1. What the Dynamic Selection Engine Does for You
The Dynamic Selection Engine is the access mechanism that allows every CIAO member to align CIAO content to the source-standards portfolio their organisation actually operates under. Whether your organisation works to ISO 27001, NIST CSF, GDPR, POPIA, COBIT, ITIL, SOC 2, sectoral regulation, or any combination of these, the Engine surfaces the CIAO content most relevant to your portfolio. You do not need to know the canonical CIAO architecture in advance to find the content that pertains to your standards.
The Engine is available at every membership tier — from Commons through Conglomerate. There is no premium tier behind which standards mapping is gated. The democratisation of access to standards mapping is one of the CIAO Standard’s foundational accessibility commitments.
2. The Canonical Source Standards Register
The Engine operates over the published Canonical Source Standards Register — the catalogue of source standards that the CIAO Standard recognises and maintains current mappings for. The Register is curated by the Secretariat and published openly. Standards are organised into nine categories that reflect the operational realities of organisational governance:
- Information security — the ISO 27000 family, NIST Cybersecurity Framework, and related
- Quality management — the ISO 9000 family
- IT service management — the ISO 20000 family, ITIL
- Risk management — the ISO 31000 family, COSO ERM
- AI governance — emerging AI-specific standards and regulatory guidance
- Privacy — GDPR, POPIA, regional privacy regimes
- Financial controls — SOC 1, SOC 2, COBIT, financial-services regulatory regimes
- Legislation — sectoral and jurisdictional regulatory instruments relevant to organisational governance
- Good practice — recognised industry frameworks and good-practice references
New standards are added to the Register through periodic releases by the Secretariat. The Register is a public document; members do not need a paid tier to see what is mapped.
3. Configuring Your Portfolio
Members configure their source-standards portfolio when they join their tier, by selecting from the Canonical Source Standards Register the standards their organisation operates under. Configuration is straightforward: it is a selection exercise across the Register’s categories, not a complex setup procedure.
Configuration may be updated as your organisation’s standards adoption changes. Adding a new standard to your portfolio (for example, when your organisation pursues SOC 2 certification for the first time) updates the Engine’s surfacing across the entire CIAO content set you have access to at your tier. Removing a standard works the same way.
4. The Mapped Output
Once configured, the Engine produces a member-specific view of CIAO content. Each artefact you view — Manual, Operating Policy Framework, Enterprise Control Framework, Sub-Policy, Process, Procedure, Implementation artefact — shows the source-standard reference mappings relevant to your portfolio. The mappings sit alongside the artefact, not in place of it; the canonical CIAO content is not altered by your portfolio configuration.
Two members operating under different portfolios will see the same artefact but different reference cells. A member operating under ISO 27001 alone will see ISO 27001 references; a member operating under ISO 27001 and SOC 2 will see both. The architecture is shared; the view is configured per-member.
Mappings reflect the current state of each registered source standard. When a registered standard releases an updated version, the Secretariat updates the mappings within the published cadence; subsequent member views reflect the updated mapping.
5. Why It Works for Every Tier
Standards mapping is a foundational capability of governance work. An organisation cannot intelligently adopt a standard without knowing how that standard relates to the standards it already operates under. The CIAO Standard takes the position that this capability should not be priced behind a paid tier.
At Commons, members evaluate the CIAO Standard against their portfolio before any commitment. At Core through Enterprise, members exercise the Engine across the depth of CIAO content they have access to at their tier. At Conglomerate, members extend the Register with custom portfolio additions specific to their group’s regulatory regimes — a category extension that operates over the same Engine mechanism.
The cumulative effect is that a member’s CIAO experience is shaped by their actual standards portfolio, not by the breadth of the published Standard’s content. The CIAO Standard is broad; the member sees what is relevant; the Engine is the bridge.
6. The Second Axis — Tier-Based Content Selection
Standards-portfolio selection is one axis of the Dynamic Selection Engine. The Engine operates a second axis: content visibility by membership tier. As described in Standard Architecture & Tier Content Depth, each CIAO membership tier unlocks a progressively deeper set of artefacts — Manuals at Core, Operating Policy Frameworks at Essential, Sub-Policies and Control Frameworks at Professional, Processes and Procedures at Enterprise, bespoke extensions at Conglomerate.
The Engine implements this depth ladder dynamically. Every page of CIAO content is tier-aware: content blocks intended for higher tiers are wrapped in tier-conditional markers. When a member views a page, the Engine evaluates each conditional block against the member’s tier — if the member’s tier meets the block’s requirement, the content is rendered in full; if the member’s tier is below the block’s requirement, the content is replaced with an upgrade prompt that names the required tier and the value the member would unlock.
The two axes operate independently. A Professional member with an ISO 27001 portfolio sees Professional-tier content depth, with ISO 27001 reference cells surfaced. An Enterprise member with a multi-standard portfolio (ISO 27001, NIST CSF, GDPR) sees Enterprise-tier depth with all three standards’ reference cells surfaced. The combinatorial effect is a member-specific view: depth is set by tier; mappings are set by portfolio; both are dynamic; both update as either configuration changes.
Licensed under Creative Commons CC BY-SA 4.0. CIAO Standard — Dynamic Selection Engine — www.c-ao.com
Enterprise and Conglomerate-specific Engine configuration content will be added here — multi-portfolio orchestration, group-level mapping defaults, custom Register extensions.