ADI / RSE / insurer / material service provider

Paragraph 27. Systematic testing. Evidence your regulator expects.

APRA CPS 234 penetration testing

CPS 234 does not literally say "penetration test". It says "systematic testing", and it leaves the frequency, depth and methodology to the regulated entity. In practice, APRA-regulated banks, superannuation funds, insurers, and their material service providers use manual penetration testing as the core evidence of paragraph 27 compliance. Cyber Node is a FinTech Australia member and works across the APRA-regulated population.

What the standard says

CPS 234 testing clauses, quoted

CPS 234 has been in force since 1 July 2019. The testing-related paragraphs below are the ones we scope engagements against.

  • Paragraph 27 — systematic testing

    "An APRA-regulated entity must test the effectiveness of its information security controls through a systematic testing program. The nature and frequency of the systematic testing must be commensurate with the rate at which the vulnerabilities and threats change, the criticality and sensitivity of the information asset, the consequences of an information security incident, the risks associated with exposure to environments where the APRA-regulated entity is unable to enforce its information security policies, and the materiality and frequency of change to information assets."

  • Paragraph 28 — control testing frequency

    Testing must occur when there are material changes to information assets and at least annually. This is the clause most auditors reference when they ask how recently the last pen test ran.

  • Paragraphs 20 to 22 — third party / material service providers

    The entity's CPS 234 obligations extend to information assets managed by related parties and third parties. Material service providers are expected to provide equivalent assurance.

  • Paragraphs 33 to 35 — notification of incidents

    Material incidents must be notified to APRA within 72 hours. Pen test findings that indicate such exposure are flagged in the report so the entity can meet that deadline.

  • Independent assessment — periodic

    APRA expects regulated entities to commission a periodic independent review of CPS 234 compliance. Pen test reports are typically one input to that review; Cyber Node is not the independent assessor.

What we deliver, what we refer

CPS 234 engagement scope, honestly

In scope for Cyber Node

Technical testing of regulated systems

  • External and internal pen testing of regulated information assets

  • Cloud and identity layer testing

  • Material service provider pen testing

  • Reports written for paragraph 27 evidence

  • Retest and remediation verification

Out of scope, we refer

Independent assessment and GRC

  • Independent CPS 234 assessment

    Assurance firms and internal audit functions.

  • Information security capability gap analysis

    GRC consultancies.

  • Third party risk register and due diligence

    GRC platforms such as Vanta or Drata, or bespoke vendor management tooling.

  • APRA notification and incident response playbook

    Specialist IR retainers.

  • CPS 230 operational risk program

    Adjacent but distinct. We scope testing where it overlaps.

CPS 234 FAQ

Questions from ADI, RSE, and insurer buyers

Not in those words. CPS 234 paragraph 27 requires APRA-regulated entities to conduct systematic testing of information security controls. Paragraph 28 states the frequency must reflect the materiality, rate of change, and threat environment. Penetration testing is the standard form of evidence regulated entities use to meet paragraph 27.

Annually as a baseline, with an additional test following any material change, new product launch, or significant threat intelligence. Paragraph 28 is deliberately principles-based; your internal audit function and APRA's own thematic reviews set the expectation.

Yes. Paragraphs 20 to 22 extend the entity's obligations to material service providers. A FinTech that processes data for an ADI or RSE is covered. Cyber Node scopes engagements for both the regulated entity and the material service provider.

We coordinate with internal audit, external assurance providers, and the team performing the CPS 234 independent assessment where one is underway. We do not deliver the independent assessment itself; that must be performed by an assurance firm.

CPS 230 is adjacent to CPS 234 and carries its own testing obligations around critical operations, including business continuity and service provider oversight. Where CPS 230 controls are in scope, we scope pen tests to provide evidence for them, particularly around critical IT systems and third party risk.

CPS 234 engagement

Paragraph 27 evidence your board and APRA will accept