Overview of Risk and Security for financial services businesses in Australia and a comparison with ISO 27001
Introduction
Given my extensive experience with ISO 27001 I was interested to learn more about the related information security and risk management obligations for financial services businesses in Australia. Licensed financial service providers and businesses selling software and services to those providers are subject to the oversight of standards created by APRA (Australian Prudential Regulation Authority). The standards themselves are known as CPSs (Cross-industry Prudential Standard) which APRA manages and enforces.
The sorts of busineses that are licensed financial service providers with this oversight are banks, insurers and superannuation providers. Due to the nature of managing supply-chain risk the oversight of APRA has expanded to include businesses providing services to these providers as well but this oversight is indirect and these businesses are only subject to a subset of the obligations.
The CPS standards have a list of requirements which are a mix of principles based guidance (that are open to intepretation on implementation) and more prescriptive requirements. There are potential sanctions for organisations which breach their compliance obligations.
Enforcement
APRA uses a variety of methods to ensure compliance to the CPS which include:
Audits
- Off-site oversight (reviewing documentation such as reports, financial statements, internal audit findings etc.)
- On-site inspection (physically controlled environments)
Prudential Reporting
- Entities are required to submit regular compliance reports
- Provide audit attestations or independent assurance reports
Breach Notifications
- If a regulated entity becomes aware of a material breach of a CPS it is required to notify APRA within a defined period of time
Enforcement Powers
- If an entity fails to comply, APRA can escalate by issuing a directive (e.g. change processes, remove a director, hold additional capital to mitigate excessive risk)
- Impose license conditions
- Pursue civil penalties or court action
Naming and Shaming
- Issuing public statements on compliance issues
Overview
Here is a summary of the relevant APRA standards for risk and information-security and the year from which they became enforceable. You can see that these are relatively new standards that are developing and being rolled out quite quickly.
CPS 220 - Risk Management (2015)
There must be a formal process in place for identifying, assessing, managing and monitoring risks. That includes board level accountability and oversight, and specifics around defining a risk tolerance for the company, the scope of risks to consider, and methods of treating, reporting and revising the risks. Although CPS 220 includes consideration of the supply chain there is no obligation for service providers to provide implement or consider the standard themselves.
CPS 232 - Business Continuity Management (2017)
Financial service providers are typically fulfilling critical services that enable the economy and continuity of that is an important part of the obligations imposed on these businesses. These standards ensure formal and test continuity management processes are in place.
CPS 234 - Information Security (2019)
Information security was increasing become a focus of APRA and CPS 234 was the formalisation of this when it was released. It includes board level accountability along with the various governance and monitoring requirements to ensure information security is effective in the organisation. It also explicitly requires APRA-regulated companies to verify their third-party suppliers.
CPS 230 - Operational Risk Management (2025)
Operational risk management extends the focus areas of CPS 220 and CPS 232 to a more unified approach to managing operational risk. It includes the key requirements of these standards, but expands on the internal controls, and the management and reporting of adverse operational events. It also (like CPS 234) places oversight obligations on service providers
APRA CPS Standards and ISO 27001
There are many significant areas of overlap between the CPS standards and ISO 27001 so complying with both or switching between the standards shouldn’t be too hard. Here is a summary of key similarities and points of difference:
| Key Area | CPS 234 (Information Security) | CPS 230 (Operational Risk) | ISO 27001 (ISMS) |
|---|---|---|---|
| Information Security | ✅ Core focus | ⚠️ As a subset of operational risk | ✅ Core focus |
| Risk Management | ✅ Risk-based controls for information assets | ✅ Core focus | ✅ Risk-based controls for information assets |
| Governance & Accountability | ✅ Board oversight & roles defined | ✅ Board & management responsibility | ✅ Management commitment & roles defined |
| Documentation | ✅ Required | ✅ Required | ✅ Required |
| Incident Management | ✅ Must detect, respond to, and notify APRA | ✅ Incident response and recovery across operations | ✅ Required |
| Third-party Management | ✅ Security controls must extend to service providers | Outsourcing and service provider risk heavily covered | ✅ Required |
| Business Continuity / Resilience | ⚠️ Not covered | ✅ Core focus | ✅ Required |
| Continuous Improvement | ⚠️ Implied through testing and remediation | ✅ Includes testing and lessons learned | ✅ Required |
| Compliance & Assurance | ✅ APRA oversight | Testing and review of resilience frameworks | ✅ Internal management review / audit & external audit and certification |
| Reporting & Notification | ✅ reporting direct to APRA | ✅ reporting direct to APRA | ⚠️ Not covered |