
APRA CPS 234 in Australian Education: A Practitioner's Walkthrough

APRA CPS 234 compliance guide for Australian education organisations. Controls, audit timelines, common pitfalls, and practical implementation steps.

The PADISO Team · 2026-05-31

Table of Contents

  1. What APRA CPS 234 Actually Means for Education
  2. Who Really Needs to Comply
  3. The Core Control Framework
  4. Evidence Patterns: What Auditors Actually Look For
  5. Common Pitfalls in Education Organisations
  6. The Audit Timeline and What to Expect
  7. Building Your Compliance Roadmap
  8. Technology Foundations for Education
  9. Getting the Culture Right
  10. Next Steps and Resources

What APRA CPS 234 Actually Means for Education

APRA CPS 234 is the Australian Prudential Regulation Authority’s Information Security prudential standard. It sets out minimum requirements for managing information security risk in Australian financial institutions. But here’s the thing: most Australian education organisations aren’t directly regulated by APRA. So why should you care?

Education providers increasingly hold sensitive financial data—student fee payments, staff payroll, research grant funding, and institutional banking information. When you handle financial data or work with financial institutions (banks, insurers, payment processors), you’re operating in the orbit of APRA’s concerns. More importantly, APRA CPS 234 sets the de facto standard for information security across Australian regulated entities and their third-party service providers.

Education organisations that provide services to APRA-regulated entities—or that hold financial data on behalf of students and staff—are increasingly asked to demonstrate CPS 234 alignment. Universities processing research contracts with financial institutions, schools managing student loan data, and training providers handling government funding all find themselves on the compliance radar.

The standard isn’t just about preventing breaches. It’s about demonstrating that you have a systematic, documented, and auditable approach to information security. That means policies, controls, evidence, and a clear governance chain. For education, that’s a significant shift from the ad-hoc security posture many organisations have historically maintained.

The Federal Register of Legislation contains the formally registered instrument, but the practical guidance comes from APRA’s own published standard. Education organisations should read both the regulatory text and APRA’s supporting guidance to understand scope, notification obligations, and what “effective” controls actually look like in practice.


Who Really Needs to Comply

This is where education organisations often get confused. APRA doesn’t directly regulate schools, universities, or training providers. But APRA’s scope extends to entities that are “connected” to regulated financial institutions through data handling, service delivery, or contractual relationships.

You’re in scope if you:

  • Process student or staff financial data (fees, payroll, banking details) and that data flows into or out of APRA-regulated entities
  • Provide technology services to banks, insurers, or other APRA-regulated organisations
  • Hold sensitive data on behalf of government bodies or financial institutions that have APRA obligations
  • Manage research contracts involving financial institutions or government funding bodies with compliance requirements
  • Operate as a third-party service provider to any APRA-regulated entity (even indirectly)

Many education organisations aren’t directly in scope, but they’re increasingly asked by their partners (banks, insurers, government agencies) to demonstrate CPS 234 alignment as a condition of doing business. That’s the practical driver: contractual obligation, not regulatory mandate.

The Australian Government Department of Education guidance on data and privacy provides context on government-level expectations for education providers handling sensitive data. State-based guidance—such as Victorian Department of Education privacy requirements and South Australian Department for Education privacy standards—also sets expectations that align with CPS 234 principles.

If you’re unsure whether you’re in scope, ask your finance, legal, and procurement teams: “Do any of our contracts require us to demonstrate information security compliance? Do any of our partners require SOC 2, ISO 27001, or APRA alignment?” That’s your answer.


The Core Control Framework

APRA CPS 234 is built on four pillars:

Governance and Risk Management

Your board and senior leadership must own information security as a strategic risk. This isn’t a checkbox—it’s a governance obligation. You need:

  • A documented information security policy approved by the board or governing body
  • Clear accountability: who owns information security? Who reports to whom?
  • An information security strategy that links to business objectives
  • Regular board-level reporting on information security incidents, risks, and remediation

Education organisations often struggle here because security has historically lived in IT, not in the boardroom. CPS 234 requires it to move up. That means your board papers need an information security section. Your annual risk register needs information security prominently listed. Your CEO and CFO need to understand the material risks.

In practice, this means appointing a Chief Information Security Officer (or equivalent), even if it’s a fractional or shared role. It means documenting your security governance structure and making sure it’s visible to leadership. It means linking security investments to business risk, not just IT wish lists.

Risk Assessment and Management

You must identify, assess, and manage information security risks systematically. This requires:

  • A documented information asset inventory (what data do you hold, where is it, who accesses it?)
  • A risk assessment process that identifies threats, vulnerabilities, and impacts
  • Risk treatment plans for material risks (mitigate, accept, avoid, or transfer)
  • Regular reassessment (at least annually, more often if your environment changes)

Education organisations often have incomplete asset inventories. You might know about your student information system, but do you know about all the cloud services your departments are using? Do you have a complete map of where sensitive data lives? That’s the starting point.

Risk assessment doesn’t need to be complex. It needs to be documented and defensible. You’re looking for: what sensitive data do we hold? What are the plausible threats (external attack, insider misuse, accidental loss)? What’s the impact if something goes wrong? What controls do we have? What’s our residual risk? That conversation, documented and reviewed, is what auditors want to see.

Technical and Operational Controls

This is where most of the work lives. You need controls across:

  • Access control: Who can access what? How do you authenticate users? How do you manage privileged access? How do you revoke access when people leave?
  • Encryption: Is sensitive data encrypted in transit and at rest? Who manages encryption keys?
  • Network security: Are your systems isolated from untrusted networks? Do you monitor for intrusions? Do you have firewalls and intrusion detection?
  • Incident management: Do you have a process for detecting, reporting, and responding to security incidents? Do you notify affected parties and regulators when required?
  • Change management: How do you control changes to systems? How do you test before deploying? How do you audit who made what changes?
  • Vendor management: If you use third-party services, how do you ensure they meet your security requirements? How do you audit them?
  • Data handling: How do you classify data? How do you store it? How do you dispose of it?

Education organisations often have some of these controls in place, but they’re inconsistently applied. You might have strong access controls for your student information system but weak controls for your research data repository. You might encrypt data at rest but not in transit. The audit process will find these gaps.

Awareness and Capability

Your people need to understand information security. This requires:

  • Mandatory security awareness training for all staff (at least annually)
  • Role-specific training for people handling sensitive data or managing systems
  • A documented code of conduct that includes security expectations
  • Regular communication about security incidents and lessons learned
  • Testing (phishing simulations, for example) to reinforce awareness

Education organisations are particularly vulnerable here. Academic culture often emphasises openness and sharing, which can conflict with security discipline. You need to build a security culture that respects both academic values and information protection requirements. That means training that resonates with educators, not just IT staff.


Evidence Patterns: What Auditors Actually Look For

When an auditor (or your partners’ auditors) assesses your CPS 234 alignment, they’re looking for evidence. Not promises—evidence. Here’s what that actually looks like:

Governance Evidence

  • Board minutes showing information security was discussed and approved
  • A documented information security policy (not a 100-page tome—a clear, implementable policy)
  • An organisation chart showing who owns information security
  • Annual information security reports to leadership
  • Evidence that information security is part of your risk management process (board risk register, risk committee minutes)

Education organisations often have security policies, but they’re out of date or not actively used. Auditors want to see recent approval, active governance, and clear ownership. If your information security policy was last updated five years ago, that’s a red flag.

Risk Assessment Evidence

  • A documented information asset inventory (ideally in a tool, but a spreadsheet is acceptable)
  • A risk register showing identified information security risks
  • Risk assessments for major systems or data handling processes
  • Evidence of risk treatment decisions (approved, documented, assigned to someone)
  • Evidence of periodic reassessment (risk register updated at least annually)

Education organisations often struggle with this because they haven’t inventoried their assets. Start simple: what are your critical systems? What sensitive data do they hold? Who accesses them? That’s your baseline. From there, you can build a more comprehensive inventory.

Control Evidence

For each control, auditors want to see:

  • A documented control description (what is the control, and how does it work?)
  • Evidence that the control is implemented (screenshots, logs, configuration, policy documents)
  • Evidence that the control is operating effectively (test results, audit logs, incident reports showing the control detected something)
  • Evidence of monitoring and review (how do you know the control is still working?)

Here’s a concrete example: access control. You might document: “Only authorised staff can access student records. Access is granted through role-based access control in our student information system. Access is reviewed quarterly by department heads. Access is revoked within 24 hours of staff departure.” Then you provide:

  • Your access control policy
  • Screenshots of your role-based access control configuration
  • A list of current users and their roles
  • Evidence of quarterly access reviews (signed-off spreadsheets)
  • Evidence of access revocation (system logs showing accounts disabled)
  • Incident examples where the control detected unauthorised access attempts

That’s the pattern: policy + implementation + evidence of operation + monitoring.
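The “evidence of access revocation” bullet above is usually produced by hand from screenshots. The script below is an added example (it is not from the article or from PADISO) of generating that evidence mechanically: it reconciles an HR leaver list against account-disable events in an identity-system audit log, measures the lag against the 24-hour target stated in the control description, and flags leavers whose accounts were disabled late, never disabled, or used after their departure. The log format, the usernames and the timestamps are constructed sample data.

```python
"""Added example: reconcile HR leavers against account-disable events to
produce access-revocation evidence. Not from the article; sample data is
constructed and the log format is an assumption."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

REVOCATION_TARGET = timedelta(hours=24)  # the target in the control description

# Constructed sample: HR leaver list as (username, end of last working day).
LEAVERS = [
    ("jsmith", "2026-03-02T17:00:00"),
    ("akhan", "2026-03-05T17:00:00"),
    ("mlee", "2026-03-09T17:00:00"),
    ("rpatel", "2026-03-10T17:00:00"),
]

# Constructed sample: identity-system audit log, "<ISO timestamp> <event> <user>".
AUDIT_LOG = """\
2026-03-02T18:05:00 ACCOUNT_DISABLED jsmith
2026-03-03T09:10:00 PASSWORD_RESET tnguyen
2026-03-07T11:30:00 ACCOUNT_DISABLED akhan
2026-03-10T08:45:00 ACCOUNT_DISABLED mlee
2026-03-11T09:00:00 LOGIN_SUCCESS rpatel
"""


@dataclass
class RevocationResult:
    username: str
    departure: datetime
    disabled_at: Optional[datetime]
    status: str  # "on_time", "late" or "not_disabled"


def parse_events(log_text):
    """Yield (timestamp, event, user) tuples from the audit log; skip malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        yield datetime.fromisoformat(parts[0]), parts[1], parts[2]


def earliest_disable_times(log_text):
    """Map username -> earliest ACCOUNT_DISABLED timestamp seen in the log."""
    disabled = {}
    for ts, event, user in parse_events(log_text):
        if event == "ACCOUNT_DISABLED" and (user not in disabled or ts < disabled[user]):
            disabled[user] = ts
    return disabled


def reconcile(leavers, log_text, target=REVOCATION_TARGET):
    """One result per leaver: was the account disabled within the target after departure?"""
    disabled = earliest_disable_times(log_text)
    results = []
    for user, departure_str in leavers:
        departure = datetime.fromisoformat(departure_str)
        when = disabled.get(user)
        if when is None:
            status = "not_disabled"
        elif when - departure <= target:
            status = "on_time"
        else:
            status = "late"
        results.append(RevocationResult(user, departure, when, status))
    return results


def exceptions(results):
    """The rows that need a remediation note before the evidence pack is signed off."""
    return [r for r in results if r.status != "on_time"]


def post_departure_logins(leavers, log_text):
    """Successful logins by a leaver after their departure: the control failed, not just lagged."""
    departures = {user: datetime.fromisoformat(d) for user, d in leavers}
    return [(user, ts.isoformat()) for ts, event, user in parse_events(log_text)
            if event == "LOGIN_SUCCESS" and user in departures and ts > departures[user]]


def evidence_rows(results):
    """Tab-separated rows for the evidence pack, with the measured lag in hours."""
    rows = []
    for r in results:
        lag = "n/a" if r.disabled_at is None else f"{(r.disabled_at - r.departure).total_seconds() / 3600:.1f}h"
        disabled = r.disabled_at.isoformat() if r.disabled_at else ""
        rows.append((r.username, r.departure.isoformat(), disabled, lag, r.status))
    return rows


if __name__ == "__main__":
    for row in evidence_rows(reconcile(LEAVERS, AUDIT_LOG)):
        print("\t".join(row))
    for user, ts in post_departure_logins(LEAVERS, AUDIT_LOG):
        print(f"ALERT: {user} logged in after departure at {ts}")
```

Run quarterly against the real HR export and identity-provider log, the output is exactly the three artefacts the bullets ask for: the leaver list, the disable events, and the measured lag per account. The exceptions list is what you remediate and then document, which is the “evidence of operation” an auditor wants to see.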

Incident Management Evidence

Auditors want to see:

  • A documented incident management process
  • Examples of incidents detected and how they were handled
  • Evidence of notification (to affected parties, to regulators if required)
  • Evidence of root cause analysis and remediation
  • Metrics on incident detection and response times

Education organisations often don’t have a formal incident process. If something goes wrong, it’s handled ad-hoc. CPS 234 requires a systematic approach: detection, reporting, investigation, remediation, notification. You need to demonstrate that you can do this consistently.

Vendor Management Evidence

If you use third-party services (cloud providers, software vendors, managed service providers), auditors want to see:

  • A documented vendor management process
  • Vendor risk assessments (how critical is the vendor? What data do they access?)
  • Vendor contracts that include security requirements (confidentiality, incident notification, audit rights)
  • Evidence of vendor audits or certifications (SOC 2, ISO 27001, etc.)
  • Evidence of ongoing monitoring (vendor performance reviews, incident reporting)

Education organisations often use many vendors (learning management systems, email, collaboration tools, research platforms) without formal security assessments. CPS 234 requires you to know who has access to your data and what security standards they meet.


Common Pitfalls in Education Organisations

Based on our work with education providers across Australia, here are the patterns we see repeatedly:

Incomplete Asset Inventory

Education organisations often have a main student information system, but they don’t know about all the other systems holding sensitive data. Research departments use cloud storage. Finance uses accounting software. HR uses payroll systems. Each department might have its own tools. You end up with 50+ systems holding student data, and nobody has a complete list.

Start by asking: “What systems hold sensitive data?” Include obvious ones (student records, payroll, financial systems) and less obvious ones (email, file storage, collaboration tools, research platforms). Then ask: “Who has access? How is it protected? Where does the data go?” That’s your baseline.

Weak Access Control and Privileged Access Management

Education organisations often grant broad access because they value openness and collaboration. But CPS 234 requires least-privilege access: people get access to what they need, nothing more. Common gaps:

  • Shared accounts (multiple people using the same username and password)
  • Overly broad permissions (staff with access to all student records, not just their class)
  • No privileged access management (IT staff can access anything without audit logging)
  • No access reviews (you don’t know if people still need the access they have)

Start by identifying privileged access (who can access sensitive systems or data without normal controls?). Then implement logging and review processes. Then gradually move to least-privilege access.

Inconsistent Encryption

Education organisations often encrypt data at rest in their main systems but not in transit, not in backups, and not on portable devices. CPS 234 expects encryption across the board. Common gaps:

  • Email sent in plain text
  • Data transferred between systems without encryption
  • Backups not encrypted
  • Portable devices (laptops, USB drives) not encrypted
  • Cloud storage not encrypted

Encryption is increasingly built into platforms (Microsoft 365, Google Workspace, cloud providers), so you might already have it. The question is: do you know where it is and where it’s missing?
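Both the asset inventory passage earlier (“a spreadsheet is acceptable”) and the encryption gaps listed above come down to the same question: for each system you hold, which controls are missing? The script below is an added example (not from the article or PADISO) of a control-gap report run over a spreadsheet-style inventory exported as CSV. The column names, the sample systems, the classification levels and the 90-day access-review window are assumptions for the example; the systems and values are constructed.

```python
"""Added example: control-gap report over an information asset inventory.
Not from the article; column names, sample rows and thresholds are assumptions."""
import csv
import io
from datetime import date

# Constructed sample inventory, in the shape of a spreadsheet export.
INVENTORY_CSV = """\
system,owner,classification,in_transit,at_rest,backups_encrypted,mfa,last_access_review
Student Information System,Registrar,sensitive,yes,yes,yes,yes,2026-02-15
Research Data Share,,sensitive,yes,no,no,no,2025-06-30
Payroll,HR Director,sensitive,no,yes,yes,yes,2026-01-20
Library Catalogue,Library,public,yes,no,no,no,2025-01-01
Staff Email,IT Manager,internal,yes,yes,yes,no,2026-03-01
"""

REVIEW_WINDOW_DAYS = 90                       # quarterly access review, as in the control example
SEVERITY = {"sensitive": 3, "internal": 2, "public": 1}


def load_inventory(csv_text):
    """Read the inventory into dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def is_yes(value):
    return value.strip().lower() == "yes"


def gaps_for(row, today):
    """Return the list of control gaps for one inventory row (empty if none)."""
    gaps = []
    cls = row["classification"].strip().lower()
    if not row["owner"].strip():
        gaps.append("no accountable owner")
    if cls != "public":
        # Encryption expectations apply wherever the data is not already public.
        if not is_yes(row["in_transit"]):
            gaps.append("not encrypted in transit")
        if not is_yes(row["at_rest"]):
            gaps.append("not encrypted at rest")
        if not is_yes(row["backups_encrypted"]):
            gaps.append("backups not encrypted")
        if not is_yes(row["mfa"]):
            gaps.append("MFA not enforced")
    # Access reviews are expected on every system, whatever the classification.
    last_review = date.fromisoformat(row["last_access_review"])
    age = (today - last_review).days
    if age > REVIEW_WINDOW_DAYS:
        gaps.append(f"access review overdue ({age} days)")
    return gaps


def gap_report(csv_text, today_iso):
    """Systems with gaps, most sensitive and most gapped first."""
    today = date.fromisoformat(today_iso)
    report = []
    for row in load_inventory(csv_text):
        gaps = gaps_for(row, today)
        if gaps:
            report.append({"system": row["system"],
                           "classification": row["classification"],
                           "gaps": gaps})
    report.sort(key=lambda r: (-SEVERITY.get(r["classification"].lower(), 0),
                               -len(r["gaps"]), r["system"]))
    return report


if __name__ == "__main__":
    for entry in gap_report(INVENTORY_CSV, "2026-04-01"):
        print(f"{entry['system']} [{entry['classification']}]")
        for gap in entry["gaps"]:
            print(f"  - {gap}")
```

The ordering is the point: the report puts the sensitive system with no owner, no encryption at rest and a stale access review at the top, so the remediation roadmap starts where the risk is, not where the spreadsheet happens to start. Add columns as your inventory matures (data residency, vendor certification, retention) and the same loop becomes your standing gap register.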

No Incident Management Process

Education organisations often don’t have a formal incident management process. If a security issue is discovered, it’s handled by whoever finds it, without consistent reporting, investigation, or notification. CPS 234 requires a systematic process: detection, reporting, investigation, remediation, notification (to affected parties and regulators if required).

Start simple: document who reports security incidents, who investigates, who decides on remediation, and who decides on notification. Then test it with a tabletop exercise. Then refine it based on what you learn.

Weak Vendor Management

Education organisations often use many vendors without formal security assessments. You might use a learning management system without knowing if it’s secure. You might store research data in a cloud service without understanding their security controls. CPS 234 requires you to assess vendor security and include security requirements in contracts.

Start by listing your critical vendors (those with access to sensitive data or critical systems). Then ask them about their security: Do they have SOC 2 or ISO 27001? What’s their incident response process? What’s their data retention and deletion policy? Require this in contracts going forward.

Outdated or Missing Policies

Education organisations often have security policies on the books that haven’t been updated in years. They don’t reflect current systems, current threats, or current roles. CPS 234 requires current, approved, and actively used policies.

Start by reviewing your information security policy. Is it current? Does it reflect how you actually operate? Is it approved by leadership? Is it communicated to staff? If the answer to any of these is no, update it.

Insufficient Security Awareness

Education organisations often assume staff understand security because they’ve been through one training session. But security awareness needs to be ongoing, role-specific, and reinforced. Common gaps:

  • One-time training that staff forget
  • Generic training that doesn’t resonate with educators
  • No testing or reinforcement
  • No communication about incidents or lessons learned

Start by making security awareness mandatory and regular. Use examples from education (student data breaches, phishing targeting academic staff). Test awareness with phishing simulations. Communicate about incidents and what you learned.


The Audit Timeline and What to Expect

When you go through a CPS 234 audit (either because you’re directly regulated or because a partner is auditing you), here’s what typically happens:

Scoping Phase (Weeks 1–2)

The auditor defines what’s in scope. This includes:

  • What systems and data are covered?
  • What controls are being assessed?
  • What’s the timeline and resource requirements?
  • What documentation do you need to provide?

Education organisations often underestimate the scope. You might think it’s just your student information system, but it could include email, file storage, research platforms, and any system handling sensitive data.

Planning Phase (Weeks 2–4)

The auditor develops a detailed audit plan:

  • What evidence will they review?
  • What interviews will they conduct?
  • What systems will they test?
  • What’s the timeline for on-site work?

Education organisations should use this phase to:

  • Identify gaps in documentation
  • Prepare evidence (policies, risk assessments, incident logs, access reviews)
  • Brief staff on what to expect
  • Assign someone to coordinate with the auditor

Evidence Collection Phase (Weeks 4–12)

This is the heavy lifting. The auditor reviews documentation, interviews staff, and tests controls. Common activities:

  • Document review (policies, risk assessments, incident logs, access reviews, vendor contracts)
  • Interviews with leadership, security staff, system owners, and business users
  • Technical testing (access control, encryption, logging, change management)
  • Site visits to observe physical security and operational controls

Education organisations should:

  • Respond to document requests promptly
  • Make staff available for interviews
  • Provide system access for testing
  • Document any issues or gaps discovered during the audit

Reporting Phase (Weeks 12–16)

The auditor prepares a report documenting:

  • Controls that are operating effectively
  • Control gaps or weaknesses
  • Recommendations for improvement
  • An overall assessment of compliance

Education organisations will typically get a draft report for comment before the final version is issued.

Remediation Phase (Weeks 16+)

You develop a remediation plan to address audit findings:

  • What gaps will you fix?
  • How will you fix them?
  • Who’s responsible?
  • What’s the timeline?

Education organisations should prioritise based on risk: fix material gaps first, then work through lower-risk recommendations.

The typical audit takes 12–16 weeks from start to finish. If you’re well-prepared with documentation and evidence, it can be faster. If you’re starting from scratch, it can take longer.


Building Your Compliance Roadmap

If you’re an education organisation starting your CPS 234 journey, here’s a practical roadmap:

Month 1: Assess and Plan

Week 1–2: Understand Your Scope

  • Determine if you’re directly in scope (unlikely for most education organisations)
  • Identify contractual requirements (do your partners require CPS 234 alignment?)
  • List all systems handling sensitive data
  • Identify your governance structure and assign information security ownership

Week 3–4: Gap Assessment

  • Review your current policies and controls
  • Identify gaps against CPS 234 requirements
  • Prioritise gaps by risk and effort
  • Develop a high-level remediation roadmap

A PADISO AI Quickstart Audit can accelerate this phase. A two-week diagnostic tells you where you actually are, what to ship first, and what 90 days could unlock. Fixed scope, fixed fee.

Months 2–3: Build Governance

Governance Structure

  • Appoint an information security owner (Chief Information Security Officer, or equivalent)
  • Establish an information security committee (leadership, IT, compliance, business representatives)
  • Define roles and responsibilities
  • Establish reporting lines to senior leadership

Documentation

  • Update or create your information security policy
  • Document your risk management process
  • Document your incident management process
  • Document your vendor management process
  • Document your access control process

Get these approved by your board or governing body. Make sure they reflect how you actually operate, not how you wish you operated.

Months 4–6: Implement Core Controls

Asset Inventory and Risk Assessment

  • Complete your information asset inventory (systems, data, access, criticality)
  • Conduct a formal risk assessment
  • Develop a risk register
  • Prioritise risks and develop treatment plans

Access Control

  • Review current access across critical systems
  • Implement role-based access control where possible
  • Implement privileged access management for sensitive systems
  • Implement quarterly access reviews
  • Implement automated access revocation for leavers

Encryption

  • Assess current encryption coverage
  • Implement encryption in transit for sensitive data transfers
  • Implement encryption at rest for sensitive data storage
  • Implement encryption for portable devices and removable media
  • Implement key management processes

Incident Management

  • Document your incident management process
  • Define roles and responsibilities
  • Establish incident detection and reporting mechanisms
  • Establish incident investigation and remediation processes
  • Establish notification procedures (internal and external)

Months 7–9: Vendor and Monitoring

Vendor Management

  • Assess critical vendors for security compliance
  • Update vendor contracts to include security requirements
  • Establish vendor monitoring and review processes
  • Request vendor security certifications (SOC 2, ISO 27001)

Monitoring and Logging

  • Implement logging on critical systems
  • Establish log review and analysis processes
  • Implement alerting for suspicious activity
  • Establish security metrics and reporting
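“Implement alerting for suspicious activity” is a one-line item that hides most of the work. The script below is an added example (not from the article or PADISO) of the first two review rules most education organisations write for a student information system’s authentication log: a burst of failed logins for one account, a success that follows such a burst, and a privileged-role login outside business hours. The log format, the thresholds, the business-hours window and the role names are assumptions for the example; the log lines are constructed.

```python
"""Added example: three log-review rules over constructed SIS authentication
log lines. Not from the article; format, thresholds and roles are assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <user> <role> <event> <source_ip>"
AUTH_LOG = """\
2026-03-16T08:55:10 jsmith staff LOGIN_SUCCESS 10.1.4.22
2026-03-16T09:01:00 tnguyen staff LOGIN_FAILURE 203.0.113.9
2026-03-16T09:01:30 tnguyen staff LOGIN_FAILURE 203.0.113.9
2026-03-16T09:02:05 tnguyen staff LOGIN_FAILURE 203.0.113.9
2026-03-16T09:02:40 tnguyen staff LOGIN_FAILURE 203.0.113.9
2026-03-16T09:03:10 tnguyen staff LOGIN_FAILURE 203.0.113.9
2026-03-16T09:03:55 tnguyen staff LOGIN_SUCCESS 203.0.113.9
2026-03-16T12:30:00 akhan sis_admin LOGIN_SUCCESS 10.1.4.7
2026-03-17T02:14:00 akhan sis_admin LOGIN_SUCCESS 198.51.100.5
2026-03-17T10:00:00 mlee staff LOGIN_FAILURE 10.1.4.31
2026-03-17T15:00:00 mlee staff LOGIN_FAILURE 10.1.4.31
"""

FAILURE_THRESHOLD = 5                  # failures per user inside the window
FAILURE_WINDOW = timedelta(minutes=10)
BUSINESS_HOURS = range(7, 20)          # 07:00 to 19:59 local time
PRIVILEGED_ROLES = {"sis_admin"}       # roles that bypass normal access controls


def parse_log(text):
    """Turn each log line into a dict; the fields are fixed by the constructed format."""
    events = []
    for line in text.splitlines():
        ts, user, role, event, ip = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "role": role, "event": event, "ip": ip})
    return events


def failed_login_bursts(events):
    """Sliding window per user: alert once when FAILURE_THRESHOLD failures fall
    inside FAILURE_WINDOW, then reset so one burst yields one alert."""
    alerts = []
    windows = defaultdict(deque)
    for e in events:
        if e["event"] != "LOGIN_FAILURE":
            continue
        w = windows[e["user"]]
        w.append(e["ts"])
        while w and e["ts"] - w[0] > FAILURE_WINDOW:
            w.popleft()
        if len(w) >= FAILURE_THRESHOLD:
            alerts.append(("failed_login_burst", e["user"], e["ts"].isoformat(), e["ip"]))
            w.clear()
    return alerts


def success_after_burst(events, bursts):
    """A success within the window after a burst: treat as a probable compromise, not noise."""
    alerts = []
    for _, user, burst_ts, _ in bursts:
        burst_time = datetime.fromisoformat(burst_ts)
        for e in events:
            if (e["user"] == user and e["event"] == "LOGIN_SUCCESS"
                    and burst_time <= e["ts"] <= burst_time + FAILURE_WINDOW):
                alerts.append(("success_after_burst", user, e["ts"].isoformat(), e["ip"]))
                break
    return alerts


def out_of_hours_privileged_logins(events):
    """Privileged-role success outside business hours; review against the change calendar."""
    return [("privileged_login_out_of_hours", e["user"], e["ts"].isoformat(), e["ip"])
            for e in events
            if e["event"] == "LOGIN_SUCCESS" and e["role"] in PRIVILEGED_ROLES
            and e["ts"].hour not in BUSINESS_HOURS]


def review(text):
    """Run all rules and return the alert list in rule order."""
    events = parse_log(text)
    bursts = failed_login_bursts(events)
    return bursts + success_after_burst(events, bursts) + out_of_hours_privileged_logins(events)


if __name__ == "__main__":
    for alert in review(AUTH_LOG):
        print(" ".join(alert))
```

Two of the sample accounts show why the rules are layered: tnguyen’s five failures alone might be a forgotten password, but the success 45 seconds later is what should page someone; mlee’s two failures five hours apart correctly produce nothing. Each alert that is raised and handled becomes an incident-management evidence item, which is what the earlier evidence section asks for.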

Months 10–12: Awareness and Readiness

Security Awareness

  • Develop security awareness training for all staff
  • Develop role-specific training for sensitive roles
  • Implement mandatory annual training
  • Implement phishing simulations and other testing
  • Establish security communication channels

Audit Readiness

  • Compile evidence for all controls
  • Conduct internal testing of controls
  • Identify and remediate any gaps
  • Brief leadership on readiness
  • Prepare for external audit

This roadmap is realistic for most education organisations. You won’t be perfect after 12 months, but you’ll have a solid foundation and a clear path forward.


Technology Foundations for Education

Education organisations often ask: “What technology do we need to be CPS 234 compliant?” The answer is: you probably already have most of it. Compliance is more about using what you have correctly than buying new tools.

Core Systems

Student Information System (SIS)

Your SIS is likely your most critical system. It holds student records, grades, fees, and contact information. Make sure:

  • Access is restricted to authorised staff
  • Access is logged and reviewed
  • Data is encrypted in transit and at rest
  • Backups are encrypted and tested
  • Changes are logged and auditable

Email and Collaboration

Email and collaboration tools (Microsoft 365, Google Workspace) are often overlooked but hold significant sensitive data. Make sure:

  • Multi-factor authentication is enabled
  • Encryption is enabled (usually built-in)
  • Retention policies are configured
  • Access is managed and reviewed
  • Incident response processes cover these tools

File Storage and Backup

File storage and backup systems hold sensitive data. Make sure:

  • Access is restricted and reviewed
  • Data is encrypted
  • Retention policies are configured
  • Backups are tested and can be recovered
  • Incident response processes cover these systems

Compliance-Specific Tools

You might consider tools to support compliance:

  • Identity and Access Management (IAM): Tools like Okta or Azure AD help manage user access and authentication
  • Security Information and Event Management (SIEM): Tools like Splunk or Microsoft Sentinel help aggregate logs and detect incidents
  • Vulnerability Management: Tools like Qualys or Tenable help identify and track vulnerabilities
  • Endpoint Protection: Tools like Microsoft Defender or CrowdStrike help protect devices
  • Data Loss Prevention (DLP): Tools like Microsoft DLP or Forcepoint help prevent sensitive data from leaving your organisation

But these are nice-to-haves, not must-haves. Start with the basics: access control, encryption, logging, and incident response. Build from there based on your risk assessment.

Cloud Services

Many education organisations use cloud services (Microsoft Azure, AWS, Google Cloud). When selecting or configuring cloud services, make sure:

  • The provider has relevant security certifications (SOC 2, ISO 27001)
  • You understand their security controls and how they map to your requirements
  • You have contractual commitments on security, incident notification, and audit rights
  • You understand data residency and sovereignty requirements
  • You have encryption and key management processes

Microsoft’s APRA compliance offering documentation provides guidance on how their services map to CPS 234 requirements. Similar documentation is available from AWS and Google Cloud.


Getting the Culture Right

Compliance is ultimately about culture. You can have all the policies and controls in place, but if your people don’t understand why security matters, they’ll find ways around the controls.

Leadership Commitment

Your board and senior leadership need to visibly own information security. This means:

  • Regular board-level reporting on information security
  • Information security included in strategic planning
  • Resources allocated to information security (people, tools, training)
  • Leadership modelling good security behaviour

Education organisations often struggle here because security has historically been seen as an IT issue, not a business issue. You need to reframe it: information security is a risk management issue, and risk management is a board responsibility.

Staff Engagement

Your staff need to understand why security matters to them. This means:

  • Training that resonates with educators (not just IT staff)
  • Examples from education (student data breaches, phishing targeting academic staff)
  • Clear communication about what’s expected
  • Reporting mechanisms that are easy to use
  • Recognition and rewards for good security behaviour

Education organisations often have strong values around openness and collaboration. You need to build security culture that respects those values while protecting sensitive data. That’s a conversation, not a mandate.

Continuous Improvement

Compliance isn’t a destination—it’s a journey. You need processes for:

  • Regular risk assessment and reassessment
  • Regular control testing and improvement
  • Incident analysis and lessons learned
  • Security awareness updates and reinforcement
  • Technology and process updates as threats and systems change

Education organisations should establish a security committee that meets regularly (monthly or quarterly) to review risks, incidents, and improvements. This keeps security visible and ensures continuous improvement.


Next Steps and Resources

If you’re an education organisation starting your CPS 234 journey, here’s what to do next:

Immediate Actions (This Week)

  1. Understand Your Scope: Determine if you’re directly in scope or if contractual requirements apply. Review your contracts with partners (banks, insurers, government agencies) for security requirements.

  2. Assign Ownership: Appoint someone to own information security. It doesn’t need to be full-time, but it needs to be explicit.

  3. Inventory Your Systems: List all systems handling sensitive data. Include obvious ones (student records, payroll) and less obvious ones (email, file storage, research platforms).

Short-Term Actions (Next Month)

  1. Gap Assessment: Review your current policies and controls against CPS 234 requirements. Identify gaps and prioritise by risk and effort.

  2. Governance: Update your information security policy. Define roles and responsibilities. Get board or governing body approval.

  3. Risk Assessment: Conduct a formal risk assessment. Develop a risk register. Identify your top risks.

If you need help with this phase, PADISO’s AI Advisory Services provide strategy, architecture, and delivery from a Sydney-based team. Or consider a PADISO AI Quickstart Audit—a two-week diagnostic that tells you where you actually are, what to ship first, and what 90 days could unlock.

Medium-Term Actions (Next 6 Months)

  1. Core Controls: Implement access control, encryption, and incident management. Focus on your highest-risk systems and data.

  2. Vendor Management: Assess critical vendors for security compliance. Update contracts. Establish monitoring processes.

  3. Monitoring and Logging: Implement logging on critical systems. Establish log review and incident detection processes.

Long-Term Actions (6–12 Months)

  1. Security Awareness: Develop and deliver security awareness training. Implement testing and reinforcement.

  2. Audit Readiness: Compile evidence for all controls. Conduct internal testing. Prepare for external audit.

  3. Continuous Improvement: Establish processes for regular risk assessment, control testing, and improvement.

Key Resources

Getting Help

If you need hands-on support, consider:

Final Thoughts

APRA CPS 234 compliance is achievable for education organisations. It requires systematic work—governance, risk assessment, control implementation, monitoring, and awareness—but it’s not magic. Start with understanding your scope and assigning ownership. Build your governance and risk assessment. Implement core controls. Monitor and improve continuously.

The organisations that succeed are those that treat compliance as a business imperative, not an IT checkbox. They get leadership engaged. They build security culture. They invest in the right technology and people. They monitor and improve continuously.

If you’re an education organisation in Australia, you’re likely already handling sensitive data that deserves protection. CPS 234 is a framework for doing that systematically. Use it.


Ready to get started? Book a call with our team to discuss your specific situation, or explore our Case Studies to see how we’ve helped other organisations build compliance and security.
