
CPS 230 Material Service Provider Questionnaire template


Use this free CPS 230 Material Service Provider (MSP) questionnaire template to evaluate whether your high-impact external providers meet APRA’s resilience, continuity, and compliance requirements for material service providers.

This toolkit contains the following document:

  • CPS 230 MSP questionnaire template (XLSX file): For collecting detailed information on your MSP’s risk controls, business continuity, and subcontractor dependencies.


What is a CPS 230 Material Service Provider Questionnaire template?

A CPS 230 Material Service Provider (MSP) Questionnaire template is a structured assessment tool designed to help APRA-regulated entities identify, evaluate, and monitor the external providers that support their critical operations or expose them to material operational risks.

Unlike a conventional CPS 230 questionnaire — which is designed to assess an APRA-regulated entity’s governance, resilience framework, and operational risk management — the MSP-specific version focuses exclusively on the third parties that deliver essential services. This makes it a targeted instrument for building and maintaining a complete register of material service providers, as required under CPS 230, and ensuring that these providers meet the resilience, continuity, and compliance standards set out in the Prudential Standard.

Here's a quick guide for understanding the key differences between a CPS 230 MSP questionnaire and a conventional CPS 230 questionnaire:

CPS 230: Material Service Provider Questionnaire
  Who is it for? Sent by an APRA-regulated entity to a vendor delivering a critical or material service.
  Purpose: To determine if a vendor meets the security and operational resilience standards needed to support the APRA-regulated entity's critical operations under CPS 230.

CPS 230: Regulated Entity Assessment Questionnaire
  Who is it for? Sent by any organisation to an APRA-regulated entity that’s acting as a vendor.
  Purpose: To evaluate how well the regulated entity manages its own operational risk under CPS 230 (e.g., governance, risk frameworks, oversight of third parties).

This template guides APRA-regulated entities through gathering key information from Material Service Providers, such as their risk management controls, business continuity capabilities, incident response procedures, and subcontractor dependencies. The resulting insights enable regulated entities to maintain oversight of external dependencies, identify vulnerabilities, and ensure that service providers continue to meet operational commitments, even during severe disruptions.

By narrowing the scope to material service providers, the questionnaire enables:

  • Efficient compliance with CPS 230’s service provider management requirements.
  • Deeper due diligence insights into high-impact external relationships.
  • More accurate resilience testing of an entity’s extended operational environment.

While using a questionnaire template is not a requirement of the regulation, some formal method of identifying, assessing, and monitoring material service providers is required under CPS 230 — an effort that may be supported by a CPS 230 MSP questionnaire template.

Why is a CPS 230 Material Service Provider Questionnaire template important?

Material service providers play a direct role in the resilience of APRA-regulated entities. If one of these providers fails, experiences a major disruption, or cannot meet agreed-upon service levels, the impact can cascade into critical operations and regulatory non-compliance. CPS 230 recognises this risk by requiring regulated entities to maintain a register of all MSPs, perform due diligence before engagement, and continually monitor performance against resilience obligations.

A CPS 230 MSP Questionnaire template is important because it:

  • Supports regulatory compliance: Aligns directly with CPS 230’s requirements for identifying, assessing, and monitoring service providers that support critical operations.
  • Standardises vendor assessments: Ensures a consistent, repeatable risk assessment process for MSP resilience across all critical services.
  • Reveals operational dependencies: Identifies subcontractors, fourth parties, and other dependencies that could affect service continuity.
  • Improves business continuity planning: Provides evidence for testing contingency plans and verifying that MSPs can operate within your tolerance levels during disruptions.
  • Strengthens governance and accountability: Creates a documented audit trail of due diligence and ongoing oversight for Board and regulator reporting.

Who can benefit from this template?

  • APRA-regulated entities: Banks, insurers, superannuation funds, and other regulated bodies required to comply with CPS 230.
  • Third-party risk management teams: Security, risk, and compliance teams responsible for managing service provider relationships.
  • Board and senior management: Leaders who need assurance that outsourced critical services are managed to the same standard as internal operations.

By using this template, regulated entities can quickly pinpoint weak links in their service provider ecosystem, address them proactively, and demonstrate to APRA that they have a mature, defensible approach to operational risk management.

CPS 230 Material Service Provider Questionnaire template example

This downloadable CPS 230 MSP questionnaire template organises assessment questions into control families that align with the Prudential Standard’s focus on operational resilience, business continuity, and service provider management.

Below is a summary of each control family and what it addresses.

  1. Scoping and regulatory requirements: Captures who the provider is, what services they deliver, and how the arrangement fits CPS 230 obligations.
  2. Security policies and procedures: Confirms the existence, ownership, and maintenance of the provider’s security policy framework.
  3. Asset management: Verifies inventories and lifecycle controls for hardware, software, data, and supporting assets.
  4. Infrastructure management: Assesses configuration, patching, change control, and resilience of underlying platforms and networks.
  5. Data protection: Checks controls for confidentiality, integrity, and privacy (e.g., access control, encryption, retention, and disposal).
  6. Application security: Reviews SDLC practices, code security, testing, and vulnerability remediation for delivered software/services.
  7. Risk management: Examines how the provider identifies, assesses, treats, and monitors risks (including supply chain and fourth parties).
  8. Operational resilience: Evaluates backup, disaster recovery, business continuity, testing cadence, and ability to meet tolerance levels.
Preview of the CPS 230 MSP questionnaire template available to download on this page.

Each family contains detailed, targeted questions for the Material Service Providers to answer, allowing regulated entities to score responses, prioritise remediation, and integrate findings into their material service provider register.

Download your CPS 230 MSP questionnaire template.

How to complete the CPS 230 Material Service Provider Questionnaire template

The CPS 230 Material Service Provider Questionnaire is divided into two components: one for the material service provider and another for internal cybersecurity teams.

  1. To be completed by the material service provider: The provider answers each question with “Yes,” “No,” or “Not Applicable” and adds context in the Implementation Details column.
Vendor component of the CPS 230 MSP questionnaire template.
  2. To be completed internally: Your internal team assesses each response for risk severity, assigns a risk treatment, and records ownership and follow-up actions.
Internal component of the CPS 230 MSP questionnaire template.

Step-by-step guide

1. Send the questionnaire to the material service provider

Distribute the template to the provider, requesting that all Implementation Details fields be completed regardless of whether the answer is No or Not Applicable. Richer detail in responses allows for more accurate internal risk evaluation and treatment planning.

2. Review responses for completeness

Check that every control family is addressed in full. This includes Scoping and regulatory requirements, Security policies and procedures, Asset management, Infrastructure management, Data protection, Application security, Risk management, and Operational resilience.

3. Evaluate risk severity

Using the internal columns, classify each No or Not Applicable response according to risk severity:

  • High: Likely to result in critical operational disruption or breach of regulatory obligations if not addressed quickly.
  • Medium: Could cause moderate operational or compliance impact and requires remediation, but may not be immediately urgent.
  • Low: Unlikely to materially impact operations or compliance and may be accepted without remediation.

4. Assign risk treatments

Determine the most appropriate treatment for each identified risk. This may include remediation, acceptance, transfer, or mitigation. Record the chosen treatment in the Risk Treatment column, assign an accountable owner, and define the remediation plan.

5. Maintain documentation

Store the completed questionnaire and treatment plans in your service provider register. This creates a record of due diligence and ongoing monitoring that meets CPS 230 requirements.

By following this process, APRA-regulated entities can ensure they meet Prudential Standard CPS 230’s requirements for identifying and managing material service provider risks while maintaining a clear, auditable record for governance and regulatory purposes.


How to use this questionnaire template to track a material service provider’s compliance with CPS 230

A CPS 230 Material Service Provider questionnaire template is not just a one-time due diligence tool. It's designed to be integrated into an ongoing third-party oversight process that ensures each provider meets APRA’s operational resilience expectations.

Follow these practices to get the most value from your CPS 230 MSP questionnaire template:

1. Establish a baseline

Use the initial completed questionnaire to set a benchmark for the provider’s controls, resilience measures, and compliance posture. This baseline helps you identify areas that require immediate remediation and track progress over time.

2. Monitor changes in service scope or risk

Review and update the questionnaire whenever there is a significant change in the provider’s operations, ownership, subcontractor arrangements, or the services they deliver to your organisation. CPS 230 requires regulated entities to maintain up-to-date information on material service providers to ensure continuity of critical operations.

3. Integrate into your service provider register

Record the questionnaire results in your material service provider register. This enables you to link each provider’s responses to a security risk rating, their performance history, and any remediation plans, creating a single source of truth for ongoing oversight.

4. Align with incident and continuity reviews

If a material service provider experiences a service outage, cyber incident, or operational disruption, use their questionnaire responses as a reference point to verify whether promised resilience measures were followed. Update their record to reflect any gaps between commitments and actual performance.

5. Schedule regular reassessments

Set a reassessment schedule based on the provider’s risk rating. High-risk or critical providers may require annual or semi-annual reviews, while lower-risk providers may be reviewed less frequently. Each reassessment should compare new responses to the baseline and track progress on remediation actions.

6. Report to senior management and the Board

Summarise questionnaire findings, remediation progress, and any material changes in provider risk for governance reporting. This ensures leadership has a clear view of third-party resilience and supports decision-making on whether to continue, adjust, or terminate an arrangement.

When embedded into a broader CPS 230 compliance program, this CPS 230 MSP questionnaire template becomes a living document supporting proactive oversight, timely remediation, and clear evidence of compliance for APRA reviews or audits.
