Continuous Controls Assurance for APRA Regulated Workloads

Gain clear and attestable insights into the security, risk and compliance posture of your APRA regulated workloads hosted on AWS. Always on and always assured, we deliver enterprise-level security to keep your business operations safe 24/7.

Continuous Controls Assurance made simple.

Ongoing, proactive approach to risk management, reducing vulnerabilities and enhancing the robustness of your organisation.

Save costs by optimising business processes, reducing the need for traditional audits, and preemptively preventing losses.

Enhance transparency by providing a clear, ongoing view into business operations, building trust among stakeholders, and ensuring compliance.

What is Continuous Controls Assurance?

We define key information security Objectives and Key Results, Key Risk Indicators and Key Performance Indicators in a normalised, machine-readable format, and map them to security controls catalogues and standards. This lets us implement continuous controls effectiveness testing and reporting, with evidence retained to substantiate test conclusions.

Continuous controls effectiveness testing and reporting helps organisations maintain visibility of their risk position despite the rate of technology and threat landscape change prevalent in modern enterprises.

Leading and lagging indicators provide insights into current and future risk posture by measuring the performance of operational security capabilities and security improvement programs and predicting changes that can guide prioritisation and investment decisions.

By normalising and mapping data from multiple controls frameworks, baselines and higher-level standards, guidelines and best practices, we make objective, consistent and actionable data available to business stakeholders, including board risk committees, executive leadership teams, security governance forums (service owners and control owners) and business unit executives.


A continuous controls assurance testing and reporting capability will provide your organisation with the following key benefits:

  • Make the right security and risk information available to the right people at the right time to improve decision making and manage risk
  • Introduce consistent controls effectiveness testing and retention of evidence to support external audits and assessments
  • Measure the performance of security improvement programs and operational security capabilities in real time
  • Reduce time and effort associated with conducting manual security assessments
  • Predict changes in risk position to guide prioritisation and investment decisions in a threat landscape where continuous change is becoming the norm
  • Accelerate innovation with real-time and actionable risk and security posture information so that security defects can be addressed as early as possible in the development lifecycle

Why Continuous Controls Assurance?

Regulatory Compliance

Need for a holistic, technology-based approach to meet a diverse and often unique range of regulatory requirements.

Executive Visibility

Provide executives with clarity and insight to support strategic decision making.

Operational Complexity

Costly and ineffectively implemented security tools.
Ever increasing complexity of the control environment.

Continual Change

Respond quickly to changing needs – hackers don’t wait!
Pick up blind spots automatically through an automated capability.

Cloud Adoption

Visibility and risk management across the cloud portfolio, from platform to application services.

Security Insights

Clarity and business insights to drive change and the move to a secure-by-design culture.

Manual periodic assessment processes (often supported by dreaded Excel spreadsheets) are expensive and ineffective, and can impede innovation and competitiveness by introducing delays to digital transformation initiatives.

If you are using spreadsheets to report on information security controls effectiveness, you are lagging behind your competitors.

An APRA-regulated entity must test the effectiveness of its information security controls through a systematic testing program. Findings from the APRA CPS 234 tripartite assessment of a quarter of APRA’s regulated entities (~24%), published in July 2023, highlight that in many cases the testing programs of entities are incomplete, inconsistent, lack independence and do not provide adequate assurance for management and the Board.

Internal security teams are struggling to address the complexity of reporting control effectiveness across a range of security controls catalogues and baselines, such as NIST 800-53, ISO 27002, AWS Foundational Security Best Practices (FSBP), Microsoft cloud security benchmark (MCSB) and PCI DSS, and the higher-level standards, guidelines and best practices used to manage cybersecurity risk, such as APRA CPS 234, CPS 232, CPG 234 and others.

"We engaged CMD Solutions Managed Service team to uplift and operate our environment. The relationship with CMD has substantially improved our risk profile through improved monitoring and alerting, automation pipelines and DevOps practices. The highly skilled team of Site Reliability engineers combined with CMD's 'runCMD' platform has reduced our total cost of ownership of operating our environment in the Cloud."

Danny Bosevski, CareSouth Everyday | IT and Communications Manager

Get in touch

We’re always keen to start new conversations on using technology to impact people in a positive way.

We pursue technologies that change the way our clients do business in the real world. We bring together emerging technologies with creative design and industry understanding to positively impact how your business works.

Australia: 1300 505 240
New Zealand: 0800 449 290