
# ISO 22301 Gap Assessment

> Align your operational resilience framework with both ISO 22301 and CPS 230. This gap assessment identifies where APRA-regulated entities fall short on business continuity, critical operations, and service provider oversight.

CPS 230 requires APRA-regulated entities to prove their ability to maintain critical operations within tolerance levels and manage material service providers. Without a structured gap assessment, organisations risk non-compliance, governance weaknesses, and regulatory intervention. This assessment provides the evidence and direction needed to demonstrate readiness and resilience.

A targeted gap analysis maps your current state against ISO 22301 and CPS 230 requirements. The output includes a compliance readiness report, prioritised actions, and guidance for uplifting processes around tolerance levels, critical operations, and service provider arrangements.

## Delivery Approach

The assessment follows a four-step methodology:

1. **Plan**: Agile, first-principles planning ensures a smooth rollout of your refreshed program
2. **Do**: The ISO 22301 Gap Assessment for CPS 230 Compliance is rolled out smoothly at your organisation
3. **Check**: Your assessment remains a draft until validated; this step addresses validation requirements
4. **Act**: Your team and the advisory team will be ready when your assessment is activated in real-life scenarios

## What the Assessment Covers

A gap assessment typically reviews:

- Business continuity governance and frameworks
- Registers of critical operations and tolerance levels
- Service provider management policies and material provider registers
- Testing and review programmes (including scenario exercises)

The current state is mapped directly to CPS 230 compliance obligations.

## Benefits of Combined ISO 22301 and CPS 230 Assessment

ISO 22301 provides a global best-practice framework for business continuity, while CPS 230 sets the local regulatory baseline. A combined assessment ensures your programme is not only compliant with APRA requirements but also resilient against international benchmarks, giving your organisation competitive strength and regulator confidence.

## Board Accountability Support

Under CPS 230, Boards must approve BCPs, tolerance levels, and service provider management policies. A gap assessment gives the Board a clear view of compliance readiness and highlights any deficiencies. Outputs are prepared in a format that supports Board decision-making and APRA review.

## Assessment Frequency

A gap assessment should be performed before CPS 230 takes effect and repeated when your operational risk profile changes, for example, after acquisitions, technology shifts, or new material outsourcing arrangements. Both initial and periodic reassessments are available to maintain ongoing compliance.

## Engagement Process

**Initial Consultation:**

- A link will be sent via email from the Advisory team with scheduling options
- Choose a time convenient for you via phone, Teams, Zoom, or in person
- 30-45 minute discussion to understand your objectives and answer questions
- Proposal delivered within 24 hours detailing the scope of work
- Final quote provided following discussion, typically within one week

**Delivery Phases:**

- **Review and Health Check**: Deep review of existing arrangements with benchmarks formed from best practice and ISO standards
- **Design and Develop**: Build out the gap assessment component of your CPS 230 Compliance programme to the highest quality available
- **Validate**: Test and validate findings where appropriate, providing tangible evidence of capability and maturity to stakeholders
- **Maintain**: Build a plan to ensure your gap assessment runs annually to maintain compliance momentum

## Related CPS 230 Compliance Services

- [Business Impact Analysis for CPS 230](https://docs.fixinc.io/disciplines/business-impact-analysis-for-cps-230.md): Identify critical operations, dependencies, and tolerance levels for APRA-regulated entities
- [ISO 22301-Aligned BIA Review for CPS 230](https://docs.fixinc.io/disciplines/iso-22301aligned-bia-review-for-cps-230.md): Review and align existing BIA to APRA requirements
- [Business Continuity Plan for CPS 230 Compliance](https://docs.fixinc.io/disciplines/business-continuity-plan-for-cps-230-compliance.md): Develop BCPs that protect critical operations and define tolerance levels
- [Business Continuity Training for CPS 230 Compliance](https://docs.fixinc.io/disciplines/business-continuity-training-for-cps-230-compliance.md): Tailored training to meet CPS 230 obligations
- [Desktop Scenario Exercises for CPS 230](https://docs.fixinc.io/disciplines/desktop-scenario-exercises-for-cps-230.md): Test ability to maintain critical operations within tolerance levels
- [Business Continuity Program Review and Audit for CPS 230](https://docs.fixinc.io/disciplines/business-continuity-program-review-and-audit-for-cps-230.md): Independent reviews and audits assessing compliance and readiness
- [ISO 22301-2019 Internal Audit Support for CPS 230](https://docs.fixinc.io/disciplines/iso-223012019-internal-audit-support-for-cps-230.md): Support for internal audit teams testing business continuity controls

## Frequently Asked Questions

**What is a CPS 230 ISO 22301 Gap Assessment?**

A CPS 230 ISO 22301 Gap Assessment evaluates how well your organisation's business continuity and operational resilience practices align with both the international ISO 22301 standard and APRA's Prudential Standard CPS 230. It highlights compliance gaps and provides a clear roadmap for remediation.

**Why is this assessment important for APRA-regulated entities?**

CPS 230 requires APRA-regulated entities to identify weaknesses in business continuity, critical operations management, and service provider oversight. A gap assessment ensures these areas are tested against global best practice (ISO 22301) and local compliance requirements, reducing the risk of penalties and regulatory intervention.

**How is the assessment delivered?**

The assessment benchmarks your resilience programme against ISO 22301 and CPS 230, identifying shortfalls in BCPs, BIAs, audits, and service provider arrangements. A prioritised action plan, board-ready reporting, and practical remediation steps tailored to financial services entities are provided.

---

For program inquiries: [Contact Fixinc](https://www.fixinc.io/contact) | info@fixinc.org | +64 800 349 462