APRA CPS 230 Operational Risk Management

Australia

v2024

13 domains

57 controls

Australian Prudential Regulation Authority Prudential Standard CPS 230 sets out requirements for APRA-regulated entities to effectively manage operational risks, maintain business continuity, and manage risks from service provider arrangements. Effective 1 July 2025.

Verified

Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.

Framework Domains (13)

Assurance

1 controls

Controls in the Assurance domain of APRA CPS 230 Operational Risk Management — 1 controls
Code	Title	Description
CPS230-66	Independent Review	Periodic independent review of the operational risk framework is required.

Business Continuity

2 controls

Controls in the Business Continuity domain of APRA CPS 230 Operational Risk Management — 12 controls
Code	Title	Description
CPS230-25	Business Continuity Policy	The entity must maintain a business continuity policy approved by the Board covering all critical operations.
CPS230-26	Business Continuity Plans	The entity must maintain credible business continuity plans (BCPs) that detail actions, roles, and responsibilities for...
CPS230-27	Incident Management	Operational risk incidents must be recorded, investigated, escalated, and remediated.
CPS230-28	Recovery Objectives	BCPs must include recovery time objectives and recovery point objectives for critical operations and supporting resource...
CPS230-29	Communication Plans	BCPs must include communication plans for stakeholders including APRA, customers, employees, and service providers durin...
CPS230-30	Risk Culture	Entities must promote a sound risk culture across the organisation.
CPS230-31	Escalation Procedures	BCPs must include clear escalation procedures and criteria for invoking the plan.
CPS230-32	Dependencies Identification	BCPs must identify dependencies on people, technology, data, facilities, and service providers for each critical operati...
CPS230-33	BCP Testing	The entity must test BCPs for all critical operations with annual exercises, testing effectiveness and tolerance level a...
CPS230-34	Tailored Testing Programs	Testing programs must be tailored to material risks, including severe but plausible scenarios covering material service...
CPS230-36	Tolerance Levels for Disruption	Entities must set tolerance levels for the maximum disruption to critical operations.
CPS230-38	Business Continuity Plan	A documented business continuity plan must cover all critical operations and dependencies.

Business Continuity

11 controls

Requirements for business continuity planning (Paragraphs 25-36)

Controls in the Business Continuity domain of APRA CPS 230 Operational Risk Management — 12 controls
Code	Title	Description
CPS230-25	Business Continuity Policy	The entity must maintain a business continuity policy approved by the Board covering all critical operations.
CPS230-26	Business Continuity Plans	The entity must maintain credible business continuity plans (BCPs) that detail actions, roles, and responsibilities for...
CPS230-27	Incident Management	Operational risk incidents must be recorded, investigated, escalated, and remediated.
CPS230-28	Recovery Objectives	BCPs must include recovery time objectives and recovery point objectives for critical operations and supporting resource...
CPS230-29	Communication Plans	BCPs must include communication plans for stakeholders including APRA, customers, employees, and service providers durin...
CPS230-30	Risk Culture	Entities must promote a sound risk culture across the organisation.
CPS230-31	Escalation Procedures	BCPs must include clear escalation procedures and criteria for invoking the plan.
CPS230-32	Dependencies Identification	BCPs must identify dependencies on people, technology, data, facilities, and service providers for each critical operati...
CPS230-33	BCP Testing	The entity must test BCPs for all critical operations with annual exercises, testing effectiveness and tolerance level a...
CPS230-34	Tailored Testing Programs	Testing programs must be tailored to material risks, including severe but plausible scenarios covering material service...
CPS230-36	Tolerance Levels for Disruption	Entities must set tolerance levels for the maximum disruption to critical operations.
CPS230-38	Business Continuity Plan	A documented business continuity plan must cover all critical operations and dependencies.

Controls

1 controls

Controls in the Controls domain of APRA CPS 230 Operational Risk Management — 1 controls
Code	Title	Description
CPS230-24	Internal Controls	Entities must implement effective internal controls to manage identified operational risks.

Critical Operations

7 controls

Requirements for identifying and managing critical operations (Paragraphs 17-24)

Controls in the Critical Operations domain of APRA CPS 230 Operational Risk Management — 7 controls
Code	Title	Description
CPS230-17	Critical Operations Identification	The entity must identify its critical operations - processes, activities, services, and supporting resources that, if di...
CPS230-18	Critical Operations Register	The entity must maintain a register of critical operations, reviewed and updated at least annually.
CPS230-19	Critical Operation Tolerance Levels	The entity must set tolerance levels for disruption to each critical operation, approved by the Board, specifying maximu...
CPS230-20	Capability to Remain Within Tolerance	The entity must maintain the capability to continue critical operations within tolerance levels through severe but plaus...
CPS230-22	Vulnerability and Gap Identification	The entity must identify vulnerabilities and gaps in its ability to remain within tolerance levels and develop plans to...
CPS230-23	Regular Testing	The entity must test its ability to maintain critical operations within tolerance levels at least annually, including th...
CPS230-24	Internal Controls	Entities must implement effective internal controls to manage identified operational risks.

Governance

3 controls

Controls in the Governance domain of APRA CPS 230 Operational Risk Management — 3 controls
Code	Title	Description
CPS230-13	Board Accountability	The Board is ultimately accountable for the operational risk management of the regulated entity.
CPS230-14	Senior Management Roles	Senior management must have clearly defined roles and responsibilities for operational risk management.
CPS230-30	Risk Culture	Entities must promote a sound risk culture across the organisation.

Operational Risk Management Framework

10 controls

Requirements for establishing and maintaining an operational risk management framework (Paragraphs 7-16)

Controls in the Operational Risk Management Framework domain of APRA CPS 230 Operational Risk Management — 10 controls
Code	Title	Description
CPS230-10	Operational Risk Management Policy	The entity must maintain an operational risk management policy covering identification, assessment, management, monitori...
CPS230-11	Risk Identification and Assessment	The entity must identify and assess operational risks arising from people, processes, technology, external events, and l...
CPS230-12	Internal Controls and Systems	The entity must maintain adequate internal controls, information and technology systems to manage operational risk withi...
CPS230-13	Board Accountability	The Board is ultimately accountable for the operational risk management of the regulated entity.
CPS230-14	Senior Management Roles	Senior management must have clearly defined roles and responsibilities for operational risk management.
CPS230-15	Operational Risk Framework	Entities must maintain a documented operational risk management framework proportionate to size and complexity.
CPS230-16	Internal Audit Review	Internal audit must periodically review the operational risk management framework and report findings to the Board.
CPS230-7	Board Responsibility	The Board is ultimately responsible for oversight of operational risk management and must approve the entity's operation...
CPS230-8	Board Tolerance Levels	The Board must set tolerance levels for operational risk disruptions to critical operations and review them annually.
CPS230-9	Senior Management Accountability	Senior management is responsible for implementing the operational risk management framework in line with Board-approved...

Operations

2 controls

Controls in the Operations domain of APRA CPS 230 Operational Risk Management — 2 controls
Code	Title	Description
CPS230-27	Incident Management	Operational risk incidents must be recorded, investigated, escalated, and remediated.
CPS230-70	Change Management	Material changes to critical operations or service providers must follow defined change management.

Regulatory

1 controls

Controls in the Regulatory domain of APRA CPS 230 Operational Risk Management — 1 controls
Code	Title	Description
CPS230-60	APRA Notification of Provider Arrangements	Material service provider arrangements must be notified to APRA prior to entering.

Reporting

1 controls

Controls in the Reporting domain of APRA CPS 230 Operational Risk Management — 1 controls
Code	Title	Description
CPS230-63	Operational Risk Reporting	Material operational risk events and trends must be reported to the Board and APRA.

Risk Management

1 controls

Controls in the Risk Management domain of APRA CPS 230 Operational Risk Management — 1 controls
Code	Title	Description
CPS230-15	Operational Risk Framework	Entities must maintain a documented operational risk management framework proportionate to size and complexity.

Service Provider Management

12 controls

Requirements for managing material service providers (Paragraphs 37-49)

Controls in the Service Provider Management domain of APRA CPS 230 Operational Risk Management — 12 controls
Code	Title	Description
CPS230-37	Service Provider Management Policy	The entity must maintain comprehensive service provider management policies covering identification of material service...
CPS230-38	Business Continuity Plan	A documented business continuity plan must cover all critical operations and dependencies.
CPS230-39	Material Service Provider Identification	The entity must identify and register material service providers - those undertaking critical operations or exposing ent...
CPS230-40	Material Classification	Entities must classify specific arrangements as material: for ADIs - credit assessment, funding, liquidity management; f...
CPS230-42	APRA Classification Power	APRA may require classification of service providers, types, or arrangements as material for entities or classes of enti...
CPS230-43	Due Diligence	Before entering into or materially modifying material arrangements, entities must conduct due diligence including select...
CPS230-44	Service Provider Risk Identification	Entities must identify and assess service provider arrangements material to operations.
CPS230-45	APRA Access Provisions	Formal agreements must include provisions allowing APRA documentation, data and information access; APRA on-site visit r...
CPS230-46	Ongoing Risk Management	For each material arrangement, entities must identify and manage risks affecting ongoing service provision, step-in and...
CPS230-47	Monitoring and Reporting	Entities must monitor material arrangements and ensure senior management reporting including regular performance assessm...
CPS230-48	Service Provider Due Diligence	Due diligence must be conducted on material service providers prior to engagement and ongoing.
CPS230-49	Internal Audit of Service Providers	Internal audit must review proposed material critical operation outsourcing arrangements and regularly report to the Boa...

Third Party

5 controls

Controls in the Third Party domain of APRA CPS 230 Operational Risk Management — 5 controls
Code	Title	Description
CPS230-44	Service Provider Risk Identification	Entities must identify and assess service provider arrangements material to operations.
CPS230-48	Service Provider Due Diligence	Due diligence must be conducted on material service providers prior to engagement and ongoing.
CPS230-50	Service Provider Contracts	Contracts with material providers must include APRA-mandated clauses including access, audit, and termination rights.
CPS230-53	Service Provider Monitoring	Ongoing monitoring of material service providers must include performance, compliance, and risk indicators.
CPS230-57	Concentration Risk	Entities must assess concentration risk across service providers and geographic regions.

Your Compliance Coverage

If you comply with APRA CPS 230 Operational Risk Management, you already cover:

NIST SP 800-53 Rev 5

55%

26 controls mapped

Compare →

FedRAMP Rev 5

19%

9 controls mapped

Compare →

Annex 11 to EU GMP - Computerised Systems

19%

9 controls mapped

Compare →

+ 255 more: NIST SP 800-82 Revision 3: Guide to Industrial Control Systems (ICS) Security (17%), NIST Privacy Framework (17%)

See all 258 mapped frameworks ↓

Maps to 258 other frameworks

47 total controls

NIST SP 800-53 Rev 5

26 source controls mapped|23 target controls covered

55%

FedRAMP Rev 5

9 source controls mapped|4 target controls covered

19%

Annex 11 to EU GMP - Computerised Systems

9 source controls mapped|4 target controls covered

19%

NIST SP 800-82 Revision 3: Guide to Industrial Control Systems (ICS) Security

8 source controls mapped|3 target controls covered

17%

NIST Privacy Framework

8 source controls mapped|3 target controls covered

17%

NIS2 Directive

8 source controls mapped|5 target controls covered

17%

NERC CIP

8 source controls mapped|3 target controls covered

17%

IEEE 1686

8 source controls mapped|4 target controls covered

17%

NIST SP 800-171A Rev 3 - Assessing CUI Security Requirements

8 source controls mapped|7 target controls covered

17%

API 1164

8 source controls mapped|8 target controls covered

17%

NIST Cybersecurity Framework 2.0

8 source controls mapped|12 target controls covered

17%

ISO 27019

8 source controls mapped|8 target controls covered

17%

IEC 62443

8 source controls mapped|8 target controls covered

17%

ISO 28001:2007 Supply Chain Security Management

8 source controls mapped|3 target controls covered

17%

NIST AI Risk Management Framework (AI RMF 1.0)

8 source controls mapped|8 target controls covered

17%

NIST SP 1800-32

8 source controls mapped|7 target controls covered

17%

NIS2 Directive Implementing Acts

8 source controls mapped|3 target controls covered

17%

ISO 15189:2022 - Medical Laboratories Requirements for Quality and Competence

7 source controls mapped|4 target controls covered

15%

PSD2 SCA

7 source controls mapped|4 target controls covered

15%

OSFI B-13

7 source controls mapped|5 target controls covered

15%

Open Banking Security

7 source controls mapped|3 target controls covered

15%

Nevada Gaming Control Board Cybersecurity Requirements

7 source controls mapped|4 target controls covered

15%

MTCS (Singapore)

7 source controls mapped|4 target controls covered

15%

Monetary Authority of Singapore Technology Risk Management Guidelines

7 source controls mapped|3 target controls covered

15%

HKMA SPM

7 source controls mapped|2 target controls covered

15%

HKMA Cyber Resilience Assessment Framework (C-RAF)

7 source controls mapped|3 target controls covered

15%

GLBA

7 source controls mapped|3 target controls covered

15%

PCI PIN Security

7 source controls mapped|8 target controls covered

15%

FFIEC IT Examination Handbook

7 source controls mapped|8 target controls covered

15%

SSAE 18 - Attestation Standards (SOC Reporting)

7 source controls mapped|8 target controls covered

15%

PCI SSF

7 source controls mapped|8 target controls covered

15%

PCI P2PE

7 source controls mapped|8 target controls covered

15%

APRA CPS 234

7 source controls mapped|8 target controls covered

15%

IRM Enterprise Risk Management Framework (Institute of Risk Management)

6 source controls mapped|2 target controls covered

13%

ICAO Annex 17 - Aviation Security (AVSEC)

6 source controls mapped|2 target controls covered

13%

German Supply Chain Due Diligence Act (LkSG)

6 source controls mapped|3 target controls covered

13%

Authorised Economic Operator (AEO) Programmes - Global Standards

6 source controls mapped|5 target controls covered

13%

FBI CJIS Security Policy

6 source controls mapped|2 target controls covered

13%

AS9100D:2016 - Quality Management Systems for Aviation, Space, and Defence

6 source controls mapped|5 target controls covered

13%

AS9100D - Aerospace Quality Management System

6 source controls mapped|7 target controls covered

13%

ISO/IEC 27003:2017

6 source controls mapped|7 target controls covered

13%

ISO/IEC 23894:2023

6 source controls mapped|7 target controls covered

13%

ISO 27001:2022

6 source controls mapped|8 target controls covered

13%

NRF Cybersecurity and Data Privacy Framework (National Retail Federation)

6 source controls mapped|3 target controls covered

13%

SASB Standards

5 source controls mapped|2 target controls covered

11%

PIC/S Guide to Good Manufacturing Practice for Medicinal Products

5 source controls mapped|2 target controls covered

11%

ICH Q10 - Pharmaceutical Quality System

5 source controls mapped|2 target controls covered

11%

IAEA Nuclear Security Series - Computer Security at Nuclear Facilities (NSS-17-T Rev 1)

5 source controls mapped|3 target controls covered

11%

ISO/IEC 27010:2015

5 source controls mapped|3 target controls covered

11%

ISO 20400:2017 - Sustainable Procurement

5 source controls mapped|4 target controls covered

11%

ISO 41001:2018 - Facility Management Systems

5 source controls mapped|6 target controls covered

11%

ISO 39001:2012 - Road Traffic Safety Management

5 source controls mapped|6 target controls covered

11%

ISO 50001:2018 - Energy Management Systems

5 source controls mapped|6 target controls covered

11%

ISO 22313:2020 - Guidance on Business Continuity Management Systems

5 source controls mapped|6 target controls covered

11%

ISO 22316

5 source controls mapped|5 target controls covered

11%

ISO 22317

5 source controls mapped|5 target controls covered

11%

ISO 22318

5 source controls mapped|5 target controls covered

11%

ASIS SPC.1-2009 - Organizational Resilience Standard

5 source controls mapped|3 target controls covered

11%

FFIEC Cybersecurity Assessment Tool (CAT)

5 source controls mapped|4 target controls covered

11%

NFPA 1600 - Standard on Continuity, Emergency, and Crisis Management

5 source controls mapped|6 target controls covered

11%

ISO 22320:2018

5 source controls mapped|4 target controls covered

11%

EASA Part-IS - Information Security in Aviation

5 source controls mapped|8 target controls covered

11%

New Zealand Information Security Manual (NZISM)

5 source controls mapped|3 target controls covered

11%

IMO Maritime Cybersecurity Guidelines (MSC-FAL.1/Circ.3/Rev.2)

5 source controls mapped|3 target controls covered

11%

BS 65000:2014 - Guidance on Organizational Resilience

5 source controls mapped|2 target controls covered

11%

UK FCA/PRA Operational Resilience Framework

4 source controls mapped|3 target controls covered

PAS 1192-5:2015 - Security-Minded Approach to BIM and Digital Built Environments

4 source controls mapped|2 target controls covered

OWASP DevSecOps Maturity Model (DSOMM)

4 source controls mapped|3 target controls covered

ISO/IEC 27011:2024

4 source controls mapped|3 target controls covered

ISO/IEC 17025:2017 - General Requirements for Testing and Calibration Laboratories

4 source controls mapped|2 target controls covered

TSA Pipeline Cybersecurity Directives

4 source controls mapped|2 target controls covered

Protective Security Policy Framework (PSPF) Release 2024

4 source controls mapped|1 target controls covered

Oman National Cybersecurity Framework

4 source controls mapped|2 target controls covered

NIST SP 800-146

4 source controls mapped|3 target controls covered

NIST SP 800-145

4 source controls mapped|3 target controls covered

NIST SP 800-144

4 source controls mapped|4 target controls covered

ISMAP (Japan)

4 source controls mapped|3 target controls covered

FTC GLBA Safeguards Rule (16 CFR Part 314)

4 source controls mapped|6 target controls covered

FIRST CSIRT Services Framework and Standards

4 source controls mapped|1 target controls covered

ASD Strategies to Mitigate Cyber Security Incidents

4 source controls mapped|5 target controls covered

Azure Security Benchmark

4 source controls mapped|4 target controls covered

AWS Well-Architected Security Pillar

4 source controls mapped|4 target controls covered

NIST SP 800-190

4 source controls mapped|4 target controls covered

ISO 27017

4 source controls mapped|4 target controls covered

ISO 27018

4 source controls mapped|4 target controls covered

ISO/IEC 27557:2022 - Organisational Privacy Risk Management

4 source controls mapped|7 target controls covered

UK AI Regulation Framework

4 source controls mapped|1 target controls covered

SEC Climate Disclosure Rule

4 source controls mapped|1 target controls covered

Own Risk and Solvency Assessment (ORSA) - NAIC Model Act

4 source controls mapped|2 target controls covered

OECD AI Principles

4 source controls mapped|2 target controls covered

O-RAN WG11 Security Specification

4 source controls mapped|1 target controls covered

NIST SP 800-39

4 source controls mapped|3 target controls covered

NIST SP 800-37

4 source controls mapped|4 target controls covered

NIST SP 800-30

4 source controls mapped|6 target controls covered

Lloyd's of London Cyber Insurance Requirements and Underwriting Standards

4 source controls mapped|2 target controls covered

Japan AI Guidelines

4 source controls mapped|4 target controls covered

IEEE 7000

4 source controls mapped|2 target controls covered

AML/CTF Act 2006 (Australia)

4 source controls mapped|2 target controls covered

APRA SPS 220 Risk Management (Superannuation)

4 source controls mapped|4 target controls covered

ISO 27005

4 source controls mapped|6 target controls covered

ISO 31000

4 source controls mapped|6 target controls covered

ISO/IEC 27031:2011

4 source controls mapped|6 target controls covered

Modern Slavery Act 2018 (Australia)

3 source controls mapped|3 target controls covered

UK Gambling Commission - Cyber Resilience Requirements

3 source controls mapped|1 target controls covered

SA8000:2014 - Social Accountability Standard

3 source controls mapped|2 target controls covered

OECD Guidelines for Multinational Enterprises on Responsible Business Conduct (2023 Update)

3 source controls mapped|1 target controls covered

IATF 16949:2016 - Quality Management System for Automotive Production

3 source controls mapped|3 target controls covered

GLOBALG.A.P. Integrated Farm Assurance (IFA) Standard v6

3 source controls mapped|1 target controls covered

GAMP 5 - Good Automated Manufacturing Practice

3 source controls mapped|2 target controls covered

French Sapin II Law (Law No. 2016-1691)

3 source controls mapped|2 target controls covered

CISA Cross-Sector Cybersecurity Performance Goals (CPG) 2.0

3 source controls mapped|3 target controls covered

NIST SP 800-124 Revision 2 - Guidelines for Managing the Security of Mobile Devices

3 source controls mapped|1 target controls covered

Nigeria Open Banking Regulatory Framework (CBN, 2023)

3 source controls mapped|2 target controls covered

Japan FSA Cybersecurity Guidelines for Financial Institutions

3 source controls mapped|2 target controls covered

India CERT-In Cyber Security Directions 2022

3 source controls mapped|2 target controls covered

IACS Unified Requirements E26/E27 - Cyber Resilience of Ships and On-Board Systems

3 source controls mapped|3 target controls covered

Ghana Cybersecurity Act

3 source controls mapped|4 target controls covered

FISMA

3 source controls mapped|3 target controls covered

NIST SP 800-171A - Assessing Security Requirements for Controlled Unclassified Information (CUI)

3 source controls mapped|5 target controls covered

BSI IT-Grundschutz

3 source controls mapped|7 target controls covered

ISO/IEC 29147:2018

3 source controls mapped|5 target controls covered

SANS Incident Handler's Handbook and PICERL Methodology

3 source controls mapped|6 target controls covered

AICPA Privacy Management Framework (PMF)

3 source controls mapped|3 target controls covered

ISO/IEC 23837 - Security Requirements for Quantum Key Distribution

3 source controls mapped|2 target controls covered

OECD Recommendation on Artificial Intelligence (2024 Update)

3 source controls mapped|1 target controls covered

OCC Heightened Standards (12 CFR Part 30, Appendix D)

3 source controls mapped|2 target controls covered

ICMM Mining Principles (2024 Update)

3 source controls mapped|1 target controls covered

ICH E6(R3) - Good Clinical Practice

3 source controls mapped|1 target controls covered

GLI-33 - Gaming Laboratories International Event Wagering Systems

3 source controls mapped|1 target controls covered

IEC 60601-1 - Medical Electrical Equipment Safety

3 source controls mapped|3 target controls covered

Aged Care Quality Standards (Australia)

3 source controls mapped|1 target controls covered

ISO/IEC 38500:2024 - Governance of IT

3 source controls mapped|1 target controls covered

IAIS Insurance Core Principles (ICPs)

3 source controls mapped|2 target controls covered

ISO 37000:2021 - Governance of Organizations

3 source controls mapped|2 target controls covered

IEC 62304:2015 Medical Device Software Lifecycle Processes

3 source controls mapped|3 target controls covered

TISAX - Trusted Information Security Assessment Exchange

2 source controls mapped|1 target controls covered

OWASP Top 10 for LLM Applications 2025

2 source controls mapped|1 target controls covered

GS1 Global Standards - Supply Chain Traceability and Data Security

2 source controls mapped|2 target controls covered

FDA Quality Management System Regulation (QMSR)

2 source controls mapped|1 target controls covered

21 CFR Part 211 - Current Good Manufacturing Practice

2 source controls mapped|1 target controls covered

BRCGS Global Standard for Food Safety Issue 9

2 source controls mapped|1 target controls covered

Automotive SPICE (ASPICE) v4.0 - Process Assessment Model

2 source controls mapped|1 target controls covered

ISO/IEC 27006:2024

2 source controls mapped|1 target controls covered

BREEAM - Building Research Establishment Environmental Assessment Method

2 source controls mapped|1 target controls covered

ISO 26000:2010

2 source controls mapped|1 target controls covered

Space ISAC (Information Sharing and Analysis Center) - Threat Framework

2 source controls mapped|1 target controls covered

Virginia CDPA

2 source controls mapped|1 target controls covered

Vietnam PDPD

2 source controls mapped|2 target controls covered

Uruguay DPL

2 source controls mapped|2 target controls covered

UK GDPR (UK General Data Protection Regulation)

2 source controls mapped|1 target controls covered

Turkey KVKK

2 source controls mapped|2 target controls covered

Texas Data Privacy Act

2 source controls mapped|2 target controls covered

Taiwan PDPA

2 source controls mapped|1 target controls covered

Qatar DPL

2 source controls mapped|3 target controls covered

Privacy Act 2020

2 source controls mapped|2 target controls covered

POPIA

2 source controls mapped|2 target controls covered

Personal Data Act (personopplysningsloven)

2 source controls mapped|2 target controls covered

PDPA Thailand

2 source controls mapped|2 target controls covered

PDPA Singapore

2 source controls mapped|2 target controls covered

Oregon Consumer Privacy Act

2 source controls mapped|2 target controls covered

NIST SP 800-122

2 source controls mapped|2 target controls covered

Nigeria Data Protection Regulation (NDPR)

2 source controls mapped|1 target controls covered

Nigeria Data Protection Act 2023 (NDPA)

2 source controls mapped|5 target controls covered

Nebraska Data Privacy Act

2 source controls mapped|5 target controls covered

New Jersey Data Privacy Act

2 source controls mapped|3 target controls covered

New Hampshire Data Privacy Act

2 source controls mapped|2 target controls covered

Montana Consumer Data Privacy Act

2 source controls mapped|2 target controls covered

Minnesota Consumer Data Privacy Act

2 source controls mapped|2 target controls covered

Mexico LFPDPPP

2 source controls mapped|2 target controls covered

Mauritius DPA

2 source controls mapped|2 target controls covered

Maryland Online Data Privacy Act of 2024

2 source controls mapped|3 target controls covered

Malaysia PDPA 2010

2 source controls mapped|3 target controls covered

Liechtenstein DPA

2 source controls mapped|2 target controls covered

LGPD

2 source controls mapped|2 target controls covered

Ley Orgánica de Protección de Datos Personales (LOPDP)

2 source controls mapped|2 target controls covered

Law No. 172-13 on the Protection of Personal Data

2 source controls mapped|2 target controls covered

South Korea PIPA

2 source controls mapped|2 target controls covered

Kentucky Consumer Data Protection Act

2 source controls mapped|3 target controls covered

Jamaica Data Protection Act 2020

2 source controls mapped|3 target controls covered

Iowa Consumer Data Protection Act

2 source controls mapped|3 target controls covered

Indonesia PDP Law

2 source controls mapped|3 target controls covered

Indiana Consumer Data Protection Act

2 source controls mapped|2 target controls covered

India DPDP Act

2 source controls mapped|2 target controls covered

Iceland Data Protection and Processing of Personal Data Act (Act No. 90/2018)

2 source controls mapped|1 target controls covered

Family Educational Rights and Privacy Act (FERPA)

2 source controls mapped|1 target controls covered

Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (UAE PDPL)

2 source controls mapped|2 target controls covered

APPI

2 source controls mapped|3 target controls covered

Bahrain PDPL

2 source controls mapped|3 target controls covered

Barbados Data Protection Act 2019

2 source controls mapped|1 target controls covered

ISO/IEC 30111:2019

2 source controls mapped|4 target controls covered

SOC 2

2 source controls mapped|4 target controls covered

Florida Digital Bill of Rights (FDBR)

2 source controls mapped|2 target controls covered

NAIC Insurance Data Security Model Law (MDL-668)

2 source controls mapped|3 target controls covered

ISO/IEC 29134:2023

2 source controls mapped|4 target controls covered

SLSA

2 source controls mapped|1 target controls covered

SIG (Shared Assessments)

2 source controls mapped|1 target controls covered

PTES

2 source controls mapped|2 target controls covered

OWASP SAMM

2 source controls mapped|2 target controls covered

OWASP MASVS

2 source controls mapped|2 target controls covered

OpenSSF Scorecard

2 source controls mapped|2 target controls covered

NIST SP 800-92

2 source controls mapped|2 target controls covered

NIST SP 800-88

2 source controls mapped|2 target controls covered

NIST SP 800-63-4

2 source controls mapped|2 target controls covered

NIST SP 800-61

2 source controls mapped|1 target controls covered

NIST SP 800-137

2 source controls mapped|2 target controls covered

NIST SP 800-123

2 source controls mapped|1 target controls covered

NIST SP 800-115 (Technical Guide to Information Security Testing and Assessment)

2 source controls mapped|2 target controls covered

MITRE D3FEND

2 source controls mapped|2 target controls covered

MITRE ATT&CK

2 source controls mapped|1 target controls covered

ISO/SAE 21434

2 source controls mapped|2 target controls covered

ISO 27043

2 source controls mapped|2 target controls covered

ISO 56002

2 source controls mapped|3 target controls covered

ISO 37002:2021 - Whistleblowing Management Systems

2 source controls mapped|3 target controls covered

US EPA Safe Drinking Water Act (SDWA) - Cybersecurity Requirements

1 source controls mapped|1 target controls covered

Voluntary Principles on Security and Human Rights (VPs)

1 source controls mapped|1 target controls covered

US Maritime Transportation Security Act (MTSA) and USCG Cybersecurity Requirements

1 source controls mapped|1 target controls covered

Trinidad and Tobago Data Protection Act 2011

1 source controls mapped|1 target controls covered

Tanzania Personal Data Protection Act (Draft)

1 source controls mapped|1 target controls covered

Singapore Cybersecurity Act 2018

1 source controls mapped|1 target controls covered

Peru DPL

1 source controls mapped|2 target controls covered

Papua New Guinea National Cybersecurity Policy & Cybercrime Act (2016)

1 source controls mapped|1 target controls covered

Pakistan Personal Data Protection Bill 2023

1 source controls mapped|1 target controls covered

Laos Law on Prevention and Combating Cybercrime (2015)

1 source controls mapped|1 target controls covered

HITECH Act

1 source controls mapped|1 target controls covered

ISO/IEC 27400:2022

1 source controls mapped|1 target controls covered

Canada ITSG-33 - IT Security Risk Management

1 source controls mapped|1 target controls covered

COSO Internal Control - Integrated Framework (2013)

1 source controls mapped|1 target controls covered

NIST SP 800-171

1 source controls mapped|1 target controls covered

ISO 20000-1

1 source controls mapped|1 target controls covered

ITIL 4

1 source controls mapped|1 target controls covered

Bank Secrecy Act / Anti-Money Laundering (BSA/AML)

1 source controls mapped|4 target controls covered

IFRS 17 - Insurance Contracts

1 source controls mapped|1 target controls covered

GHG Protocol

1 source controls mapped|1 target controls covered

UNICEF Policy Guidance on AI for Children (2021)

1 source controls mapped|1 target controls covered

UNESCO Recommendation on the Ethics of AI

1 source controls mapped|1 target controls covered

NIST SP 800-66

1 source controls mapped|1 target controls covered

MDS2 (Medical Device)

1 source controls mapped|1 target controls covered

MARS-E

1 source controls mapped|1 target controls covered

FSSC 22000 - Food Safety System Certification

1 source controls mapped|1 target controls covered

FDA 21 CFR Part 11

1 source controls mapped|1 target controls covered

FATF Recommendation 16 - Virtual Asset Travel Rule

1 source controls mapped|1 target controls covered

AWWA Cybersecurity Guidance for the Water Sector (American Water Works Association)

1 source controls mapped|1 target controls covered

ISO/IEC 27014:2020

1 source controls mapped|2 target controls covered

ISO 13485

1 source controls mapped|1 target controls covered

ISO 45001

1 source controls mapped|1 target controls covered

ISO 27799

1 source controls mapped|1 target controls covered

FedRAMP High

1 source controls mapped|2 target controls covered

NIST SP 800-53 Revision 5.1 HIGH

1 source controls mapped|2 target controls covered

FedRAMP Moderate

1 source controls mapped|2 target controls covered

NIST SP 800-53 Rev 5 MODERATE

1 source controls mapped|2 target controls covered

NIST SP 800-53 Rev 5 LOW

1 source controls mapped|2 target controls covered

GDPR

1 source controls mapped|1 target controls covered

ISO 22000

1 source controls mapped|1 target controls covered

ISO 26262:2018 - Functional Safety for Road Vehicles

1 source controls mapped|1 target controls covered

UN Guiding Principles on Business and Human Rights (UNGPs)

1 source controls mapped|1 target controls covered

Secure by Design: A Guide for Manufacturers (CISA)

1 source controls mapped|2 target controls covered

NABERS - National Australian Built Environment Rating System

1 source controls mapped|1 target controls covered

DAMA-DMBOK2 - Data Management Body of Knowledge (2nd Edition)

1 source controls mapped|1 target controls covered

Compare APRA CPS 230 Operational Risk Management with NIST SP 800-53 Rev 5

Frequently Asked Questions

What is APRA CPS 230 Operational Risk Management?

APRA CPS 230 Operational Risk Management is a compliance framework from Australia with 13 domains and 57 controls. Australian Prudential Regulation Authority Prudential Standard CPS 230 sets out requirements for APRA-regulated entities to effectively manage operational risks, maintain business continuity, and manage risks from service provider arrangements. Effective 1 July 2025. It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.

How many controls does APRA CPS 230 Operational Risk Management have?

APRA CPS 230 Operational Risk Management has 57 controls organised across 13 domains. The largest domains are Service Provider Management (12 controls), Business Continuity (11 controls), Operational Risk Management Framework (10 controls). Each control defines specific requirements that organisations must implement to achieve compliance.

What frameworks does APRA CPS 230 Operational Risk Management map to?

APRA CPS 230 Operational Risk Management maps to 258 other compliance frameworks. The top mapping partners are NIST SP 800-53 Rev 5 (55% coverage), FedRAMP Rev 5 (19% coverage), Annex 11 to EU GMP - Computerised Systems (19% coverage). Use our comparison tool to explore control-level mappings between frameworks.

How do I get started with APRA CPS 230 Operational Risk Management compliance?

Start your APRA CPS 230 Operational Risk Management compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about APRA CPS 230 Operational Risk Management requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 57 controls and track your progress.

Start Your Compliance Journey

Create a free account to run self-assessments, get AI advisory, and track your compliance progress across 700 frameworks.

Get Started Free →

Free forever — no credit card required