How APRA's operational-risk standard (CPS 230, live 1 July 2025) relates to the information-security standard (CPS 234) — and what each means for your AWS environment.
The short version. CPS 234 is about information security. CPS 230 is about operational resilience. They are now a pair: CPS 230 explicitly leans on CPS 234 for the security half, and an incident reported under CPS 234 doesn't need separate CPS 230 notification. If your CPS 234 controls on AWS are solid, you've already done part of CPS 230.
| CPS 234 — Information Security | CPS 230 — Operational Risk Management | |
|---|---|---|
| In force | 1 July 2019 | 1 July 2025 |
| Focus | Protecting information assets from security incidents and cyber-attacks | Operational resilience — keeping critical operations running through disruption |
| Core obligations | Classify assets; implement controls; test effectiveness; notify APRA of material incidents (72h) | Identify critical operations; set disruption tolerances; manage material service providers; test against severe-but-plausible scenarios |
| AWS implication | IAM, encryption, logging, GuardDuty/Security Hub, Config — controls + exportable evidence | AWS is a material service provider; multi-AZ/region resilience; mapped critical operations; tested failover |
| Key evidence | Config compliance timelines, CloudTrail (validated), Security Hub score, Audit Manager | Service-provider register, architecture/RTO-RPO docs, DR/game-day test results |
| The link | CPS 230 references CPS 234 for information security. One incident notification covers both. Strong CPS 234 controls discharge part of CPS 230's security expectations. | |
The failure mode is identical across both standards: the controls and the resilient architecture exist, but the evidence doesn't. CPS 234 wants the compliance timeline, not a screenshot; CPS 230 wants the test result, not the intention. Build the evidence layer (Config history + Audit Manager + DR test records) before the review, not during it.