APRA · CPS 230 · OPERATIONAL RISK

APRA CPS 230, operational resilience as ongoing control work.

One standard pulls together operational risk, business continuity, and service-provider management. Cybereen runs it as living control work — critical operations mapped, tolerances tracked, the provider register current — not a once-a-year scramble.

At a glance

  • Owner · APRA (Australia)
  • In force · 1 July 2025
  • Scope · Banks, insurers, RSE licensees
  • Replaces · CPS 231 + CPS 232
  • Cybereen status · Live coverage
WHAT IT IS

One standard, three obligations.

CPS 230 is APRA's operational risk standard. It requires regulated entities to manage operational risk, maintain critical operations within board-set tolerances, and manage the service providers those operations depend on.

It consolidates the old outsourcing and business-continuity standards (CPS 231 and CPS 232) into one, and raises the bar: you must identify your critical operations, set tolerance levels for the maximum disruption you can absorb, and prove — through scenario testing — that you can stay inside them.

The service-provider piece reaches further than old outsourcing rules: a register of material service providers, managed arrangements, and visibility of fourth parties your providers rely on. The board carries accountability throughout.

The honest version: The hard part isn't writing the policy — it's keeping the service-provider register and tolerance levels current as your business changes, and actually testing them. That's the living control work Cybereen runs for you.
THE OPERATING RHYTHM

Identify · Set · Test · Report. On a continuous clock.

CPS 230 isn't an annual document — it's a cycle. Cybereen schedules each step, assigns the owner, and keeps the evidence the board and APRA expect.

IDENTIFY

Critical operations.

Map the operations that, if disrupted, would materially affect customers or financial stability — and the processes, people, and providers behind each.

  • Critical operations list
  • Dependency mapping
  • Process → provider links
TEST

Scenario & continuity.

Run business continuity and scenario tests against the tolerances. Prove you can stay inside them — and capture where you couldn't.

  • BCP + scenario tests
  • Results vs tolerance
  • Remediation tracked
REPORT

Board & incidents.

Report operational risk to the board, notify APRA of material incidents, and feed lessons back into controls and tolerances.

  • Board reporting pack
  • Incident notification
  • Lessons → controls
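As an added illustration (not Cybereen's code; the operation names, providers and dates are constructed), a small register check that applies the cycle above: each critical operation's latest scenario test is compared with its board-set tolerance, open remediation is flagged, and material providers whose last review is older than 90 days are flagged as stale.

```python
from dataclasses import dataclass, field
from datetime import date

@dataclass
class ScenarioTest:
    run_on: date
    outage_hours: float          # disruption observed in the test
    remediation_closed: bool = True

@dataclass
class Provider:
    name: str
    material: bool
    last_reviewed: date
    fourth_parties: tuple = ()   # who the provider itself depends on

@dataclass
class CriticalOperation:
    name: str
    tolerance_hours: float       # board-approved maximum disruption
    providers: list
    tests: list = field(default_factory=list)

def assess(ops, today, test_window_days=365, review_window_days=90):
    """Return (operation, finding) pairs: tolerances without test evidence,
    breached tolerances, open remediation, and stale material-provider entries."""
    findings = []
    for op in ops:
        recent = [t for t in op.tests if (today - t.run_on).days <= test_window_days]
        if not recent:
            findings.append((op.name, "no scenario test in window"))
        else:
            latest = max(recent, key=lambda t: t.run_on)
            if latest.outage_hours > op.tolerance_hours:
                findings.append((op.name, "tolerance breached"))
                if not latest.remediation_closed:
                    findings.append((op.name, "remediation open"))
        for p in op.providers:
            if p.material and (today - p.last_reviewed).days > review_window_days:
                findings.append((op.name, f"stale provider review: {p.name}"))
    return findings

def sample_register():
    """Constructed sample data; no real entity or provider is described."""
    cloud = Provider("ExampleCloud", True, date(2025, 3, 1), ("ExampleDC",))
    mailer = Provider("ExampleMail", False, date(2024, 1, 1))
    return [
        CriticalOperation("payments", 4, [cloud], [ScenarioTest(date(2025, 7, 15), 2.5)]),
        CriticalOperation("claims", 24, [cloud, mailer],
                          [ScenarioTest(date(2025, 5, 20), 30, remediation_closed=False)]),
        CriticalOperation("member servicing", 8, [mailer]),
    ]

def sample_assessment():
    return assess(sample_register(), date(2025, 8, 1))
```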
WHAT IT COVERS

Three obligations. One register of evidence.

CPS 230 bundles three bodies of work that used to live apart. Cybereen runs them on one platform so each body of work's evidence reinforces the others rather than duplicating it.

1. Operational risk management

Identify, assess, and manage operational risk; maintain effective controls; manage operational risk incidents end to end.

Evidence: Risk + controls · Incident log
2. Business continuity

Critical operations, tolerance levels, a business continuity plan, and scenario testing that proves you can stay within tolerance.

Evidence: BCP + tolerances · Test results
3. Service provider management

A register of material service providers, managed arrangements, monitoring, and visibility of the fourth parties they depend on.

Evidence: Provider register · 4th-party view
4. Board accountability

The board owns operational risk management — approving tolerances, overseeing critical operations, and holding management to account.

Evidence: Board pack · Decisions logged

  • Policy — template + approval workflow
  • Evidence — tests, incidents, provider reviews, dated
  • Reuses your CPS 234 + ISO control evidence
INSIDE CYBEREEN

Critical operations and providers. In one live view.

Your critical operations, their tolerances, the providers they depend on, and the test evidence that proves resilience — current, not reconstructed the week before a board meeting.

  • Critical operations register — each mapped to its processes, providers, and tolerance.
  • Service-provider register — material providers, arrangements, and fourth-party exposure.
  • Tolerance tracking — set, board-approved, and tested against scenario results.
  • Incident management — operational incidents logged, with APRA notification timelines.
  • Evidence reuse — your CPS 234 and ISO controls pre-fill the overlap.
[Screenshot: Cybereen CPS 230 — critical operations and operational-risk register with tolerances, service providers, and test evidence]
COMMON MISTAKES

Three places CPS 230 programmes slip.

Patterns we see as entities move off the old CPS 231/232 world.

Mistake 01

Tolerances set, never tested.

Writing tolerance levels is the easy half. APRA expects evidence you can stay within them — from real scenario tests, not an assertion in a policy.

Fix: Schedule scenario tests against each tolerance; track results to remediation.
Mistake 02

A provider register that rots.

A material-service-provider register is only useful if it's current. New SaaS gets wired in monthly; an annual refresh means it's wrong most of the year — and blind to fourth parties.

Fix: Keep the register live, with provider changes captured as they happen.
Mistake 03

Continuity treated as a binder.

Carrying CPS 232's annual-BCP habit into CPS 230 misses the point. Operational resilience is continuous — critical operations and dependencies shift through the year.

Fix: Run the cycle continuously; review critical operations as the business changes.
APRA CPS 230 FAQ

Questions before your transition.

If yours isn't here, the contact form has a free-text field — answers go in the next page revision.

When does CPS 230 take effect?
CPS 230 is in force from 1 July 2025 for APRA-regulated entities. APRA has allowed transitional relief for some existing service-provider arrangements, which extends to 1 July 2026 — but the core operational risk, critical operations, and continuity obligations apply now.
What does it replace?
It consolidates and replaces CPS 231 (Outsourcing) and CPS 232 (Business Continuity Management) — and the equivalent super standards (SPS 231/232) and HPS versions. Three previously separate programmes become one operational risk standard, which is why an integrated platform helps.
How is CPS 230 different from CPS 234?
CPS 234 is information security — protecting information assets. CPS 230 is operational risk and resilience — keeping critical operations running, managing providers, and continuity. They overlap on third parties and incidents, so Cybereen reuses the shared evidence across both rather than running them twice.
What counts as a "critical operation"?
An operation that, if disrupted, would have a material adverse impact on your depositors, policyholders, or members — or on financial stability. Think payments, claims, member servicing, settlement. You define and justify the list; the board approves it; tolerances and testing attach to each.
How does Cybereen handle the service-provider register?
Material service providers are tracked with their arrangements, the critical operations they support, and the fourth parties they rely on. Changes are captured as they happen and dated, so when APRA — or your board — asks "who do we depend on for payments?", the answer is current, not reconstructed.

Run CPS 230 as control work, not a project.

Map critical operations, set and test tolerances, keep the provider register live — on the same platform as CPS 234 and your ISO controls. Book a walk-through and we'll map it to your operations.
