Robbie Cronin
ASD Cyber Security Partner | AISA Member

Meet CPS 230 before APRA asks.
From $6K. Done in 1-2 weeks.

Gap assessment for CPS 230 operational resilience and CPS 234 information security. For banks, insurers, and super funds. Big 4 firms charge $50,000+ and take 8 weeks.

Non-SFI compliance deadline: July 1, 2026

Guarantee: Under 3 critical gaps found? You don't pay.

Sound familiar?

APRA is watching

Enforcement actions are increasing. CPS 234 was just the start. APRA expects boards to demonstrate compliance, not just claim it.

CPS 230 goes beyond CPS 234

Operational resilience, service provider registers, business continuity planning. It covers ground your existing security controls don't touch.

Your board needs to sign off

CPS 234 para 36 requires board reporting. CPS 230 adds board accountability for operational risk. An assessment they can't read is an assessment that doesn't count.

Not sure where your gaps are?

Free 3-minute scorecard. Covers controls mapped to CPS 234 and CPS 230.

Take the scorecard

// what you get

APRA Compliance Assessment

CPS 230 and CPS 234 reviewed together. One engagement, one report, one person accountable. Written so your board can actually read it.

CPS 234 information security gap analysis
CPS 230 operational resilience assessment
Service provider register review
Board-ready compliance report with evidence mapping
Prioritised remediation roadmap with timelines

Included if relevant to your business:

Essential Eight maturity baseline (ML2)
Privacy Act 1988 compliance check
Cyber insurance readiness review
ISO 27001:2022 gap analysis (enterprise or UK customers)
SOC 2 Type II readiness assessment (US enterprise customers)

Typical Big 4 engagement

$50,000+

Your price

$6K-$8K

Delivered in 1-2 weeks. Not 6-8.

Under 3 critical gaps found? You don't pay.

Zero risk. I've never had to honour this.

// how it works

Three steps. No surprises.

01

Free scorecard

2 minutes. See where your organisation stands against APRA requirements. No email needed.

Take the scorecard

02

Deep assessment

1-2 weeks, fixed price. I review your controls, policies, and service providers against CPS 230 and CPS 234.

03

Board-ready report

Evidence-mapped compliance report with prioritised remediation plan. Written for your board, not just your IT team.

// who this is for

If APRA regulates you, this is for you.

ADIs

Banks, credit unions, building societies. CPS 234 obligations are active. CPS 230 deadline is approaching.

General and life insurers

Information security and operational resilience requirements apply across all insurance entities.

Superannuation funds

RSE licensees face the same CPS 230 and CPS 234 obligations as ADIs and insurers.

Non-SFI entities

The July 2026 deadline is yours. SFIs already had to comply. Your window is closing.

// why me and not a consultancy

Robbie Cronin

One engineer. Not a sales team.

I'm a senior software engineer with 10+ years in platform infrastructure. CNCF maintainer. ASD Cyber Security Partner. I do the assessment myself. No juniors, no handoffs, no 200-page report written by a graduate who's never seen production code.

You talk to me, I do the work, I write the report. That's why it costs $6K instead of $50K.

Ex-Big Tech | CNCF Maintainer | ASD Partner | Melbourne

// questions

Common questions

Do we need CPS 230 if we already comply with CPS 234?

Yes. CPS 234 covers information security. CPS 230 covers operational resilience, which includes business continuity, service provider management, and critical operations mapping. They overlap on some controls but CPS 230 introduces requirements that CPS 234 doesn't touch. Most entities need to address both.

What's the deadline for non-SFIs?

July 1, 2026. APRA designated Significant Financial Institutions had to comply from July 2025. All other APRA-regulated entities (non-SFIs) have until July 1, 2026. That's less than 4 months away.

Do you need to be an accredited assessor?

APRA doesn't require an accredited assessor for CPS 230 or CPS 234 compliance. The standards require entities to have 'systematic testing' and 'adequate assurance' but don't mandate specific certifications for the assessor. What matters is technical competence and independence. I'm not your IT department and I'm not your vendor. That's the independence that matters.

What about CPS 230 service provider requirements?

CPS 230 requires you to maintain a register of material service providers and assess their operational resilience. I review your service provider arrangements, identify which providers are material under CPS 230, and assess whether your contractual arrangements meet APRA's expectations. This is often the biggest gap.

How is this different from the Big 4?

Three ways. First, I do the work myself. No juniors, no handoffs. You get a senior engineer with 10+ years' experience, not a team where the partner shows up for the pitch and a graduate does the assessment. Second, it costs $6-8K instead of $50K+. Third, it takes 1-2 weeks instead of 6-8. Same rigour, less overhead.

Can you help with remediation after the assessment?

Yes. The assessment identifies gaps and prioritises them. If you need help closing those gaps, I can scope a remediation engagement separately. Most entities start with the assessment and then decide what they want to tackle themselves vs what they need help with.

Don't wait for APRA to ask.

Start with the free scorecard. Or book a scoping call and I'll walk through what CPS 230 and CPS 234 mean for your organisation.

Taking on 2-3 APRA assessments per month. First in, first served.