From au-apra-cps-234
APRA CPS 234 expert for Australian prudential information security. Reference-depth framework plugin with scope determination, evidence checklist, and SCF-backed assessment guidance.
How this skill is triggered — by the user, by Claude, or both
Slash command
/au-apra-cps-234:au-apra-cps-234-expertThis skill is limited to the following tools:
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
Reference-depth expertise for **APRA Prudential Standard CPS 234 Information
Reference-depth expertise for APRA Prudential Standard CPS 234 Information
Security, represented in SCF as apac-aus-ps-cps-234-2019. This plugin
bundles the SCF crosswalk (52 SCF controls to 38 framework controls) with
CPS 234-specific assessment context.
apac-aus-ps-cps-234-2019CPS 234 is APRA's prudential information security standard for regulated financial entities. It requires information security capability that is commensurate with threats, vulnerabilities, and the sensitivity and criticality of information assets. For GRC work, treat CPS 234 as an accountability and resilience framework: the assessor needs to see clear information-asset ownership, tested controls, incident response readiness, and board-level oversight of material information security risk.
CPS 234 applies to APRA-regulated entities, including authorised deposit-taking institutions, general insurers, life insurers, private health insurers, RSE licensees, and other regulated groups within APRA's prudential perimeter. Scope analysis should identify information assets managed directly, by related parties, or by third parties, including cloud and outsourced services. Do not limit the scope to systems hosted in Australia; assets and service providers are in scope when they support APRA-regulated operations.
Evidence usually centers on information security policy, asset classification and ownership records, control standards, control testing plans and results, incident response plans, board or senior management reporting, vulnerability and threat monitoring, third-party assurance, materiality criteria, and notification records. CPS 234 does not define a SOC-style report package, but APRA-regulated entities should be able to show that control design, operating effectiveness, and incident notification obligations are managed and tested.
Control testing frequency should be commensurate with vulnerabilities, threats, asset criticality, asset sensitivity, and previous test results. CPS 234 also requires timely notification to APRA for material information security incidents and for material control weaknesses that cannot be remediated quickly. Assessment output should preserve both the control-testing cadence rationale and the evidence that incidents and weaknesses were escalated under the entity's materiality criteria.
APRA supervises regulated entities through prudential standards, reporting, reviews, directions, and enforcement action. In assessment output, separate CPS 234 control evidence from legal advice about licensing, capital impacts, or specific enforcement exposure.
CPS 234 commonly overlaps with CPS 220 risk management, CPS 230 operational risk, CPS 231 outsourcing for legacy programs, ISO 27001, NIST CSF, SOC 2 security and availability criteria, PCI DSS for payment environments, and the Australian Essential Eight. Use the SCF crosswalk for control mechanics, but keep CPS 234 reporting focused on APRA-regulated information assets, control testing, materiality, third-party reliance, and notification readiness.
/au-apra-cps-234:scope - determine applicability/au-apra-cps-234:assess - run a gap assessment/au-apra-cps-234:evidence-checklist - enumerate evidence requirements/au-apra-cps-234:assess delegates to /grc-engineer:gap-assessment with SCF
framework ID apac-aus-ps-cps-234-2019 for the control-by-control mechanics,
and wraps the results in CPS 234-specific terminology.
Full-depth plugins add framework-specific workflow commands tied to the audit ritual. Candidates for this framework:
/au-apra-cps-234:asset-criticality-register - build or review information
asset ownership, sensitivity, criticality, and control coverage./au-apra-cps-234:control-testing-plan - map testing nature and frequency to
threats, vulnerabilities, asset criticality, and previous results./au-apra-cps-234:material-incident-triage - classify whether an incident or
control weakness likely requires APRA notification./au-apra-cps-234:third-party-assurance-review - assess reliance on related
parties and third-party control testing.Guides creation and editing of skills using test-driven development with pressure scenarios and subagents to verify agent compliance.
Manages knowledge base ingestion, sync, and retrieval across local files, MCP memory, vector stores, and Git repos. Use for saving, organizing, deduplicating, or searching knowledge.
4plugins reuse this skill
First indexed Jul 18, 2026
npx claudepluginhub vantainc/claude-grc-engineering --plugin au-apra-cps-234