APRA CPS 230

Operational Risk Management

Framework

APRA CPS 230

Authority

APRA (Australian Prudential Regulation Authority)

Mapped Controls

About APRA CPS 230

Australian Prudential Regulation Authority - Prudential Standard CPS 230

SCF Control Crosswalk Mapping

Showing 73 SCF controls mapped to APRA CPS 230

SCF Control	Control Name	Domain	APRA CPS 230 Requirement	Weight
`GOV-01.1`	Steering Committee & Program Oversight	Cybersecurity & Data Protection Governance	N/A	7
`GOV-01.2`	Status Reporting To Governing Body	Cybersecurity & Data Protection Governance	N/A	5
`GOV-04`	Assigned Cybersecurity & Data Protection Responsibilities	Cybersecurity & Data Protection Governance	N/A	10
`GOV-04.1`	Stakeholder Accountability Structure	Cybersecurity & Data Protection Governance	N/A	8
`GOV-04.2`	Authoritative Chain of Command	Cybersecurity & Data Protection Governance	N/A	7
`GOV-06`	Contacts With Authorities	Cybersecurity & Data Protection Governance	N/A	5
`GOV-14`	Business As Usual (BAU) Secure Practices	Cybersecurity & Data Protection Governance	N/A	6
`GOV-15`	Operationalizing Cybersecurity & Data Protection Practices	Cybersecurity & Data Protection Governance	N/A	9
`GOV-15.1`	Select Controls	Cybersecurity & Data Protection Governance	N/A	8
`GOV-15.5`	Monitor Controls	Cybersecurity & Data Protection Governance	N/A	8
`BCD-01`	Business Continuity Management System (BCMS)	Business Continuity & Disaster Recovery	N/A	10
`BCD-01.4`	Recovery Time / Point Objectives (RTO / RPO)	Business Continuity & Disaster Recovery	N/A	5
`BCD-02`	Identify Critical Assets	Business Continuity & Disaster Recovery	N/A	9
`BCD-02.1`	Resume All Missions & Business Functions	Business Continuity & Disaster Recovery	N/A	8
`BCD-02.2`	Continue Essential Mission & Business Functions	Business Continuity & Disaster Recovery	N/A	8
`BCD-02.3`	Resume Essential Missions & Business Functions	Business Continuity & Disaster Recovery	N/A	8
`BCD-04`	Contingency Plan Testing & Exercises	Business Continuity & Disaster Recovery	N/A	6
`CHG-02`	Configuration Change Control	Change Management	N/A	8
`CHG-02.4`	Automated Security Response	Change Management	N/A	5
`CHG-04`	Access Restriction For Change	Change Management	N/A	8
`CHG-04.1`	Automated Access Enforcement / Auditing	Change Management	N/A	3
`CHG-04.2`	Signed Components	Change Management	N/A	3
`CHG-04.3`	Dual Authorization for Change	Change Management	N/A	6
`CHG-04.4`	Permissions To Implement Changes	Change Management	N/A	6
`CHG-04.5`	Library Privileges	Change Management	N/A	8
`CHG-05`	Stakeholder Notification of Changes	Change Management	N/A	9
`CHG-06.1`	Report Verification Results	Change Management	N/A	5
`CHG-07`	Emergency Changes	Change Management	N/A	9
`CHG-07.1`	Documenting Emergency Changes	Change Management	N/A	7
`CPL-01`	Statutory, Regulatory & Contractual Compliance	Compliance	N/A	10
`CPL-01.1`	Non-Compliance Oversight	Compliance	N/A	9
`CPL-02`	Cybersecurity & Data Protection Controls Oversight	Compliance	N/A	10
`CPL-02.1`	Internal Audit Function	Compliance	N/A	5
`CFG-01.1`	Assignment of Responsibility	Configuration Management	N/A	5
`CFG-02.3`	Retention Of Previous Configurations	Configuration Management	N/A	3
`CFG-02.5`	Configure Technology Assets, Applications and/or Services (TAAS) for High-Risk Areas	Configuration Management	N/A	8
`CFG-02.7`	Approved Configuration Deviations	Configuration Management	N/A	9
`CFG-02.8`	Respond To Unauthorized Changes	Configuration Management	N/A	9
`CFG-02.9`	Baseline Tailoring	Configuration Management	N/A	9
`CFG-03`	Least Functionality	Configuration Management	N/A	10
`CFG-03.1`	Periodic Review	Configuration Management	N/A	8
`CFG-03.2`	Prevent Unauthorized Software Execution	Configuration Management	N/A	7
`CFG-03.4`	Split Tunneling	Configuration Management	N/A	8
`CFG-04`	Software Usage Restrictions	Configuration Management	N/A	9
`CFG-04.2`	Unsupported Internet Browsers & Email Clients	Configuration Management	N/A	7
`CFG-05`	User-Installed Software	Configuration Management	N/A	10
`CFG-05.1`	Unauthorized Installation Alerts	Configuration Management	N/A	8
`CFG-05.2`	Restrict Roles Permitted To Install Software	Configuration Management	N/A	9
`CFG-06`	Configuration Enforcement	Configuration Management	N/A	7
`CFG-06.1`	Integrity Assurance & Enforcement (IAE)	Configuration Management	N/A	3
`CFG-07`	Zero-Touch Provisioning (ZTP)	Configuration Management	N/A	8
`CFG-08`	Sensitive / Regulated Data Access Enforcement	Configuration Management	N/A	7
`CFG-08.1`	Sensitive / Regulated Data Actions	Configuration Management	N/A	7
`IRO-01`	Incident Response Operations	Incident Response	N/A	9
`IRO-02`	Incident Handling	Incident Response	N/A	10
`IRO-10`	Incident Stakeholder Reporting	Incident Response	N/A	9
`PRM-01`	Cybersecurity & Data Protection Portfolio Management	Project & Resource Management	N/A	8
`PRM-02`	Cybersecurity & Data Protection Resource Management	Project & Resource Management	N/A	8
`PRM-03`	Allocation of Resources	Project & Resource Management	N/A	8
`RSK-01`	Risk Management Program	Risk Management	N/A	10
`RSK-01.3`	Risk Tolerance	Risk Management	N/A	9
`RSK-01.4`	Risk Threshold	Risk Management	N/A	9
`RSK-01.5`	Risk Appetite	Risk Management	N/A	9
`RSK-04`	Risk Assessment	Risk Management	N/A	10
`RSK-06`	Risk Remediation	Risk Management	N/A	10
`TPM-01`	Third-Party Management	Third-Party Management	N/A	10
`TPM-01.1`	Third-Party Inventories	Third-Party Management	N/A	8
`TPM-02`	Third-Party Criticality Assessments	Third-Party Management	N/A	9
`TPM-03.2`	Limit Potential Harm	Third-Party Management	N/A	9
`TPM-04.1`	Third-Party Risk Assessments & Approvals	Third-Party Management	N/A	9
`TPM-05`	Third-Party Contract Requirements	Third-Party Management	N/A	10
`TPM-05.7`	Break Clauses	Third-Party Management	N/A	9
`TPM-08`	Review of Third-Party Services	Third-Party Management	N/A	9