1. Purpose and Scope
This matrix mapping document lists the specific International Standards, Governance Codes & Corporate Regulations, Data Protection & Privacy Laws, Cybersecurity & Cybercrime Laws, and Best-Practice Frameworks that should be considered when building a more comprehensive Information Compliance Universe (ICU).
It also includes a mapping of specific clauses per regulation or framework to the CIAO Core policies.
2. The CIAO ICU Matrix
The CIAO ICU Matrix is shown below; it can also be downloaded in PDF format from the CIAO Essential resources.
| Standard / Law / Framework | Information Security Policy | Data Protection & Privacy Policy | Cybersecurity Awareness & Training Policy |
|---|---|---|---|
| International Standards | | | |
| ISO/IEC 27001:2022 | A.12.4.1 (Event Logging), A.17.1 (Business Continuity) | A.9.1.1 (Access Control), A.18.1 (Compliance), A.18.2 | A.7.2.2 (Awareness & Training), A.18.2 (Compliance Reviews) |
| ISO/IEC 27701:2019 | Clause 5.4.2 (PIMS in ISMS) | (Access to PII), 7.5.2 (PII Breach Response), 7.6.1 (Automated Decision-Making) | Clause 7.2.3 (Training & Awareness for PII) |
| ISO/IEC 27017:2015 | — | Cloud security controls for shared responsibility | — |
| ISO/IEC 27018:2015 | — | Cloud privacy controls for PII | — |
| ISO 22301:2019 | Clause 8.4 (Business Continuity Procedures), Clause 3.1 (Performance Evaluation) | — | — |
| ISO/IEC 38500:2015 | Clause 5.1–5.6 (Governance principles) | — | — |
| ISO/IEC 42001:2023 (AI Management System) | Clause 5.1 (AI Governance), Clause 6.2 (Risk Management for AI), Clause 7.3 (Operational Controls) | Clause 8.2 (AI Data Transparency) | Clause 7.4 (AI Awareness & Training) |
| ISO 44000:2017 (Collaborative Business Relationships) | (Collaborative Risk Management), Clause 7.4 (Joint Incident Response) | (Operational Management), Clause 8.2 (Cross-Border Collaboration) | Clause 7.2 (Collaborative Training), Clause 5.3 (Trust & Transparency) |
| COSO ERM Framework (2017) | Principle 1 (Governance & Culture), Principle 6 (Risk Assessment), Principle 17 (Risk Reporting) | Principle 3 (Risk Response) | Principle 3 (Culture & Awareness), Principle 8 (Risk Information Sharing) |
| COSO Internal Control — Integrated Framework | Governance & Monitoring | Control Activities, Monitoring | Culture & Awareness |
| SOC 1 (AICPA, 2017) | Control objectives for financial reporting security | Privacy controls in financial reporting | Training controls for financial systems |
| SOC 2 (AICPA, 2017, TSC v2017) | Security Trust Services Criteria (CC1–CC9) | Privacy Trust Services Criteria (P1–P9) | Security Awareness (CC6.3) |
| NIST CSF v2.0 (2024) | ID.AM (Asset Mgmt), ID.RA (Risk Assessment), PR.AC (Access Control), DE.CM (Monitoring), RS.RP (Response Planning), RC.IM (Recovery Improvements) | PR.DS (Data Security), PR.IP (Protective Technology), RS.CO (Communications), RS.MI (Mitigation) | PR.AT (Awareness & Training), RS.CO (Communications) |
| NIST RMF Rev. 2 (2021) | Step 1–6 (Categorize, Select, Implement, Assess, Authorize) | Appendix J (Privacy Risk Integration) | Step 2–3 (Training & Awareness) |
| NIST NICE Framework (2020) | — | — | Workforce roles & training categories (OM-ANA, OM-TRN) |
| Governance Codes | | | |
| UK Corporate Governance Code (2018) | Governance & accountability | Board oversight of privacy | Board oversight of training culture |
| SOX 404 (2002, updated 2010) | Internal control reporting | Privacy controls in financial reporting | Training controls |
| SEBI LODR (2015, amended 2021) | Risk disclosure | Privacy compliance disclosure | Training compliance disclosure |
| King IV (South Africa, 2016) | Governance principles | Data protection governance | Awareness & culture |
| Mauritius Code of Corporate Governance (2016) | Governance & accountability | Privacy oversight | Training oversight |
| OECD Principles of Corporate Governance (2015) | Transparency & accountability | Privacy governance | Risk culture |
| Information Laws | | | |
| GDPR (EU Regulation 2016/679) | Art. 32 (Security of Processing) | Arts. 5–6, 15–22, 30, 32–34 | Art. 39 (DPO responsibilities) |
| POPIA (South Africa, 2013) | Sec. 19 (Security safeguards) | Sec. 11 (Lawful processing), Sec. 22 (Breach notification) | Sec. 19(2) (Training obligations) |
| Mauritius Data Protection Act (2017) | Sec. 23 (Security measures) | Sec. 23, Sec. 36 (Processing & breach) | — |
| AU Convention 108+ (2018) | — | Cross-border data protection | — |
| Singapore PDPA (2012, amended 2020) | Security obligations | Processing & breach notification | Training obligations |
| India DPDP Act (2023) | Security safeguards | Processing & consent | — |
| Brazil LGPD (2018) | Security obligations | Processing & rights | — |
| California CCPA/CPRA (2018/2020) | Security obligations | Consumer rights & breach | — |
| EU Cybersecurity Act (2019) | Security certification | — | Awareness obligations |
| South Africa Cybercrimes Act (2020) | Incident response obligations | Breach obligations | Awareness obligations |
| Mauritius Cybercrime Act (2003) | Incident response obligations | Breach obligations | Awareness obligations |
| Best-Practice Frameworks | | | |
| COBIT 2019 | EDM, APO domains | MEA domain | DSS domain |
| ITIL v4 (2019) | Change, Incident, Problem Mgmt | Service Design, Service Transition | Continual Improvement |
| SIAM (2016) | Supplier Integration (Governance, Service Mgmt practices) | Supplier Integration for privacy (Data sharing agreements) | Supplier Integration for training (Joint awareness programs) |
| SOC 2 (AICPA, 2017, TSC v2017) | Security (CC1–CC9) | Privacy (P1–P9) | Security Awareness (CC6.3) |
Clauses, articles, sections and domains shown are the primary mapping anchors; detailed per-policy mappings are available in the CIAOs.IS0 / GC0 / DP0 / CL0 / BP0 sub-matrices at the Essential tier.

3. How to Use the CIAO ICU Matrix
The CIAO ICU Matrix is a fairly comprehensive Information Assurance reference mapping to essential frameworks and regulations.
Start with what is most pertinent in your region and decide what is compulsory versus nice-to-have. Think about the size of the organisation and the target market. Use the CIAO organisation size and scope guidelines to determine approximate membership needs and the value to be gained.
An approximate guideline for applicability is as follows (it does not fit every situation, since some companies fall outside these typical categories):
- The CIAO Core membership: local, <10 employees.
- The CIAO Essential membership: regional, <100 employees.
- The CIAO Professional membership: global, <1000 employees.
- The CIAO Enterprise membership: global, <10 000 employees.
This exercise should not be seen as compliance only; done right, it becomes your competitive advantage.
Below is the CIAO favourite base ICU for Information Assurance:
- BEST-PRACTICE FRAMEWORKS
  - COBIT
  - ITIL
  - SIAM
- INFORMATION PROTECTION LAWS
  - UK&EU GDPR
  - AU Convention 108+
  - EU Cybersecurity Act
- CODES OF CORPORATE GOVERNANCE
  - COSO
  - King V
  - OECD
- INTERNATIONAL STANDARDS
  - ISO 27001 (+27701, 27017, 27018)
  - ISO 42001
  - NIST NICE (+CSF, RMF, C-SCRM)
Enterprise and Conglomerate implementation content will be added here.