CPS 234 readiness for AU AWS startups: the cheap version
What APRA-regulated counterparties actually ask, the controls that move the needle on AWS, and a 4-week shape that gets a startup defensible without burning the runway.
Most early-stage Australian SaaS teams do not need to be APRA-regulated. They just sell into someone who is — a bank, an insurer, a super fund — and suddenly procurement wants evidence that their information security posture will not become a CPS 234 problem for the regulated counterparty.
This guide is the shape of the work we do for those teams. It assumes:
- You are on AWS (single account or a small Organization).
- You have between 5 and 50 engineers.
- You do not currently have a CISO or a security team.
- You have lost a deal — or are about to lose one — to a security questionnaire that you cannot answer without lying.
What CPS 234 actually expects of your counterparty
CPS 234 obliges APRA-regulated entities to maintain information security capability commensurate with the size and threat exposure of their operations, and to manage information security risk arising from third-party providers — that is, you. Those entities translate that obligation into vendor questionnaires (often based on CAIQ, ISO 27001 controls, or their own internal framework). The questions cluster around:
- Governance — who is accountable for security, and what do they own?
- Identity & access — least privilege, MFA, joiner/mover/leaver.
- Data protection — encryption at rest and in transit, key management, data classification.
- Vulnerability management — patching, scanning, remediation SLAs.
- Logging & detection — what gets logged, where, who watches it.
- Incident response — playbooks, notification timelines, post-incident review.
- Third parties — your subprocessor list, your DPAs, your concentration risk.
If you cannot answer all seven categories with specific controls and evidence, you are not ready.
The 4-week shape
We package this as a fixed-scope sprint. Roughly:
Week 1 — discovery and gap analysis
- Read your AWS Organization, IAM policies, and current detection coverage.
- Interview engineering leadership and the founder accountable for security.
- Map your current state against the seven question clusters above.
- Output: a written gap analysis with a prioritised remediation list.
Week 2 — foundational controls
- Stand up AWS GuardDuty and Security Hub across the Organization.
- Lock down the root account; enforce MFA across IAM Identity Center.
- Enable CloudTrail org-wide with a write-once log archive.
- Define and roll out an encryption key strategy (KMS CMKs, S3 bucket defaults, RDS at-rest encryption).
- Output: working controls in your AWS, Terraform modules in your repos.
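The "write-once log archive" in that list is the control a counterparty most often asks to see evidence for, so here is what it looks like in Terraform. This is an added illustration, not one of the modules the sprint delivers: it assumes the AWS provider v4 or later, that it is applied from the Organization management account with CloudTrail trusted access already enabled, a placeholder bucket name, a 365-day retention period, and SSE-S3 rather than a customer-managed KMS key for the trail itself.

```hcl
data "aws_caller_identity" "current" {}
data "aws_organizations_organization" "current" {}
# Object Lock must be switched on when the bucket is created; it cannot be added afterwards.
resource "aws_s3_bucket" "cloudtrail_archive" {
  bucket              = "PLACEHOLDER-org-cloudtrail-archive" # placeholder; choose a globally unique name
  object_lock_enabled = true
}
resource "aws_s3_bucket_versioning" "cloudtrail_archive" {
  bucket = aws_s3_bucket.cloudtrail_archive.id
  versioning_configuration { status = "Enabled" }
}
# COMPLIANCE mode: no principal, the root user included, can delete or overwrite an object
# until its retention period expires. GOVERNANCE mode would leave a privileged bypass.
resource "aws_s3_bucket_object_lock_configuration" "cloudtrail_archive" {
  bucket = aws_s3_bucket.cloudtrail_archive.id
  rule {
    default_retention {
      mode = "COMPLIANCE"
      days = 365 # assumed retention; align with what the counterparty's contract requires
    }
  }
}
# Minimum bucket policy CloudTrail needs: an ACL check plus PutObject under both the
# management account's and the organization's AWSLogs/ prefixes, owner-full-control enforced.
resource "aws_s3_bucket_policy" "cloudtrail_archive" {
  bucket = aws_s3_bucket.cloudtrail_archive.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      { Sid = "AWSCloudTrailAclCheck", Effect = "Allow", Principal = { Service = "cloudtrail.amazonaws.com" },
        Action = "s3:GetBucketAcl", Resource = aws_s3_bucket.cloudtrail_archive.arn },
      { Sid = "AWSCloudTrailWrite", Effect = "Allow", Principal = { Service = "cloudtrail.amazonaws.com" },
        Action = "s3:PutObject",
        Resource = [
          "${aws_s3_bucket.cloudtrail_archive.arn}/AWSLogs/${data.aws_caller_identity.current.account_id}/*",
          "${aws_s3_bucket.cloudtrail_archive.arn}/AWSLogs/${data.aws_organizations_organization.current.id}/*",
        ],
        Condition = { StringEquals = { "s3:x-amz-acl" = "bucket-owner-full-control" } } },
    ]
  })
}
# Organization trail: every member account, every region. Log file validation produces
# hourly digest files so a reviewer can prove the archive has not been altered.
resource "aws_cloudtrail" "org" {
  depends_on                 = [aws_s3_bucket_policy.cloudtrail_archive]
  name                       = "org-trail"
  s3_bucket_name             = aws_s3_bucket.cloudtrail_archive.id
  is_organization_trail      = true
  is_multi_region_trail      = true
  enable_log_file_validation = true
}
```

For the evidence pack, the `aws cloudtrail validate-logs` output against this trail and the bucket's Object Lock configuration are the two artefacts that answer the "tamper-evident logging" question directly.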
Week 3 — process and policy
- Write the policies you do not have: information security policy, acceptable use, incident response, access control, vendor management, data classification, encryption, logging.
- These are short and specific — not 40-page Word documents. They reference the controls that actually exist in your environment.
- Output: a policy pack, a risk register, and an asset inventory.
Week 4 — evidence and rehearsal
- Build the evidence pack: control descriptions plus screenshots, log samples, and Terraform module references.
- Rehearse the questionnaire with your founder so they can answer it from memory.
- Output: a CAIQ-shaped response document and a 30-minute walkthrough that the engineering lead can deliver to a procurement team.
What we deliberately do not do in 4 weeks
- We do not get you ISO 27001 certified. That is a 3-6 month engagement with a different shape (we have a separate package for it).
- We do not stand up a 24x7 SOC. You almost certainly do not need one yet; GuardDuty findings into a Slack channel with documented triage is fine for your size.
- We do not write a SOC 2 report. SOC 2 is an attestation that takes time windows, an auditor, and ongoing operation of controls.
- We do not implement Essential Eight Maturity Level 3. Most early-stage SaaS targets ML1 with a credible path to ML2 — we will document that path, not pretend you are already there.
When this is and isn't enough
This shape is enough when your counterparty asks "describe your security posture" and accepts evidence-backed answers. It is not enough when:
- Your counterparty is contractually obliged to flow down full ISO 27001 certification, SOC 2 Type II, or PCI DSS attestation.
- Your data flows include card data, PHI, or health records subject to My Health Records Act controls.
- Your contract requires named, monitored security personnel on call.
In those cases the 4-week sprint is the input to a 3-6 month certification engagement, not a substitute for it.
What it costs
We list the AWS Multi-Account Security Baseline at $22k+ for the controls in week 2. The full 4-week sprint with policy, evidence, and rehearsal lands in the $35-50k range, depending on environment complexity. For most teams this is one or two lost deals' worth of revenue, recovered.