
CPS 234 for IAM Teams: What APRA Actually Wants to See

APRA's information security standard is written for boards, but most of its weight lands on identity teams. Here is how I translate CPS 234 into controls an assessor can tick off.

29 January 2026 · Aditi Shah

If you run identity at an APRA-regulated entity — a bank, insurer, or super fund — CPS 234 is the standard that will define half your roadmap whether you planned for it or not. It is deliberately principles-based, which is generous language for "you must work out the specifics." Having sat on both sides of these assessments, I can say where the identity weight actually falls.

"Information assets" includes your identity infrastructure

CPS 234 requires you to classify information assets by criticality and sensitivity. Identity teams often scope this to business data and forget that the IAM platform, directory, and PAM vault are themselves crown-jewel assets. A compromise of the thing that grants access is categorically worse than a compromise of any single system it protects. Classify them accordingly, and the control expectations that follow — monitoring, testing, access restriction — become self-evident.

Control implementation, sized to threat

The standard expects controls "commensurate with" the threat and the criticality of the asset. For identity that means a defensible, documented rationale for:

  • Access provisioning and de-provisioning tied to an authoritative source — the JML discipline an assessor will test by sampling recent leavers.
  • Privileged access under PAM with vaulting, session recording, and just-in-time elevation for anything that touches a critical asset.
  • Strong authentication — MFA that is phishing-resistant where the risk justifies it, not blanket SMS OTP you adopted in 2018.
  • Segregation of duties with detective controls that catch toxic combinations, evidenced over time.

The bit everyone underestimates: testing

CPS 234 requires you to test the effectiveness of controls through a systematic programme, with the frequency driven by the rate of change. Identity environments change constantly — new joiners, new apps, new entitlements daily — so your testing cadence has to reflect that. Annual is not "systematic" for a system that mutates every hour. I run continuous access reconciliation as the always-on test, and layer periodic targeted reviews (privileged access, SoD, dormant accounts) on top.

Assessor's lens

The question is rarely "do you have MFA?" It is "show me the population without MFA, your rationale for each exception, and the date each exception is reviewed." Exceptions are where assessments live or die.
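The always-on reconciliation described under testing, and the exception population an assessor asks for, can be produced by one check over the authoritative source, the directory and the exception register. The script below is an added example, not the author's tooling; the HR feed, directory export, exception register and MFA method labels are constructed placeholders.

```python
from datetime import date, timedelta

# Constructed sample data standing in for the authoritative HR feed,
# the directory export and the MFA exception register (all hypothetical).
HR = {  # employee_id -> (status, termination_date)
    "e100": ("active", None),
    "e200": ("leaver", date(2026, 1, 5)),
    "e300": ("active", None),
}
ACCOUNTS = [  # directory export: one dict per account
    {"user": "alice", "hr_id": "e100", "enabled": True, "privileged": True,
     "mfa": "fido2", "last_login": date(2026, 1, 27)},
    {"user": "bob", "hr_id": "e200", "enabled": True, "privileged": True,
     "mfa": "sms", "last_login": date(2025, 12, 20)},    # leaver, still enabled
    {"user": "svc-backup", "hr_id": None, "enabled": True, "privileged": True,
     "mfa": None, "last_login": date(2025, 9, 1)},       # no HR owner, no MFA, dormant
    {"user": "carol", "hr_id": "e300", "enabled": True, "privileged": False,
     "mfa": "totp", "last_login": date(2026, 1, 28)},
]
EXCEPTIONS = {  # account -> (rationale, next review date)
    "svc-backup": ("break-glass service account, vault-controlled", date(2025, 12, 31)),
}
SAMPLE_TODAY = date(2026, 1, 29)
DORMANT_AFTER = timedelta(days=90)
PHISHING_RESISTANT = {"fido2", "smartcard"}  # assumed labels for strong MFA methods

def reconcile(hr, accounts, exceptions, today):
    """Return the populations an assessor asks for, keyed by finding type."""
    findings = {"orphaned": [], "leaver_enabled": [], "no_mfa_unexcepted": [],
                "exception_overdue": [], "dormant": [], "priv_weak_mfa": []}
    for a in accounts:
        if not a["enabled"]:
            continue  # disabled accounts are not in the live population
        rec = hr.get(a["hr_id"]) if a["hr_id"] else None
        if rec is None:
            findings["orphaned"].append(a["user"])        # no authoritative owner
        elif rec[0] == "leaver":
            findings["leaver_enabled"].append(a["user"])  # de-provisioning failure
        if a["mfa"] is None:
            exc = exceptions.get(a["user"])
            if exc is None:
                findings["no_mfa_unexcepted"].append(a["user"])  # gap with no rationale
            elif exc[1] < today:
                findings["exception_overdue"].append(a["user"])  # rationale not reviewed
        elif a["privileged"] and a["mfa"] not in PHISHING_RESISTANT:
            findings["priv_weak_mfa"].append(a["user"])   # privileged on weak MFA
        if today - a["last_login"] > DORMANT_AFTER:
            findings["dormant"].append(a["user"])
    return findings

if __name__ == "__main__":
    for kind, users in reconcile(HR, ACCOUNTS, EXCEPTIONS, SAMPLE_TODAY).items():
        print(f"{kind}: {users}")
```

Run daily against the real feeds, each non-empty list is either a ticket or an exception entry with a rationale and a review date; an empty report is the evidence the testing section asks for.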

Third parties are in scope, and they are your weakest link

CPS 234 explicitly extends to information assets managed by related parties and third parties. For identity, that is your SaaS providers, your managed service partners, and anyone with federated or delegated access. You need assurance that their controls meet the bar — and, critically, that you can revoke their access decisively if the relationship ends or an incident occurs. A federation trust you cannot break in an hour is a control gap.

Notification: know your 72 hours

Material incidents must be notified to APRA within 72 hours. For identity teams the practical implication is detection and forensics readiness: if a privileged account is misused, can you establish scope — what it accessed, what it changed — fast enough to make a defensible notification call? That is an argument for identity logging that is centralised, immutable, and actually queryable, not scattered across a dozen app logs.

CPS 234 rewards the unglamorous work: authoritative sourcing, ruthless de-provisioning, privileged access under control, and evidence that the controls are tested as fast as the environment changes. Do that, and the assessment becomes a walk-through of work you already did — which is exactly the position you want to be in.

Aditi Shah: Cybersecurity & IAM Specialist, Melbourne, 12+ years across regulated finance, government & telecom.
