For vendors selling to APRA-regulated institutions

Every enterprise deal comes with a
200-question security review.

SIG, CAIQ, institution due-diligence packs, CPS 230 asks. And they’re getting harder. Answer 10 questions to see where you stand, then get the full set of what APRA-regulated institutions actually ask their vendors.

The slowest step in your sales cycle.

If you sell software to banks, insurers or large enterprises in Australia, you know the drill. A deal reaches “just complete our security questionnaire” and stalls for two weeks while someone copy-pastes from old answers. CPS 230 (1 July 2026) is making the questions harder and more frequent, and a weak response can lose the deal.

The work, done for you.

Know what’s coming

The real questions Australian institutions ask vendors, so the questionnaire isn’t a surprise that stalls your deal.

Answer like a grown-up

How a well-governed vendor responds to each: what reviewers want to see, and the red flags that sink you.

Close faster

Turn the security review from a two-week scramble into a step you’re ready for.

10 questions. See where you stand.

These are drawn from the questions APRA-regulated institutions actually put to vendors during procurement. Answer honestly — your score tells you what to fix before the next deal.

0/10

Q1

Do you have a documented Business Continuity Plan you can share with an institution on request?

Q2

Have you tested your BCP in the last 12 months with evidence you can produce to a reviewer?

Q3

Can you provide a SOC 2 Type II, ISO 27001, or equivalent third-party assurance report?

Q4

Do you maintain a register of subcontractors whose failure could impact your service delivery?

Q5

Can you provide documented Recovery Time and Recovery Point Objectives for your service?

Q6

Do you have a defined incident notification process with committed timeframes?

Q7

Do you have a nominated operational risk contact your clients can reach during an incident?

Q8

Do your standard contracts include provisions for client audit rights?

Q9

Have you reviewed your contract terms against the mandatory clauses CPS 230 now requires?

Q10

Can you produce a data residency map showing where client data is stored and processed?

Answer all 10 questions to see your score.