If you are a material service provider with ISO 27001 certification serving APRA-regulated clients, you have a head start on CPS 234 compliance. But a head start is not the finish line. The question every MSP needs to answer clearly is: which CPS 234 requirements does my ISO 27001 certification already cover, and where are the gaps?

This article provides the detailed controls mapping that answers that question. We map each CPS 234 obligation area to the specific ISO 27001:2022 Annex A controls that address it, assess the coverage level, and explain what the mapping means in practice for service providers delivering to the Australian financial services sector.

No competitor has published this mapping in detail. Most guidance stops at "ISO 27001 covers a lot of CPS 234" without showing you exactly what covers what, and more importantly, what does not. That ambiguity costs MSPs time and creates risk. This resource eliminates it.

How to use this mapping: Work through each CPS 234 obligation area. For each one, check which ISO 27001 controls you already have in place. Where coverage is full, document the mapping in your evidence pack. Where coverage is partial or a gap, that is your remediation scope. The mapping table becomes your CPS 234 gap assessment baseline.

Understanding the Two Frameworks

Before diving into the mapping, it helps to understand what each framework is trying to achieve and how they differ structurally.

CPS 234 is APRA's prudential standard for information security, effective since 1 July 2019. It applies directly to APRA-regulated entities (banks, insurers, superannuation trustees) and indirectly to their material service providers through contractual flow-down. CPS 234 is prescriptive about outcomes: what the regulated entity must achieve in terms of security capability, policy, asset management, controls, incident management, testing, and notification. It is relatively short - approximately 36 paragraphs - but each paragraph carries significant regulatory weight.

ISO 27001:2022 is the international standard for information security management systems (ISMS). It is a management system standard - it defines how an organisation should establish, implement, maintain, and continually improve its information security. Annex A contains 93 reference controls across four domains: organisational, people, physical, and technological. ISO 27001 is certifiable by accredited bodies and is globally recognised.

The structural difference matters. CPS 234 tells you what to achieve. ISO 27001 tells you how to manage achieving it. They are complementary, not competing. An MSP with ISO 27001 has the management system infrastructure that CPS 234 assumes exists - the question is whether the ISMS scope and controls cover the specific APRA requirements.

The Complete Controls Mapping

The following tables map each CPS 234 obligation area to the relevant ISO 27001:2022 Annex A controls and ISMS clauses. Coverage is assessed as Full (the mapped ISO 27001 controls satisfy the requirement), Partial (the controls address it, but APRA expects something more specific), or Gap (no ISO 27001 equivalent exists).

1. Roles and Responsibilities

CPS 234 paragraphs 13-16 require the board to define clear roles and responsibilities for information security, including the board itself, senior management, and governing bodies. The board must ensure the entity maintains information security in a manner commensurate with the size and extent of threats.

| CPS 234 Requirement | ISO 27001 Controls | Coverage | Commentary |
|---|---|---|---|
| Board-defined roles and responsibilities | A.5.2 (Information security roles and responsibilities), Clause 5.1 (Leadership and commitment) | Partial | ISO 27001 requires top management commitment and defined roles but does not prescribe board-level accountability to the specificity APRA expects. CPS 234 requires the board to approve the policy framework and receive reporting on material security matters. |
| Senior management oversight | A.5.4 (Management responsibilities), Clause 5.3 (Organizational roles) | Full | ISO 27001 clause 5.3 and A.5.4 require management to ensure policies are followed and resources allocated. This aligns well with CPS 234's senior management oversight requirement. |
| Governing body security capability | A.6.3 (Information security awareness, education and training) | Partial | ISO 27001 covers security awareness broadly. CPS 234 specifically requires that governing bodies have sufficient knowledge to understand and oversee information security risk. MSPs should document board or executive security competency. |

What this means for MSPs: If you have ISO 27001, you have documented roles and management commitment. To satisfy CPS 234, ensure your governance documentation explicitly addresses board-level (or executive-level, for MSPs without a formal board) accountability for information security, including approval of the security policy and regular security reporting to leadership.

2. Information Security Capability

CPS 234 paragraphs 17-18 require the entity to maintain information security capability commensurate with the size and extent of threats to its information assets. This includes the capability of the entity and any third parties managing information assets on its behalf.

| CPS 234 Requirement | ISO 27001 Controls | Coverage | Commentary |
|---|---|---|---|
| Commensurate security capability | Clause 7.1 (Resources), Clause 7.2 (Competence), A.5.2 | Full | ISO 27001 requires the organisation to determine and provide resources needed for the ISMS and ensure personnel are competent. This directly addresses capability requirements. |
| Personnel screening and competence | A.6.1 (Screening), A.6.2 (Terms and conditions of employment), A.6.3 (Awareness, education and training) | Full | ISO 27001 covers pre-employment screening, contractual security obligations, and ongoing security training comprehensively. Well-mapped to CPS 234 capability requirements. |
| Third-party security capability assessment | A.5.19 (Information security in supplier relationships), A.5.20 (Addressing information security within supplier agreements) | Partial | ISO 27001 requires assessment of supplier security. CPS 234 paragraph 23 specifically requires the assessment to be commensurate with the potential consequences of an information security incident. APRA expects a proportionality analysis, not just a generic vendor assessment. |

What this means for MSPs: Your ISO 27001 ISMS demonstrates structured security capability. The gap to address is ensuring your capability assessment of subcontractors explicitly considers the sensitivity of regulated client data and is proportionate to the risk - not a one-size-fits-all vendor questionnaire.

3. Information Security Policy Framework

CPS 234 paragraphs 19-20 require a policy framework commensurate with the entity's exposures to vulnerabilities and threats. Policies must be reviewed at least annually or when material changes occur.

| CPS 234 Requirement | ISO 27001 Controls | Coverage | Commentary |
|---|---|---|---|
| Documented policy framework | A.5.1 (Policies for information security), Clause 5.2 (Policy) | Full | ISO 27001 requires a documented information security policy approved by top management, supported by topic-specific policies. This is a core ISMS requirement. |
| Annual policy review | Clause 10.1 (Continual improvement), A.5.1 | Full | ISO 27001 requires policies to be reviewed at planned intervals or when significant changes occur. Aligns directly with CPS 234's annual review requirement. |
| Commensurate with exposures | Clause 6.1 (Actions to address risks and opportunities) | Full | ISO 27001's risk-based approach ensures the ISMS (including policies) is proportionate to the organisation's risk profile. This satisfies CPS 234's proportionality requirement. |

What this means for MSPs: This is one of the strongest alignment areas. If your ISO 27001 policy framework is current and reviewed annually, you satisfy CPS 234's policy requirements. Ensure your policies explicitly reference the services you deliver to regulated clients and the information assets in scope.

4. Information Asset Identification and Classification

CPS 234 paragraphs 21-22 require identification and classification of information assets by criticality and sensitivity, including those managed by third parties. Classification must reflect the degree to which an information security incident could affect the entity or its customers.

| CPS 234 Requirement | ISO 27001 Controls | Coverage | Commentary |
|---|---|---|---|
| Information asset identification | A.5.9 (Inventory of information and other associated assets) | Full | ISO 27001 requires an inventory of information assets with identified owners. Directly satisfies CPS 234's identification requirement. |
| Classification by criticality and sensitivity | A.5.12 (Classification of information), A.5.13 (Labelling of information) | Full | ISO 27001 requires a classification scheme based on confidentiality, integrity, and availability requirements. Well-aligned with CPS 234's criticality and sensitivity classification. |
| Third-party managed assets included | A.5.9, A.5.19, A.5.21 (Managing information security in the ICT supply chain) | Partial | ISO 27001 covers asset inventory and supplier management, but CPS 234 specifically requires that the classification includes assets managed by third parties. MSPs must ensure their asset register includes all regulated client data they hold, process, or access, including through subcontractors. |
| Acceptable use of assets | A.5.10 (Acceptable use of information and other associated assets) | Full | ISO 27001 requires acceptable use rules to be identified, documented, and implemented. Supports CPS 234 asset management requirements. |

What this means for MSPs: Your ISO 27001 asset register and classification scheme provide strong coverage. The practical action is ensuring your register explicitly identifies regulated client data, classifies it according to the client's sensitivity requirements, and maps where that data flows through your subcontractors and cloud providers.

5. Implementation of Controls

CPS 234 paragraphs 23-25 require implementation of controls to protect information assets commensurate with their criticality and sensitivity, and to undertake systematic assessment of third-party information security capability.

| CPS 234 Requirement | ISO 27001 Controls | Coverage | Commentary |
|---|---|---|---|
| Controls commensurate with asset criticality | A.5.15 (Access control), A.5.16 (Identity management), A.5.17 (Authentication information), A.5.18 (Access rights) | Full | ISO 27001's access control family provides comprehensive control implementation aligned to asset classification. Combined with the risk-based approach, this satisfies CPS 234's proportionality requirement for control implementation. |
| Technology controls | A.8.1 (User endpoint devices), A.8.5 (Secure authentication), A.8.9 (Configuration management), A.8.15 (Logging), A.8.16 (Monitoring activities), A.8.20 (Networks security), A.8.24 (Use of cryptography) | Full | ISO 27001:2022 Annex A has extensive technological controls covering endpoints, authentication, configuration, logging, monitoring, network security, and encryption. Strong alignment with CPS 234's control implementation expectations. |
| Third-party control assessment | A.5.19, A.5.20, A.5.21 (ICT supply chain), A.5.22 (Monitoring of supplier services) | Partial | ISO 27001 covers supplier security management comprehensively. CPS 234 adds the requirement that assessment is commensurate with the potential consequences of an incident - not just a contractual obligation but an active, proportionate assessment. APRA expects evidence of ongoing oversight, not just initial due diligence. |
| Cloud security | A.5.23 (Information security for use of cloud services) | Full | ISO 27001:2022 added A.5.23 specifically for cloud services, covering acquisition, use, management, and exit from cloud services. Directly relevant for MSPs using cloud infrastructure to deliver regulated client services. |

What this means for MSPs: ISO 27001 provides strong control implementation coverage. The gap to address is ensuring your third-party assessments are not generic vendor reviews but proportionate evaluations that consider the specific sensitivity of regulated client data processed by each subcontractor. Document the proportionality rationale.

6. Incident Management

CPS 234 paragraphs 26-28 require mechanisms to detect and respond to information security incidents in a timely manner, and to notify APRA of material incidents. This is where the most significant gap between ISO 27001 and CPS 234 emerges.

| CPS 234 Requirement | ISO 27001 Controls | Coverage | Commentary |
|---|---|---|---|
| Incident detection and response mechanisms | A.5.24 (Incident management planning and preparation), A.5.25 (Assessment and decision on events), A.5.26 (Response to incidents) | Full | ISO 27001 incident management controls cover the full lifecycle: planning, detection, assessment, response. Strong foundation for CPS 234 incident management requirements. |
| Incident escalation and reporting | A.6.8 (Information security event reporting), A.5.27 (Learning from incidents) | Partial | ISO 27001 requires event reporting and learning processes. CPS 234 adds specific timeline requirements and the expectation that your notification to the regulated client is fast enough for them to assess their own APRA reporting obligation within 72 hours. |
| Evidence collection and preservation | A.5.28 (Collection of evidence) | Full | ISO 27001:2022 explicitly includes evidence collection as a control. Supports forensic and regulatory requirements under CPS 234. |
| APRA notification within 72 hours | No equivalent | Gap | ISO 27001 has no concept of regulatory notification to APRA. This is an APRA-specific obligation. MSPs must build a notification workflow that gives their regulated client enough time to assess and report within APRA's 72-hour window. Practically, initial MSP notification should occur within hours. |
| Notification of control weaknesses | No equivalent | Gap | CPS 234 paragraph 36 requires notification to APRA within 10 business days if the entity becomes aware it will not be able to remediate a material information security control weakness in a timely manner. No ISO 27001 equivalent - requires an APRA-specific escalation process. |

The notification gap is critical. Even with a mature ISO 27001 incident management process, you need an APRA-specific notification layer. Build financial services-specific playbooks with defined notification timelines - 24 hours for initial client notification on material incidents, structured follow-up at defined intervals, and incident classification criteria aligned to APRA's materiality threshold.

What this means for MSPs: Your ISO 27001 incident management process is a solid foundation. Layer on top: APRA-aligned incident classification criteria, client notification workflows with defined timelines, and a process for flagging unremediated control weaknesses. These additions are process-level, not technology-level - they are achievable in weeks, not months.

7. Testing Control Effectiveness

CPS 234 paragraphs 29-32 require systematic testing of information security controls through a testing program. Testing frequency must be commensurate with the rate of change in vulnerabilities and threats, the criticality of assets, the consequences of an incident, and the risks of environments not subject to the entity's policies.

| CPS 234 Requirement | ISO 27001 Controls | Coverage | Commentary |
|---|---|---|---|
| Systematic control testing program | A.5.35 (Independent review of information security), A.5.36 (Compliance with policies, rules and standards) | Partial | ISO 27001 requires independent review and compliance verification. CPS 234 is more prescriptive about testing frequency being risk-driven rather than calendar-driven. Annual testing may not satisfy CPS 234 if the threat landscape has changed materially. |
| Vulnerability management | A.8.8 (Management of technical vulnerabilities) | Full | ISO 27001 requires identification, evaluation, and remediation of technical vulnerabilities. Well-aligned with CPS 234's testing expectations. Supplement with a defined scanning cadence (quarterly minimum for regulated client environments). |
| Penetration testing | A.8.8, A.5.35 | Partial | ISO 27001 does not explicitly require penetration testing, but A.8.8 and A.5.35 together support it. CPS 234 expects penetration testing as part of the testing program for environments managing regulated client data. Annual independent penetration testing is the baseline expectation. |
| Testing third-party controls | A.5.22 (Monitoring, review and change management of supplier services) | Partial | ISO 27001 requires monitoring and review of supplier services. CPS 234 extends this to include testing of controls operated by third parties. For MSPs, this means you should be able to demonstrate that your subcontractors' controls are tested, not just reviewed contractually. |

What this means for MSPs: Your ISO 27001 audit and vulnerability management processes cover the structure. The CPS 234 enhancement is frequency and depth: quarterly vulnerability scanning, annual independent penetration testing, and risk-driven testing cadence rather than fixed calendar intervals. Document your rationale for testing frequency based on threat and asset sensitivity.

8. Internal Audit

CPS 234 paragraph 33 requires the internal audit function to review the design and operating effectiveness of information security controls, including those maintained by third parties.

| CPS 234 Requirement | ISO 27001 Controls | Coverage | Commentary |
|---|---|---|---|
| Internal audit of information security | Clause 9.2 (Internal audit) | Full | ISO 27001 clause 9.2 requires internal audit at planned intervals to verify the ISMS conforms to requirements and is effectively implemented. Directly satisfies CPS 234's internal audit requirement. |
| Audit of third-party controls | A.5.22, A.5.35 | Partial | ISO 27001 supports supplier monitoring and independent review. CPS 234 expects the internal audit scope to include controls maintained by third parties. For MSPs, ensure your audit program includes assessment of subcontractor control effectiveness, not just your own environment. |
| Management review of audit findings | Clause 9.3 (Management review) | Full | ISO 27001 requires management review of audit results, including the status of actions from previous reviews. Aligns with CPS 234's governance expectations. |

What this means for MSPs: Your ISO 27001 internal audit program is well-aligned. The action item is ensuring your audit scope explicitly includes assessment of subcontractor controls protecting regulated client data, and that audit findings are escalated through your governance structure.

9. APRA Notification

CPS 234 paragraphs 34-36 require notification to APRA within 72 hours of becoming aware of a material information security incident, and within 10 business days if unable to remediate a material control weakness in a timely manner.

| CPS 234 Requirement | ISO 27001 Controls | Coverage | Commentary |
|---|---|---|---|
| 72-hour APRA incident notification | No equivalent | Gap | ISO 27001 has no concept of regulatory notification to APRA. The obligation sits with the regulated entity, but MSPs must enable it by notifying their client fast enough for the client to assess and report. Build APRA-specific notification workflows with defined timelines. |
| 10-day control weakness notification | No equivalent | Gap | No ISO 27001 equivalent. If you identify a material control weakness that cannot be remediated promptly, your regulated client needs to know so they can assess APRA notification. Build an escalation process for significant control deficiencies. |
| APRA audit and access rights | No equivalent | Gap | CPS 230 requires contracts with MSPs to include provisions for APRA to conduct direct examinations. No ISO 27001 equivalent. Update contract terms to accommodate APRA access and build an audit facilitation process. |

What this means for MSPs: This is the area where ISO 27001 provides no coverage. APRA notification, control weakness escalation, and APRA audit access are purely regulatory requirements that must be built as additional processes. The good news: these are well-defined process additions, not complex technology implementations.

What ISO 27001 Gives You Towards CPS 234

If you hold an active ISO 27001 certification with a scope that covers the services you deliver to regulated clients, you already have substantial CPS 234 coverage. Here is the summary:

Areas Where ISO 27001 Fully Satisfies CPS 234

  • Information security policy framework - documented, risk-based, annually reviewed. CPS 234 paragraphs 19-20 covered by A.5.1 and Clause 5.2.
  • Information asset identification and classification - asset register, classification scheme, acceptable use. CPS 234 paragraphs 21-22 covered by A.5.9, A.5.12, A.5.13.
  • Information security capability - resources, competence, screening, training. CPS 234 paragraphs 17-18 covered by Clause 7.1, 7.2, A.6.1, A.6.2, A.6.3.
  • Control implementation - access controls, technology controls, encryption, monitoring. CPS 234 paragraphs 23-25 covered by A.5.15-A.5.18, A.8.x controls.
  • Incident detection and response - incident management lifecycle, evidence collection. CPS 234 paragraphs 26-28 covered by A.5.24-A.5.28.
  • Internal audit - planned audit program, management review. CPS 234 paragraph 33 covered by Clause 9.2, 9.3.
  • Business continuity - BCP, ICT readiness, recovery capability. Supports CPS 230 contractual requirements via A.5.29, A.5.30.

Areas Where ISO 27001 Provides Partial Coverage

  • Board-level governance - ISO 27001 requires top management commitment but CPS 234 prescribes board-level accountability for approving policy, receiving security reporting, and ensuring adequate capability. Extend your governance documentation.
  • Third-party assessment proportionality - ISO 27001 covers supplier management but CPS 234 requires assessment to be commensurate with the potential consequences of an incident. Add proportionality criteria to your vendor assessment process.
  • Control testing frequency - ISO 27001 supports planned testing and review. CPS 234 requires testing frequency to be risk-driven and commensurate with the threat environment. Document your risk-based testing cadence rationale.
  • Incident notification timelines - ISO 27001 covers incident management and event reporting. CPS 234 adds specific timeline expectations that enable the regulated client to meet APRA's 72-hour reporting window.

CPS 234 Gaps - No ISO 27001 Equivalent

  • APRA incident notification (72 hours) - build a financial services-specific notification workflow with defined timelines for initial and follow-up client notification.
  • Control weakness notification (10 business days) - build an escalation process for material control deficiencies that cannot be remediated promptly.
  • APRA audit and access rights - update contract terms to accommodate direct APRA examination and build an audit facilitation process.
  • APRA-specific board accountability - document board/executive-level approval of the security policy framework and regular security reporting cadence.

Closing the Gaps: A Practical Approach for ISO 27001-Certified MSPs

If you already have ISO 27001 certification, CPS 234 alignment is not a rebuild - it is a focused extension. Here is the recommended approach:

Step 1: Map your Statement of Applicability to CPS 234 (Week 1-2)

Use the mapping table in this article as your starting point. Walk through each CPS 234 obligation area and identify which controls in your Statement of Applicability already address it. Document full coverage, partial coverage, and gaps. This produces your CPS 234 gap assessment without duplicating work you have already done.
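As an added illustration of Step 1 (example code, not the article's or Logic Weave's own tooling), the Python below turns a subset of the mapping tables into data, reads a constructed Statement of Applicability extract, and computes the coverage an MSP can actually evidence: a Full or Partial mapping is downgraded when the SoA shows a mapped control as Planned or Excluded rather than Implemented. The SoA status vocabulary and the sample entries are assumptions.

```python
"""Step 1 worked example: derive a CPS 234 gap assessment from an ISO 27001
Statement of Applicability (SoA). Added illustration; not the article's own tooling."""
from dataclasses import dataclass

# Coverage levels used in the mapping tables, ordered weakest to strongest.
RANK = {"Gap": 0, "Partial": 1, "Full": 2}


@dataclass(frozen=True)
class Requirement:
    area: str             # CPS 234 obligation area
    name: str             # requirement row in the mapping table
    controls: tuple       # ISO 27001 controls/clauses the mapping assigns to it
    mapped_coverage: str  # coverage when every mapped control is implemented


# A subset of the article's mapping rows, transcribed as data (not the full table).
MAPPING = (
    Requirement("3. Policy Framework", "Documented policy framework",
                ("A.5.1", "Clause 5.2"), "Full"),
    Requirement("3. Policy Framework", "Annual policy review",
                ("Clause 10.1", "A.5.1"), "Full"),
    Requirement("5. Implementation of Controls", "Cloud security",
                ("A.5.23",), "Full"),
    Requirement("5. Implementation of Controls", "Third-party control assessment",
                ("A.5.19", "A.5.20", "A.5.21", "A.5.22"), "Partial"),
    Requirement("6. Incident Management", "Incident detection and response mechanisms",
                ("A.5.24", "A.5.25", "A.5.26"), "Full"),
    Requirement("6. Incident Management", "Evidence collection and preservation",
                ("A.5.28",), "Full"),
    Requirement("6. Incident Management", "APRA notification within 72 hours",
                (), "Gap"),
)

# Constructed SoA extract. The status values are an assumption: a typical SoA
# records each control as Implemented, Planned, or Excluded (with justification).
SAMPLE_SOA = {
    "A.5.1": "Implemented", "Clause 5.2": "Implemented", "Clause 10.1": "Implemented",
    "A.5.19": "Implemented", "A.5.20": "Implemented", "A.5.21": "Excluded",
    "A.5.22": "Implemented",
    "A.5.23": "Excluded",        # cloud control excluded from scope: a finding for a cloud MSP
    "A.5.24": "Implemented", "A.5.25": "Implemented", "A.5.26": "Implemented",
    "A.5.28": "Planned",         # evidence collection designed but not yet operating
}


def effective_coverage(req, soa):
    """Coverage the MSP can actually evidence for one requirement.

    Only 'Implemented' controls count; Planned, Excluded, or absent controls are
    treated as missing, which is the conservative reading a client auditor takes.
    Returns (coverage, missing_controls)."""
    if req.mapped_coverage == "Gap":
        return "Gap", ()                    # no ISO 27001 equivalent exists at all
    missing = tuple(c for c in req.controls if soa.get(c) != "Implemented")
    if not missing:
        return req.mapped_coverage, ()      # the mapping's coverage holds as stated
    if len(missing) == len(req.controls):
        return "Gap", missing               # none of the mapped controls is in place
    return "Partial", missing               # some mapped controls are in place


def assess(mapping, soa):
    """Return {area: {requirement: (coverage, missing_controls)}}."""
    result = {}
    for req in mapping:
        result.setdefault(req.area, {})[req.name] = effective_coverage(req, soa)
    return result


def area_summary(assessment):
    """Weakest coverage in each area: the headline figure for the evidence pack."""
    return {area: min((cov for cov, _ in reqs.values()), key=RANK.__getitem__)
            for area, reqs in assessment.items()}


def remediation_scope(assessment):
    """Every requirement not at Full, i.e. the remediation scope Step 1 produces."""
    return sorted((area, name, cov, missing)
                  for area, reqs in assessment.items()
                  for name, (cov, missing) in reqs.items() if cov != "Full")


if __name__ == "__main__":
    result = assess(MAPPING, SAMPLE_SOA)
    for area, cov in area_summary(result).items():
        print(f"{area}: {cov}")
    print("Remediation scope:")
    for area, name, cov, missing in remediation_scope(result):
        detail = f" (missing {', '.join(missing)})" if missing else ""
        print(f"  [{cov}] {area} / {name}{detail}")
```

Feeding the full mapping and a real SoA export through the same functions gives the per-area baseline the article describes, with the downgraded rows forming the remediation scope.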

Step 2: Build APRA-specific notification processes (Week 2-3)

This is the highest-priority gap. Create an incident classification scheme aligned to APRA's materiality threshold. Build a notification workflow: who notifies the regulated client, what information is included, and what the target notification timeline is (aim for initial notification within 24 hours for material incidents). Create a separate escalation process for material control weaknesses that cannot be remediated in a timely manner.

Step 3: Enhance governance documentation (Week 3-4)

Update your governance framework to explicitly address: board or executive-level approval of the information security policy, regular security reporting to leadership (quarterly minimum), and documented security competency at the governance level. If you are an MSP without a formal board, translate these to your executive leadership team.

Step 4: Update third-party assessment and contract terms (Week 3-5)

Add proportionality criteria to your vendor assessment process - the assessment depth should reflect the sensitivity of regulated client data the vendor handles. Update your standard contract terms to accommodate audit rights for regulated clients and for APRA. Ensure subcontracts include back-to-back provisions.

Step 5: Document and package (Week 5-6)

Package your CPS 234 alignment evidence: the ISO 27001 certificate, the SoA-to-CPS-234 mapping, APRA-specific processes, updated governance documentation, and your control testing schedule. This becomes your client-ready CPS 234 evidence pack for due diligence requests.

Timeline: For an MSP with active ISO 27001 certification and a well-maintained ISMS, CPS 234 alignment typically takes 4-6 weeks. Compare this to 12-16 weeks for an MSP starting from scratch. Your ISO 27001 investment accelerates the process significantly.

The Competitive Advantage

MSPs that can present a clear CPS 234-to-ISO-27001 mapping to their regulated clients demonstrate something that most competitors cannot: they have done the analysis, they understand exactly where they stand, and they can articulate their compliance position with specificity.

In contract renegotiations ahead of the 1 July 2026 CPS 230 deadline, that clarity is a differentiator. Regulated entities are reviewing their entire MSP portfolio. The MSP that arrives with a structured mapping, documented gap assessment, and a remediation plan is the one that retains the contract - and potentially wins business from competitors who cannot demonstrate the same level of rigour.

If you have ISO 27001, you have already made the investment in information security management. The CPS 234 mapping exercise turns that investment into a financial services-specific competitive advantage.

How Logic Weave Helps

Logic Weave works with ISO 27001-certified MSPs to complete the CPS 234 alignment in 4-6 weeks. Our engagement includes: SoA-to-CPS-234 mapping with gap assessment, APRA notification process development, governance documentation enhancement, third-party assessment framework update, and a packaged evidence set ready for client due diligence.

If you are an MSP with ISO 27001 and need to demonstrate CPS 234 alignment for your regulated clients before 1 July 2026, the foundation is already in place. The question is whether the gaps are documented, addressed, and evidenced.

You can review our dedicated CPS 234 compliance services page for engagement details, or book a 30-minute call to discuss your current position.

Frequently Asked Questions

Does ISO 27001 certification satisfy CPS 234 requirements for service providers?

ISO 27001 covers approximately 70-80% of CPS 234 requirements across information security capability, policy framework, asset management, access controls, incident management, and control testing. However, it does not address APRA-specific obligations including the 72-hour APRA notification requirement, direct APRA audit and access rights, board-level accountability as defined by APRA, and specific third-party assessment requirements under CPS 234 paragraph 23. ISO 27001 is a strong foundation but not a complete substitute for CPS 234 alignment.

Which CPS 234 requirements have no ISO 27001 equivalent?

Three CPS 234 requirements have no direct ISO 27001 equivalent: (1) APRA notification - the obligation to notify APRA within 72 hours of a material information security incident and within 10 business days if unable to remediate control weaknesses in a timely manner; (2) APRA audit and access rights - the contractual requirement to allow APRA to conduct direct examinations of service provider environments; and (3) APRA-specific board accountability - the requirement for the board to define information security roles, approve the policy framework, and receive regular reporting on material security matters. These require APRA-specific processes layered on top of the ISMS.

What is the best approach to mapping ISO 27001 controls to CPS 234 for an MSP?

Start with the eight CPS 234 obligation areas: roles and responsibilities, information security capability, policy framework, information asset identification and classification, implementation of controls, incident management, testing control effectiveness, and internal audit. For each area, identify which ISO 27001 Annex A controls and ISMS clauses already address the requirement, then document the coverage level as full, partial, or gap. Focus on the gaps - these are the APRA-specific items that need additional processes. The mapping exercise typically takes 2-4 weeks and produces the gap assessment that drives your remediation roadmap.

How do CPS 234 third-party requirements compare to ISO 27001 supplier controls?

ISO 27001 Annex A controls A.5.19 through A.5.22 cover supplier information security management comprehensively - policies, contractual requirements, ICT supply chain management, and ongoing monitoring. CPS 234 paragraph 23 requires specific assessment of whether third-party security measures are commensurate with the potential consequences of an information security incident. The key difference is APRA's expectation that the assessment is proportionate and ongoing, and that the regulated entity can demonstrate active oversight rather than just contractual clauses. For MSPs, this means your ISO 27001 supplier management controls need to be extended with APRA-specific assessment criteria and more frequent review cycles for subcontractors handling regulated client data.

Does ISO 27001 incident management satisfy CPS 234 incident notification requirements?

Partially. ISO 27001 Annex A controls A.5.24 through A.5.28 and A.6.8 cover incident management planning, event assessment, response, evidence collection, and reporting. These create a strong incident management foundation. However, CPS 234 adds specific requirements that ISO 27001 does not address: notification to APRA within 72 hours of becoming aware of a material incident, notification timelines fast enough for your regulated client to meet their own APRA reporting obligation, and classification criteria aligned to APRA's materiality threshold. MSPs need to layer financial services-specific notification workflows on top of their ISO 27001 incident management process.

Can an MSP use their ISO 27001 Statement of Applicability as a CPS 234 evidence document?

Yes - the Statement of Applicability (SoA) is an excellent starting point for CPS 234 evidence. It documents which controls are implemented and how, which directly supports the control evidence requirements of CPS 234. Map each CPS 234 obligation to the relevant SoA entries, then document any CPS 234 requirements not addressed in the SoA. The SoA combined with your internal audit reports, penetration test results, and risk treatment plan covers the majority of what a regulated client will request during due diligence. Add APRA-specific processes for notification, audit access, and board reporting to complete the picture.

How long does CPS 234 alignment take if an MSP already has ISO 27001?

For an MSP with an active ISO 27001 certification and a well-maintained ISMS, CPS 234 alignment typically takes 4-6 weeks rather than the standard 12-16 weeks. The gap assessment is faster because most controls already exist - you are identifying APRA-specific gaps rather than building from scratch. The main work involves building APRA notification processes, updating incident classification criteria, ensuring third-party assessment meets APRA's proportionality standard, and preparing for APRA audit and access rights. If your ISO 27001 scope already covers the services you deliver to regulated clients, the alignment is primarily process extension rather than new control implementation.

What ISO 27001 controls are most important for CPS 234 alignment?

The highest-impact ISO 27001 controls for CPS 234 alignment are: A.5.1 (information security policies) as the policy framework foundation; A.5.9 and A.5.12 (asset inventory and classification) for information asset management; A.5.15 through A.5.18 (access control) for implementation of controls; A.5.19 through A.5.22 (supplier relationships) for third-party management; A.5.24 through A.5.28 (incident management) as the base for APRA notification processes; A.5.35 and A.5.36 (independent review and compliance) for control testing; and A.5.29 and A.5.30 (business continuity) for operational resilience. These controls provide the structural backbone that CPS 234 requires.

Should an MSP pursue ISO 27001 or CPS 234 alignment first?

If you do not have either, pursue ISO 27001 first. It builds the comprehensive information security management system that CPS 234 assumes you have - policy framework, risk management, asset classification, access controls, incident management, and internal audit. CPS 234 alignment then becomes a focused extension adding APRA-specific processes on top of a working ISMS. Starting with CPS 234 alone risks building point solutions without the management system that sustains them. If you already have ISO 27001, move directly to CPS 234 gap assessment - the foundation is in place and alignment is a matter of weeks, not months.

How does the CPS 234 testing requirement compare to ISO 27001 internal audit?

CPS 234 paragraphs 29-32 require systematic testing of information security controls commensurate with the rate of change in vulnerabilities and threats, the criticality and sensitivity of information assets, the consequences of an incident, and the risks associated with exposure to environments not subject to the entity's policies. ISO 27001 clause 9.2 requires internal audit and Annex A controls A.5.35 and A.5.36 cover independent review and compliance verification. The key difference is CPS 234's emphasis on testing frequency being driven by risk and threat environment rather than a fixed annual cycle. For MSPs, this means your ISO 27001 audit program may need to be supplemented with more frequent testing of controls protecting regulated client data - quarterly vulnerability scanning and annual penetration testing are typical expectations.