For APRA-Regulated Entities

APRA CPS 230 on AWS, Operational Resilience for Australian FinTech

Build a CPS 230-ready AWS workload with documented critical operations tolerances, material service provider register, and tested business continuity plans. ISO 27001:2022 and AWS Advanced Tier Services Partner-certified delivery, ahead of the 1 July 2026 contract compliance deadline.

Book Free CPS 230 Review →Download CPS 230 + AWS Mapping

APRA Prudential Standard1 July 2026

The deadline isn't moving. Your contracts must.

1 Jul

2026 Deadline

100%

Material Providers

Annual

Board Attestation

BCP

Tested Tolerances

By 1 July 2026, every existing material service provider contract must comply with CPS 230, or be renewed compliant.— APRA Prudential Standard CPS 230

In force since

1 Jul 2025

The Problem We Solve

You're an APRA-regulated entity. CPS 230 changes how you operate on AWS.

01, MATERIAL SERVICE PROVIDER REGISTER

Our material service provider register isn't ready and existing AWS contracts may not meet CPS 230 by 1 July 2026.

Paragraph 51 requires submission of the MSP register to APRA. Existing contracts must comply by the earlier of next renewal or 1 July 2026.

02, CRITICAL OPERATIONS TOLERANCES

We can't define our critical operations tolerances because our AWS architecture isn't documented at that level.

CPS 230 requires identification of critical operations and disruption tolerance levels, measured in time, data loss, and financial impact, with stress-tested evidence.

03, BUSINESS CONTINUITY TESTING

Our business continuity testing for severe disruption scenarios feels theoretical, we haven't actually tested.

BCPs must be credible and tested. APRA expects evidence of actual disruption testing, not desktop walkthroughs. Most teams lack the AWS chaos engineering practice to do this properly.

What You'll Get

From scope-uncertainty to APRA-attestation-ready, in three streams.

Stream A · Assessment

Scope of Work

CPS 230 gap assessment against operational risk requirements
Critical operations identification and tolerance mapping
Material service provider register design (APRA template-aligned)
Business continuity plan review and gap analysis
AWS Well-Architected review with CPS 230 overlay

Stream B · Deliverables

Deliverables

Gap assessment report (audit-ready, board-suitable)
AWS reference architecture (multi-region Sydney + Melbourne)
Material Service Provider Register (paragraph 51 template)
Critical operations tolerances matrix with stress-test scenarios
BCP runbook with tested chaos engineering exercises
Annual board attestation evidence package

Stream C · Timeline

Timeline

Assessment: 3 weeks (fixed-fee, no-changes audit)
Implementation: 8-14 weeks (scope-dependent)
Founder + AWS-certified engineer on every engagement
Optional ongoing managed service after handover
Annual CPS 230 refresh available
Pre-July-2026 priority track for tight deadlines

Mini Case Study

How an Australian super fund administrator achieved CPS 230 readiness in 90 days

An Australian super fund administrator with $40B+ AUM had built their AWS workload over 3 years without formal documentation of critical operations or material service provider relationships. With the 1 July 2026 deadline approaching, the board demanded evidence within one quarter.

We ran a 3-week assessment mapping their existing AWS architecture to CPS 230 requirements, identified 8 critical operations needing tolerance definition, and built the MSP register against APRA's paragraph 51 template. The implementation phase brought in Resilience Hub for tolerance testing, FIS for chaos engineering exercises, and a multi-region failover pattern between ap-southeast-2 (Sydney) and ap-southeast-4 (Melbourne).

Within 90 days, the team passed their first internal audit against CPS 230 with zero critical findings, and had run two successful chaos engineering exercises proving their critical operations remained within tolerance during simulated AWS region degradation.

We thought CPS 230 would consume two engineering quarters. HAZERCLOUD compressed it into 90 days without slowing our product team, and the chaos exercises were the most valuable thing we've done this year.— CTO · Australian Super Fund Administrator (anonymized)

Outcomes

Critical operations mapped8/8

Engagement duration12 wks

Tolerance test pass rate100%

Multi-region uptime99.95%

MSP register statusAPRA-ready

Read the full case study

Engagement Options

Transparent. Fixed-fee. Pre-deadline priority track available.

Two engagement modes. Most clients start with the Assessment to baseline their position. Tight pre-July-2026 deadlines can be accommodated with a priority track.

Stage 01

CPS 230 Readiness Assessment

CPS 230 gap assessment across operational risk requirements
AWS reference architecture (SVG + commentary)
Critical operations tolerance mapping
Material service provider register draft
Executive briefing for board / audit committee
1 follow-up call within 30 days

Start with assessment →

Stage 02

CPS 230 Implementation

Full implementation of remediation roadmap
Resilience Hub + Audit Manager configuration
Multi-region failover with tested chaos exercises
MSP register submission package
BCP runbook with stress-test evidence
Annual board attestation framework
Optional: ongoing managed service post-handover

Book scoping call →

FAQ

Questions APRA-regulated entities ask us first.

Don't see your question? Book a 30-minute call and we'll answer it directly.

Book Free CPS 230 Review →

What's the difference between CPS 230 and CPS 234?+

CPS 234 (Information Security) requires you to maintain security capability commensurate with the information assets at risk. CPS 230 (Operational Risk Management) requires you to remain resilient to operational disruptions including those affecting your security. They overlap but don't substitute. Our engagements cover both, mapping AWS controls to each standard.

Is AWS itself CPS 230 compliant?+

AWS is a material service provider you depend on, APRA's CPS 230 makes you accountable for the operational risk of that dependency. AWS publishes a CPS 230 alignment document via AWS Artifact, which you'll cite in your MSP register. But "AWS being aligned" doesn't make your workload CPS 230-compliant, that's your responsibility under the Shared Responsibility Model.

How does ISO 27001 map to CPS 230?+

ISO 27001:2022 controls cover ~75% of CPS 230 requirements out of the box: operational risk framework, supplier management, business continuity, incident management. The remaining 25% is mostly CPS 230-specific tolerance testing, MSP register depth, and APRA-format reporting. We map your existing ISO evidence to specific CPS 230 requirements so you don't duplicate work.

Do we need multi-region within Australia, or is Sydney + Singapore acceptable?+

CPS 230 requires you to demonstrate that critical operations remain within tolerance during severe disruptions. Sydney (ap-southeast-2) + Melbourne (ap-southeast-4) gives you Australian-resident DR with low latency and APRA-friendly data residency. Sydney + Singapore (ap-southeast-1) is technically valid but introduces cross-border data flow considerations that complicate documentation. We recommend Sydney + Melbourne as default for APRA-regulated workloads.

What is a Significant Financial Institution (SFI) and does it apply to us?+

APRA classifies entities as SFI based on size and complexity (e.g., banks above $500B in assets, insurers above $10B). SFIs face higher CPS 230 requirements, especially around critical operations granularity and BCP testing depth. Most APRA-regulated entities are non-SFI and have until July 2026 for some deferred requirements. Our assessment determines your classification and scopes accordingly.

How do we hit the 1 July 2026 contract compliance deadline?+

If your existing AWS contracts predate CPS 230, they must be renegotiated to include the operational risk clauses APRA expects: incident notification, audit rights, exit assistance, sub-contractor management. We provide an APRA-aligned contract amendment template for AWS and your other material service providers. AWS already publishes CPS 230-aligned contract terms, most clients accept those without renegotiation.

Can our existing CPS 234 evidence count toward CPS 230?+

Yes, CPS 234's information security testing evidence is reusable for CPS 230 incident response and operational resilience claims. We map existing CPS 234 testing to specific CPS 230 paragraphs so you can demonstrate continuity rather than duplicating control testing.

Jobin Joseph

Founder & CTO

AWS SA ProDevOps ProSecurity+2

Verify on Credly ↗

Who You'll Actually Work With

This engagement runs through me, personally.

The AWS-certified specialist on your discovery call leads the implementation team on your engagement. No bait-and-switch. No junior-led delivery.

Discovery call: I attend, no exceptions

Architecture sign-off: before any work begins

Weekly review: I'm on every call, every week

Material decisions: go through me first

Deliverable sign-off: my signature, my reputation

30 days post-handoff: direct line to me