💼 24 Information assets that existed prior to an APRA-regulated entity’s current information security policy framework might not comply with the current framework’s requirements. In such instances, the regulated entity would typically raise an exemption and formulate a strategy for either replacing affected information assets or implementing appropriate compensating controls.