Zettagrid's Guide to Compliance with APRA's CPS 230 and CPS 234 Standards

Notices

Customers are responsible for making their own independent assessment of the information in this document. This document: (a) is for informational purposes only, (b) represents current Zettagrid product offerings and practices, which are subject to change without notice, and (c) does not create any commitments or assurances from Zettagrid Pty Ltd or its affiliates.

Zettagrid products and services are provided under the terms of the applicable Zettagrid customer agreement. The responsibilities and liabilities of Zettagrid to its customers are controlled by Zettagrid customer agreements, and this document is not part of, nor does it modify, any agreement between Zettagrid and its customers.

Overview

Background

APRA is the primary financial regulator in Australia. APRA oversees banks, credit unions, building societies, general insurance and reinsurance companies, life insurance, private health insurance, friendly societies, and most members of the superannuation industry (APRA regulated institutions or ARIs).

Introduction of CPS 230

On July 17, 2023, APRA published Prudential Standard CPS 230 Operational Risk Management, aimed at ensuring ARIs effectively manage their operational risks, maintain critical operations through disruptions, and manage the risks arising from service providers. CPS 230 came into effect on 1 July 2025 and replaces five existing standards, including CPS 231 Outsourcing and CPS 232 Business Continuity. ARIs with pre-existing service provider agreements have until 1 July 2026 to update those agreements in accordance with CPS 230.

CPS 234 Information Security has been in force since 1 July 2019 and requires ARIs to maintain information security capabilities commensurate with information security vulnerabilities and threats, including those relating to information assets managed by third parties.

About This Guide

This document provides information to assist APRA-regulated institutions that use Zettagrid infrastructure services as they assess their compliance obligations under CPS 230 and CPS 234.

ARIs can use this information for their due diligence and implementation of an appropriate information security, risk management, and governance program for their use of Zettagrid services.

This guide references Zettagrid’s Terms and Conditions, available at https://www.zettagrid.com/terms

Zettagrid Services and the Shared Responsibility Model

Zettagrid and the financial services industry share a common interest in maintaining operational resilience. Continuity of services, especially for critical functions, is a key prerequisite for financial stability. Zettagrid recognises that financial institutions that use Zettagrid services need to comply with sector-specific regulatory obligations and internal requirements regarding operational resilience, such as CPS 230.

Shared Responsibility Model

Zettagrid’s Standard Form of Agreement (SFOA) expressly incorporates a Shared Responsibility Model for cybersecurity (clause 3.5). The SFOA recognises that cybersecurity is a shared responsibility between Zettagrid and the customer, and sets out the respective obligations of each party:

Responsibility Area

Description

Zettagrid Responsibility (SFOA cl 3.5.3)

Zettagrid is responsible for the security of the infrastructure underlying the services, including physical data centre security, network infrastructure, hypervisor and storage platforms. Zettagrid implements and maintains appropriate technical and organisational measures to protect its infrastructure.

Customer Responsibility (SFOA cl 3.5.2)

The customer is responsible for security within their own environment, including access management, data classification, application security, endpoint management, business continuity planning, and ensuring that their use of services complies with applicable laws and regulations. The customer retains ownership of all customer data at all times (SFOA cl 4.2).

This contractual shared responsibility model is fundamental to understanding the respective roles of Zettagrid and its customers. CPS 230 and CPS 234 place obligations on the ARI (the regulated entity), not directly on the service provider. The ARI must satisfy itself that its service provider arrangements meet APRA’s expectations through its own due diligence and risk assessment.

Zettagrid Security and Compliance Posture

Zettagrid maintains a comprehensive security and compliance program designed to protect the confidentiality, integrity, and availability of customer systems and data. Key elements include:

Infrastructure Security

  • Australian-based data centres with physical security controls including biometric access, 24/7 CCTV monitoring, and security personnel

  • Data sovereignty: all customer data is stored and processed within Australia (SFOA cl 4.6)

  • Redundant network infrastructure with multiple upstream providers for internet services

  • Enterprise-grade storage and compute platforms with built-in redundancy

  • Network segmentation and firewall controls between customer environments

Certifications and Attestations

Zettagrid maintains the following certifications and attestations relevant to APRA-regulated customers:

  • ISO/IEC 27001 certified Information Security Management System (ISMS)

  • Regular independent penetration testing

  • Annual security assessments

Zettagrid’s ISO 27001 certification demonstrates that Zettagrid has implemented a systematic approach to managing sensitive information, including people, processes, and IT systems. This internationally recognised standard provides assurance to APRA-regulated customers that Zettagrid’s information security controls meet rigorous, independently audited benchmarks.

Customers may request copies of relevant certifications and audit reports through their Zettagrid account manager.

Incident Management

  • Formal incident response policy and procedures

  • 24/7 monitoring and alerting for infrastructure and service health

  • Defined escalation procedures and communication processes

  • Post-incident review and continuous improvement

Zettagrid’s SFOA includes specific Cyber Security Incident provisions (clause 4.13). In the event of a Cyber Security Incident affecting customer data, Zettagrid will:

  • Notify the affected customer within 8 Business Hours of becoming aware of the incident (SFOA cl 4.13.2)

  • Comply with the Notifiable Data Breaches (NDB) scheme under the Privacy Act 1988 (SFOA cl 4.13.4)

  • Provide access to relevant information for regulatory authorities investigating a specific security incident affecting the customer (SFOA cl 4.13.6)

These contractual commitments directly support an ARI’s ability to meet its APRA notification obligations under CPS 234, which requires notification to APRA within 72 hours of a material information security incident.

CPS 230 - Operational Risk Management

CPS 230 requires ARIs to effectively manage their operational risks, maintain critical operations during disruptions, and manage the risks associated with service providers. The following table maps the key CPS 230 requirements to how Zettagrid’s existing services and practices address them:

CPS 230 Requirement

Zettagrid Position

Service provider agreements (cl 54(b))

Zettagrid’s SFOA General Terms and Conditions (available at https://www.zettagrid.com/terms/), together with the relevant Service Description, form the service agreement. These terms address service levels (SFOA cl 3.14, with availability targets and service level rebates), liability, confidentiality, data ownership (cl 4.2), data sovereignty (cl 4.6, data stored in Australia), cybersecurity shared responsibility (cl 3.5), and cyber security incident notification (cl 4.13). ARIs should review these terms as part of their CPS 230 due diligence.

Auditor access (cl 54(b))

Zettagrid will cooperate with reasonable requests for information from an ARI’s auditors. Zettagrid provides ISO 27001 certification, audit reports, and security documentation that ARIs and their auditors can use for assurance purposes. Zettagrid’s SFOA also provides for regulatory authority access in relation to specific security incidents (cl 4.13.6). Site inspections may be arranged through the account management process.

Subcontracting (cl 54(d) & (e))

Zettagrid’s service delivery relies on established infrastructure partners (data centres, upstream network providers). Details of material subcontractors relevant to an ARI’s services are available on request.

Force majeure (cl 54(f))

Zettagrid’s SFOA addresses force majeure events. Zettagrid maintains business continuity plans and redundant infrastructure to minimise the impact of disruptions.

Termination (cl 54(g))

Zettagrid’s SFOA includes provisions for termination by either party. Zettagrid will cooperate with reasonable transition requirements to support an orderly transition of services.

APRA access (cl 54(c), 55, 57)

Zettagrid’s SFOA already provides for regulatory authority access in the context of specific Cyber Security Incidents (cl 4.13.6). Zettagrid will cooperate with reasonable requests for information from APRA, provided through the ARI, subject to appropriate verification of identity and scope. Zettagrid also provides ISO 27001 certification and compliance documentation that ARIs can share with APRA as evidence of their due diligence.

Important: CPS 230 places the obligation on the ARI to manage service provider risks. It does not require service providers to sign specific forms of agreement. ARIs are responsible for conducting their own risk assessment of Zettagrid’s services and satisfying themselves that the arrangement meets APRA’s expectations.

CPS 234 - Information Security

CPS 234 requires ARIs to maintain information security capabilities commensurate with information security vulnerabilities and threats, including for information assets managed by third parties. The following outlines how Zettagrid’s practices align with the key areas of CPS 234:

Information Security Capability

Zettagrid maintains an information security capability commensurate with the size and extent of threats to its information assets. This includes dedicated security personnel, security tooling, and regular training. Zettagrid’s compliance programs and certifications provide assurance of the policies, processes, and controls in place.

Zettagrid considers the development and maintenance of an ARI’s own information security capability as the ARI’s responsibility. Zettagrid provides the tools, documentation, and transparency to support ARIs in meeting these requirements.

Information Security Policy Framework

Zettagrid maintains formal, documented policies and procedures that provide guidance for operations and information security. These policies address purpose, scope, roles, responsibilities, and management commitment.

Zettagrid considers the development and maintenance of an ARI’s information security policy framework as the ARI’s responsibility. Zettagrid’s documentation and certifications can inform the ARI’s policy framework as it relates to Zettagrid services.

Information Asset Classification

Zettagrid classifies and manages its own information assets by criticality and sensitivity. Zettagrid services are content-agnostic — Zettagrid provides the same high level of infrastructure security regardless of the type of content being stored or transmitted.

Zettagrid considers the identification and classification of an ARI’s own information assets as the ARI’s responsibility. The ARI retains complete control over how it classifies its content, where that content is stored, and how it is protected.

Implementation of Controls

Zettagrid has established an information security management program with designated roles and responsibilities. The program encompasses risk discovery, research, evaluation, resolution, and monitoring phases. Zettagrid’s controls are validated through independent certifications and audits.

The implementation of controls to protect information assets is a shared responsibility between Zettagrid and ARIs. Zettagrid’s compliance reports are available to customers to support their control evaluation and verification procedures.

Incident Management

Zettagrid has implemented a formal, documented incident response policy and program. This includes mechanisms for detection, escalation, containment, eradication, recovery, and post-incident review. Zettagrid tests its incident response plans regularly.

Critically, Zettagrid’s SFOA includes specific Cyber Security Incident provisions (clause 4.13) that directly support an ARI’s CPS 234 obligations. Zettagrid will notify affected customers within 8 Business Hours of becoming aware of a Cyber Security Incident (cl 4.13.2), comply with the NDB scheme under the Privacy Act 1988 (cl 4.13.4), and provide access to relevant information for regulatory authorities investigating a specific incident (cl 4.13.6).

Zettagrid considers the ARI’s notification to APRA as the ARI’s responsibility. Zettagrid’s 8 Business Hour notification commitment provides ARIs with sufficient time to assess and notify APRA within the 72-hour window required by CPS 234.

Testing Control Effectiveness

Zettagrid has established a formal audit program that includes regular internal and external assessments to validate the implementation and operating effectiveness of its security controls. This includes independent penetration testing and security assessments.

Zettagrid considers the testing of information security controls as a shared responsibility. Zettagrid’s compliance reports and certifications provide evidence of control effectiveness for Zettagrid’s portion of shared responsibilities.

Internal Audit

Zettagrid’s compliance reports are made available to customers to enable them to evaluate Zettagrid’s controls. These reports can be used by an ARI’s internal audit function to assess the information security control assurance provided by Zettagrid as a third party.

APRA Notification

CPS 234 requires ARIs to notify APRA as soon as possible (within 72 hours) after becoming aware of a material information security incident. Zettagrid’s contractual commitment to notify affected customers within 8 Business Hours of becoming aware of a Cyber Security Incident (SFOA cl 4.13.2) ensures ARIs receive timely information to meet this obligation. Zettagrid also complies with the Notifiable Data Breaches scheme (SFOA cl 4.13.4) and provides regulatory authority access in relation to specific incidents (SFOA cl 4.13.6).

Zettagrid considers the ARI’s notification to APRA as the ARI’s responsibility. Zettagrid provides customers with the information needed to meet their APRA notification obligations.

How Zettagrid Helps Customers Meet Their APRA Obligations

Zettagrid provides the following resources to support ARIs in meeting their CPS 230 and CPS 234 obligations:

Resource

Description

Standard Terms & Conditions

Zettagrid’s SFOA General Terms and Conditions, publicly available at https://www.zettagrid.com/terms/, address the key elements required by CPS 230 including service levels (cl 3.14), liability, termination, confidentiality, data ownership (cl 4.2), data sovereignty (cl 4.6), cybersecurity shared responsibility (cl 3.5), and cyber security incident management (cl 4.13). ARIs should review these terms as part of their CPS 230 due diligence.

Service Level Agreements

Defined availability SLA targets with tiered service level rebates.

Security Documentation

Information about Zettagrid’s security controls, practices, and infrastructure available on request.

Compliance Certifications

ISO/IEC 27001 certification and relevant audit reports available through your account manager.

Incident Notification

Contractual commitment to notify affected customers within 8 Business Hours of a Cyber Security Incident (SFOA cl 4.13.2), NDB scheme compliance (cl 4.13.4), and regulatory authority access for specific incidents (cl 4.13.6).

Account Management

Dedicated account management to assist with due diligence queries, audit requests, and compliance-related questions.

Next Steps

Each organisation’s compliance journey is unique. To successfully complete your assessment, you should understand your current state, the target state, and the transition required to achieve compliance.

For ARIs using Zettagrid services, recommended next steps include:

  • Contact your Zettagrid account manager to discuss your specific CPS 230 and CPS 234 compliance requirements

  • Request copies of relevant Zettagrid security certifications and audit reports

  • Review Zettagrid’s standard terms and conditions against your CPS 230 checklist

  • Conduct your own risk assessment of Zettagrid services as part of your service provider management framework

  • Document how Zettagrid’s controls, combined with your own controls, meet CPS 234 requirements under the shared responsibility model

For further information or assistance, please contact your Zettagrid account manager or email support@zettagrid.com.