Compliance crosswalk · APRA CPS 230
APRA CPS 230 (Australia) - email + domain controls subset, mapped to Wiredepth
Framework version: In force since 1 July 2025; explicit service-provider + critical-operations requirements
Scope note. CPS 230 is a broad operational-risk-management standard - business continuity, critical operations, service-provider risk, change management. This crosswalk maps only the email + domain controls subset. For the full standard, see APRA's CPS 230 + CPG 230 guidance directly. We don't interpret clauses beyond our domain-posture + email lane.
Who this is for. APRA-regulated entities: ADIs, insurers, super funds, and registered RSEs. CPS 230 replaced the older CPS 232 (Business Continuity Management) + extended it with service-provider arrangements. Effective 1 July 2025 means most entities are still in the first compliance cycle - budget cycles are live, internal-audit teams are testing controls ahead of APRA examinations.
Why email + domain are in scope. Email is identified by most APRA-regulated entities as a critical operation under CPS 230 paragraph 36 (services without which the entity cannot serve customers). Customer-facing email-sending domains are critical information assets. Service providers handling that mail (Microsoft 365, Google Workspace, SendGrid, Mailgun, etc.) are explicitly in scope as service-provider arrangements (paragraphs 47+).
Clause-by-clause mapping
Each row maps a specific APRA CPS 230 requirement to the Wiredepth surface that addresses it. The clause ids are the framework's own naming - verify them against the official text. We use precise language: "addresses" (the tool directly satisfies the control), "supports" (the tool contributes evidence the auditor will need), and "evidence for" (the artifact is part of the attestation package).
| Clause | Requirement | Wiredepth response |
|---|---|---|
| Para. 13 (Operational risk management framework) - Monitoring | Maintain an operational risk management framework. Includes identifying + assessing operational risks - which the entity must do at least annually. Email-borne risk (phishing, BEC, brand impersonation) is named in CPG 230. | Continuous DMARC / SPF / DKIM / MTA-STS posture monitoring + brand watchlist provide the measurable inputs to the annual operational risk assessment. Quarterly trend reports document the posture-over-time trail. |
| Para. 36 (Critical operations identification) - Inventory | Identify processes that, if disrupted, would have material impact on the entity, its customers, or the financial system. Customer-facing email + domain reachability is on most entities' critical-operations list. | Continuous monitoring of mail-delivery infrastructure + transmission encryption (MTA-STS) + sender reputation evidences both the inventory + the operational continuity posture. |
| Para. 47-52 (Service provider arrangements) - Inventory | Maintain comprehensive arrangements with service providers - including identification, risk assessment, and ongoing monitoring. Email-sending vendors authorized in your DNS are explicit service-provider arrangements. | Vendor consolidation audit inventories every third party authorized in SPF / DKIM / MX / DMARC. Per-vendor blast-radius rating quantifies the operational risk posture each one introduces. |
| Para. 50 (Service provider monitoring) - Monitoring | Monitor service-provider performance on an ongoing basis. Includes the security posture of service providers handling regulated functions. | Vendor monitoring (Wiredepth Pro+) tracks each authorized vendor's own DMARC / TLS / domain posture and alerts on regression. The "third-party security posture changed" alert is the CPS 230 evidence. |
| Para. 54-57 (Material service provider arrangements) - Inventory | For material service providers, additional requirements apply: notification to APRA before entering or exiting the arrangement; deeper risk assessment; documented exit strategies. | De-authorization guides (/docs/deauthorize) cover the technical-execution side of exit strategies for the 10 most common email-sending vendors. Pairs with the contractual exit-planning the legal/procurement team owns. |
| Para. 65 (Critical operations - business continuity) - Monitoring | For each critical operation, define a tolerance level for disruption + maintain a business continuity plan tested at least annually. | Email-delivery posture trend reports (DMARC pass rate, MTA-STS enforcement, blocklist coverage over time) provide the measurable input to business-continuity tolerance reviews for the email-as-critical-operation scope. |
What auditors actually look at
What APRA examiners + internal auditors specifically look at when CPS 230 + email/domain intersect:
- Service-provider inventory aligned with what's authorized in DNS. Every vendor in your SPF / DKIM / MX should appear in your service-provider register. A vendor in DNS that isn't in your register is a documentation gap; a register entry not in DNS is a housekeeping flag.
- Documented exit strategy for material email-sending vendors (paragraph 56). Often missing - entities have onboarding processes but no documented de-authorization runbook. Our /docs/deauthorize guides fill the technical-execution half.
- Tolerance levels for email-disruption events. How long can your customer-facing email be down or compromised before it's material? Most entities haven't formalised this - paragraph 65 expects they do.
- Pre-arrangement APRA notification for new material service providers (paragraph 54). Adding a new email-sending vendor to a customer-facing domain may trigger this. Most teams onboard SaaS vendors without notifying compliance; CPS 230 makes that a gap.
- Annual testing of critical-operation continuity (paragraph 65). For email, this looks like: documented test scenarios + measurable outcomes. Vendor monitoring with continuous evidence streamlines this.
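The register-versus-DNS reconciliation described in the first bullet, as an added example (not Wiredepth's code): it extracts the parties authorized by SPF `include:` mechanisms, MX hosts and DKIM CNAME targets, matches them against a service-provider register, and reports both the documentation gap and the housekeeping flag. The DNS records and the register are constructed inline so it runs offline; in practice they come from DNS lookups and the entity's own register.

```python
"""Reconcile DNS-authorized email senders with a service-provider register (added example)."""
import re
from typing import Dict, List, Optional, Set

# Constructed sample DNS data for a hypothetical customer-facing domain.
SPF_RECORD = ("v=spf1 include:spf.protection.outlook.com include:sendgrid.net "
              "include:mailgun.org ip4:203.0.113.10 -all")
MX_HOSTS = ["example-com.mail.protection.outlook.com"]
DKIM_CNAME_TARGETS = ["s1.domainkey.u123.wl.sendgrid.net"]

# Constructed service-provider register: vendor name -> DNS suffixes it operates.
REGISTER: Dict[str, List[str]] = {
    "Microsoft 365": ["protection.outlook.com"],
    "SendGrid": ["sendgrid.net"],
    "Legacy bulk mailer": ["oldmailer.example.net"],  # registered, but no longer in DNS
}

def spf_includes(record: str) -> Set[str]:
    """Domains delegated to by include:/redirect= mechanisms in an SPF record.
    Raw ip4:/ip6: mechanisms are not resolved here; they need an owner lookup."""
    return set(re.findall(r"(?:include:|redirect=)(\S+)", record))

def dns_authorized_hosts() -> Set[str]:
    """Every third-party host the domain currently authorizes to send or receive mail."""
    hosts = spf_includes(SPF_RECORD) | set(MX_HOSTS) | set(DKIM_CNAME_TARGETS)
    return {h.lower().rstrip(".") for h in hosts}

def vendor_for(host: str, register: Dict[str, List[str]]) -> Optional[str]:
    """Map a host to a register entry by exact match or parent-domain suffix."""
    for vendor, suffixes in register.items():
        if any(host == s or host.endswith("." + s) for s in suffixes):
            return vendor
    return None

def reconcile(hosts: Set[str], register: Dict[str, List[str]]) -> Dict[str, Set[str]]:
    """Split into matched vendors, DNS-only hosts (documentation gap),
    and register-only vendors (housekeeping flag)."""
    matched: Set[str] = set()
    unregistered: Set[str] = set()
    for host in sorted(hosts):
        vendor = vendor_for(host, register)
        matched.add(vendor) if vendor else unregistered.add(host)
    return {"matched": matched,
            "in_dns_not_in_register": unregistered,
            "in_register_not_in_dns": set(register) - matched}

if __name__ == "__main__":
    for key, value in reconcile(dns_authorized_hosts(), REGISTER).items():
        print(f"{key}: {sorted(value)}")
```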
Generate an APRA CPS 230-tagged evidence pack (Wiredepth Prove)
Prove subscribers can generate a ZIP of all five workpapers + an APRA CPS 230 README in one click. Single domain, single click, ready to file in your audit binder. See pricing at /pricing#prove ($499/mo standalone, bundled in Enterprise).
Disclaimer. This crosswalk is provided for informational purposes. It is not legal advice, audit guidance, or a substitute for engagement with a qualified assessor (QSA for PCI, accountant or QSA for SOC 2, lawyer for HIPAA / NIS2 / SEC). Framework clause ids and language may have been updated since publication; verify against the official text. Wiredepth does not guarantee compliance based on the use of any tool or page on this site.