Streamlining CPS 234 Compliance with MRP

Sarah Morrison
March 1, 2025

Executive Summary

In the face of stringent regulatory requirements outlined in APRA’s CPS 234, Active Super, a prominent superannuation fund, sought an effective solution to enhance their information security framework. Partnering with Morrisec to implement the Morrisec Risk Platform (MRP), Active Super aimed to streamline compliance processes, strengthen risk management, and reduce audit complexities across the business. The adoption of MRP led to a significant reduction in audit preparation time, improved alignment between security controls and assets, and a more proactive approach to risk management. This case study delves into the challenges Active Super faced, the solutions provided by MRP, and the measurable benefits achieved through this collaboration.

Introduction

Compliance with APRA CPS 234 presents significant challenges for regulated entities, particularly when aligning security controls, assets, and risk management processes. Active Super, a leading superannuation fund, faced these complexities firsthand, particularly when undergoing their CPS 234 tripartite audit. Their experience, coupled with similar stories across a gamut of industries and compliance requirements, was the catalyst for Morrisec to develop MRP, a robust solution to streamline compliance with CPS 234 and other critical standards.


The Challenge: Managing CPS 234 Complexity

CPS 234 requires APRA-regulated entities to maintain robust information security capabilities, demonstrate control effectiveness, and ensure third-party security assurance. However, organisations often struggle with:

  • Aligning security controls with assets and risks in a structured, auditable manner. Most organisations rely on outdated, disjointed spreadsheets for this.
  • Demonstrating security maturity to both APRA and external auditors clearly and defensibly.
  • Maintaining an up-to-date risk posture while integrating ongoing security improvements.

David Morrison, MRP’s initial developer, and Eleni Cacomanolis, who led Active Super’s cybersecurity governance initiatives, identified the need for a centralised, dynamic solution to efficiently manage CPS 234 obligations.

Implementing MRP has been transformative for our compliance efforts. It has allowed us to align our security controls with our assets and risks in a structured, auditable manner. This not only streamlined our processes but also significantly improved our ability to demonstrate security maturity to APRA and external auditors. The dynamic nature of MRP ensures that our risk posture is always up-to-date, integrating ongoing security improvements seamlessly.

Eleni Cacomanolis

CISO, Active Super

MRP as a Compliance Enabler

Active Super adopted MRP to address these challenges by providing a structured, auditable framework for CPS 234 compliance. David Morrison demonstrated MRP’s capabilities, focusing on key compliance areas, including:

Reducing Audit Time & Investment

With simple and fast access to cross-linked artefacts, controls, assets, risks and third-party risk management records, the time spent preparing for audits and demonstrating compliance to auditors is dramatically reduced. MRP provides:

  • Risks, controls and assets linked together, showing which security measures actively reduce each risk.
  • Control implementation and testing documentation, ensuring compliance is not just a checkbox exercise.
  • Tracking audits and assessments and managing findings to ensure ongoing security improvements.
  • Artefacts and proof of compliance, linking documentation to controls for audit transparency.

Self-Audit Capabilities

MRP includes all the content and structure around CPS 234, enabling organisations to:

  • Perform a self-audit upon first use to assess their compliance with each control, reducing external consultancy requirements and costs.
  • Build an asset register directly within MRP, linking assets to controls and risks.
  • Record and track supplier assessments and identified risks, ensuring third-party compliance.
  • Document control testing and results, providing an auditable history of compliance efforts.

Additionally, MRP’s “assess once, comply many” methodology reduces redundant assessments by mapping a single control test across multiple frameworks. For example, Active Super is also aligned with ISO/IEC 27001, and MRP enabled them to manage CPS 234 and ISO/IEC 27001 compliance simultaneously. More impressively, the “assess once, comply many” feature allowed Active Super to test a control against CPS 234 and, if ISO/IEC 27001 had a matching control, MRP would automatically update both compliance records.
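To make the mapping idea concrete, the following is an added illustration (not MRP’s own code) of how a single recorded test result can drive the compliance status of matching controls in two frameworks at once; every control and test identifier in it is a constructed placeholder, not a real CPS 234 or ISO/IEC 27001 clause number.

```python
"""Cross-framework control mapping in the spirit of "assess once, comply many".
Added illustration only; identifiers below are constructed placeholders."""
from dataclasses import dataclass, field
from datetime import date


@dataclass
class ControlTest:
    test_id: str
    description: str
    results: list = field(default_factory=list)  # (date, passed, evidence_ref)

    def record(self, when, passed, evidence_ref):
        self.results.append((when, passed, evidence_ref))

    @property
    def latest(self):
        return max(self.results, key=lambda r: r[0]) if self.results else None


# Framework control -> shared tests that satisfy it (many-to-many).
# A test mapped to controls in several frameworks is assessed once.
FRAMEWORK_MAP = {
    "CPS234": {"CPS234-CTRL-X": ["T-ACCESS-REVIEW"],
               "CPS234-CTRL-Y": ["T-BACKUP-RESTORE", "T-ASSET-CLASSIFY"]},
    "ISO27001": {"ISO-CTRL-P": ["T-ACCESS-REVIEW"],
                 "ISO-CTRL-Q": ["T-BACKUP-RESTORE"]},
}


def framework_status(tests, fmap):
    """Return {framework: {control: status}} derived from the shared tests.
    A failed latest result makes a control non-compliant; otherwise a test
    with no result at all leaves it untested; otherwise it is compliant."""
    status = {}
    for fw, controls in fmap.items():
        status[fw] = {}
        for ctrl, test_ids in controls.items():
            latest = [tests[t].latest for t in test_ids]
            if any(r is not None and not r[1] for r in latest):
                status[fw][ctrl] = "non-compliant"
            elif any(r is None for r in latest):
                status[fw][ctrl] = "untested"
            else:
                status[fw][ctrl] = "compliant"
    return status


def outstanding_tests(tests, fmap, framework):
    """Tests still needed before every control of one framework has evidence."""
    needed = {t for ids in fmap[framework].values() for t in ids}
    return {t for t in needed if tests[t].latest is None}


def build_register():
    # Constructed sample data: one access review recorded once serves both
    # CPS234-CTRL-X and ISO-CTRL-P; a failed restore test flags both Y and Q.
    tests = {t: ControlTest(t, d) for t, d in [
        ("T-ACCESS-REVIEW", "Quarterly privileged access review"),
        ("T-BACKUP-RESTORE", "Restore test of a critical system backup"),
        ("T-ASSET-CLASSIFY", "Asset register CIA ratings reviewed")]}
    tests["T-ACCESS-REVIEW"].record(date(2025, 2, 10), True, "review-minutes-2025Q1")
    tests["T-BACKUP-RESTORE"].record(date(2025, 1, 20), False, "restore-ticket-142")
    return tests
```

Running `framework_status(build_register(), FRAMEWORK_MAP)` shows the single passing access review satisfying a control in both frameworks, while `outstanding_tests` lists the one CPS 234 test still lacking evidence.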

The ‘assess once, comply many’ methodology of MRP has been a game-changer for us. It has significantly reduced redundant assessments by allowing us to map a single control test across multiple frameworks. This feature has enabled us to manage CPS 234 and ISO/IEC 27001 compliance simultaneously, saving us time and effort. The automatic updates to both compliance records have streamlined our processes and ensured that our compliance posture remains robust and up-to-date.

Eleni Cacomanolis

CISO, Active Super

Comprehensive Asset Management

MRP provides a centralised and structured approach to asset management, ensuring all critical information security assets are identified, classified, and monitored. Key capabilities include:

  • Asset register captures and maintains an up-to-date inventory of all information assets, including critical details such as confidentiality, integrity and availability ratings, RTO and RPO requirements, and types of data stored or processed by the asset.
  • Linking assets to risks and controls ensures visibility into the security posture of each asset.
  • Ability to perform business impact assessments (BIA) directly within MRP with automatic updating of asset information based on findings from the BIA.
  • Asset lifecycle management tracking changes and risk impacts as assets evolve.

Control Implementation, Testing & Assurance

Implementing and validating security controls are fundamental to organisational security. MRP facilitates this by providing end-to-end management of control implementation, comprehensive testing methodologies, and assurance processes, ensuring controls are effective and aligned with CPS 234 requirements.

  • End-to-end control management ensures security controls are mapped, assessed, and tested in alignment with CPS 234 requirements.
  • Comprehensive testing methodology is included with all controls, documenting control implementation, testing results, and audit readiness.

Task Automation & Continuous Compliance Monitoring

Efficient management of compliance tasks is crucial for adhering to regulatory standards. MRP’s Task Automation streamlines this process by assigning tasks, setting due dates, and providing automated tracking, ensuring ongoing compliance through regular monitoring and timely updates.

  • Automated task management assigns compliance tasks with due dates, owners, and automated tracking.
  • Ongoing control validation ensures controls remain effective through periodic testing and updates.
  • Exception and gap management identifies non-compliance areas and triggers remediation workflows.
  • Filter and prioritise Open vs Closed tasks, providing real-time visibility into compliance gaps and completed work.

Compliance Dashboard & Monitoring

To maintain a robust compliance posture, organisations require real-time insights into their security controls and risk management activities. MRP’s Compliance Dashboard offers a comprehensive view, enabling proactive monitoring and swift identification of potential compliance issues.

  • Real-time compliance tracking, reducing reporting overhead.
  • Drill-down functionality for specific tasks and risks.
  • Control assessment and task creation from the compliance dashboard.

Results: Measurable Compliance Gains

The implementation of MRP led to significant improvements in Active Super’s CPS 234 compliance strategy, including:

  • Significant reduction in time spent preparing for CPS 234 audits.
  • Clear linkage between security controls, risks, and assets improving audit transparency and providing critical information tripartite auditors required.
  • Proactive risk management through automated monitoring and structured risk tracking.
  • Stronger third-party governance, ensuring vendors met CPS 234’s stringent security requirements.

Eleni Cacomanolis highlighted the impact of MRP in a recent webinar, stating:

“MRP has completely changed how we approach CPS 234. The ability to map controls, assets, and risks in a structured, auditable way has not only simplified our compliance efforts but also made our security governance far more proactive.”

MRP has truly revolutionised our approach to compliance management. The platform’s ability to streamline and automate our processes has not only saved us countless hours but also provided us with greater confidence in our compliance posture. By centralising our compliance efforts, MRP has enabled us to focus more on proactive security measures rather than getting bogged down by repetitive assessments.

Eleni Cacomanolis

CISO, Active Super

Looking Ahead: Continuous Improvement with MRP

Active Super continues to enhance its security governance using MRP, leveraging its capabilities to align with evolving regulatory expectations. MRP’s ability to automate and streamline compliance processes ensures that organisations remain audit-ready while continuously strengthening their security posture.

We built MRP with organisations like Active Super in mind—where staying on top of CPS 234 and other compliance requirements is essential, but often ends up buried under day-to-day business. We kept seeing the same issues: tasks slipping through the cracks, duplicated work across different standards, and teams spending hours wrangling spreadsheets, answering repetitive security questions, and pulling together board reports. MRP takes that pain away. It gives you one place to manage overlapping standards, stay on track, and free up time to actually focus on improving security—not just ticking compliance boxes.

David Morrison

Co-CEO, Morrisec

To hear more about Active Super’s journey with MRP, watch excerpts from our webinar featuring Eleni Cacomanolis.

Is your organisation navigating the complexities of CPS 234 compliance? Discover how the Morrisec Risk Platform can simplify your compliance journey, enhance risk management, and reduce audit preparation and engagement time.

Contact Morrisec today to schedule a demonstration and learn how MRP can be tailored to meet your organisation’s specific needs.

Sarah Morrison

Sarah is the Co-CEO of Morrisec. With over 20 years in cybersecurity and a PhD in Russian information operations, Sarah has a deep understanding of threat actors and their tactics and motivations, making her highly equipped to assist organisations in their defence against them.
