Know what’s coming
The real questions Australian institutions ask vendors, so the questionnaire isn’t a surprise that stalls your deal.
For vendors selling to APRA-regulated institutions
SIG, CAIQ, institution due-diligence packs, CPS 230 asks. And they’re getting harder. Answer 10 questions to see where you stand, then get the full set of what APRA-regulated institutions actually ask their vendors.
The problem
If you sell software to banks, insurers or large enterprises in Australia, you know the drill. A deal reaches “just complete our security questionnaire” and stalls for two weeks while someone copy-pastes from old answers. CPS 230 (1 July 2026) is making the questions harder and more frequent, and a weak response can lose the deal.
What it does
The real questions Australian institutions ask vendors, so the questionnaire isn’t a surprise that stalls your deal.
How a well-governed vendor responds to each: what reviewers want to see, and the red flags that sink you.
Turn the security review from a two-week scramble into a step you’re ready for.
Vendor readiness check
These are drawn from the questions APRA-regulated institutions actually put to vendors during procurement. Answer honestly — your score tells you what to fix before the next deal.
Q1
Do you have a documented Business Continuity Plan you can share with an institution on request?
Q2
Have you tested your BCP in the last 12 months with evidence you can produce to a reviewer?
Q3
Can you provide a SOC 2 Type II, ISO 27001, or equivalent third-party assurance report?
Q4
Do you maintain a register of subcontractors whose failure could impact your service delivery?
Q5
Can you provide documented Recovery Time and Recovery Point Objectives for your service?
Q6
Do you have a defined incident notification process with committed timeframes?
Q7
Do you have a nominated operational risk contact your clients can reach during an incident?
Q8
Do your standard contracts include provisions for client audit rights?
Q9
Have you reviewed your contract terms against the mandatory clauses CPS 230 now requires?
Q10
Can you produce a data residency map showing where client data is stored and processed?
Answer all 10 questions to see your score.