, and actually test failover.

Where teams get caught

The failure mode is identical across both standards: the controls and the resilient architecture exist, but the evidence doesn't. CPS 234 wants the compliance timeline, not a screenshot; CPS 230 wants the test result, not the intention. Build the evidence layer (Config history + Audit Manager + DR test records) before the review, not during it.