A Standard for Implementing Standards — A Governance Meta-Standard for Multi-Framework Assurance
1. Architectural Position Statement
CIAO — Common Information Assurance Oversight — is a governance meta-standard that sits architecturally above conventional security and compliance frameworks. It does not replace ISO 27001, NIST CSF, SOC 2, GDPR, POPIA, or any other established standard. It governs them collectively, providing the coordination layer that has been absent from the compliance ecosystem.
The compliance landscape is fragmented by design. Every framework defines its own control catalogue, documentation requirements, audit process, and terminology. Organisations operating under multiple simultaneous obligations — which is now the rule, not the exception — are forced to maintain parallel compliance systems: duplicated policies, duplicated evidence, duplicated audit preparation. The cost is not only financial. It is governance capacity, leadership attention, and institutional resilience.
CIAO addresses the architectural gap that no existing framework has formally occupied: multi-framework assurance orchestration. Through a formal control equivalence taxonomy, a unified governance model, and a structured implementation architecture, CIAO enables organisations to achieve audit-readiness across multiple frameworks simultaneously, from a single governance posture.
Formal Definition: CIAO is a framework-agnostic governance meta-standard that maps, coordinates and operationalises the overlapping requirements of established international compliance frameworks — enabling organisations to achieve multi-framework assurance through a single, structured governance posture.
2. The CIAO 5-Layer Governance Architecture
CIAO operates at the apex of a five-layer governance architecture. Layers 1 and 2 are occupied by the organisation's own operational controls and governance documentation, and Layer 3 by the unified control library that CIAO shares with the existing frameworks. CIAO formally governs Layers 4 and 5 — the coordination and oversight layers that have historically been left unoccupied.
| Layer | Name | Description | Occupied By |
|---|---|---|---|
| LAYER 5 | Assurance Oversight | Meta-standard authority — governs the entire compliance architecture | CIAO |
| LAYER 4 | Framework Coordination | ISO 27001 / NIST CSF / SOC 2 / GDPR / POPIA mappings and equivalence | CIAO |
| LAYER 3 | Unified Control Library | Normalised control taxonomy (CIAO GOV series) | CIAO + Frameworks |
| LAYER 2 | Policy & Evidence System | Operational governance documentation | Organisation |
| LAYER 1 | Operational Controls | Technical and organisational controls | Organisation |
This architecture resolves the structural problem that existing frameworks have not addressed: each operates within its own layer, defining controls, risk processes, or governance principles for a single regime. None provides the coordination mechanism required when multiple regimes must be satisfied simultaneously. CIAO occupies the apex — Layer 5 — as the assurance oversight model that governs the entire stack.
What CIAO Is Not
CIAO is not a control framework — it does not define technical security controls or replace ISO 27001 Annex A, NIST CSF control families, or SOC 2 Trust Services Criteria. CIAO is not a risk framework — it does not define risk assessment methodology or risk treatment processes. CIAO is not a compliance checklist — compliance checklists are point-in-time artefacts; CIAO provides the governance infrastructure for continuous, multi-framework assurance.
What CIAO Is
CIAO is a governance meta-standard. It defines: the architectural relationship between compliance frameworks; a unified control equivalence taxonomy (the CIAO GOV series); the assurance lifecycle for multi-framework audit readiness; and the governance infrastructure through which organisations operationalise compliance across regimes without duplication.
3. CIAO Control Equivalence Taxonomy — GOV Seed Table
The Control Equivalence Taxonomy is the architectural heart of CIAO. Each CIAO GOV control represents a unified governance obligation that spans multiple frameworks simultaneously. This public seed table (GOV-001 to GOV-015) is licensed under CC BY-SA 4.0 as part of the CIAO Commons tier. The full GOV taxonomy (GOV-001 to GOV-050+), sector-specific overlays, and cross-framework evidence mapping workbooks are available in CIAO Essentials and above.
All references are to current published versions: ISO/IEC 27001:2022, NIST CSF 2.0, South African POPIA (Act 4 of 2013), AICPA SOC 2 Trust Services Criteria (2022), and EU GDPR 2016/679.
| CIAO ID | Domain | Control Name | ISO 27001:2022 | NIST CSF 2.0 | POPIA | SOC 2 | GDPR |
|---|---|---|---|---|---|---|---|
| GOV-001 | Governance | Information Governance Policy | A.5.1 | GV.PO-01 | S.19 | CC1.1 | Art.24 |
| GOV-002 | Governance | Roles & Responsibilities | A.5.2 | GV.RR-01 | S.55 | CC1.3 | Art.37–39 |
| GOV-003 | Risk | Risk Assessment & Treatment | Cl.6.1.2 | GV.RM-01 | S.19 | CC3.1–3.2 | Art.32, 35 |
| GOV-004 | Assets | Asset Classification & Management | A.5.9–5.12 | ID.AM | S.14 | CC6.1 | Art.30 |
| GOV-005 | Access | Access Control Governance | A.5.15–5.18 | PR.AA | S.19 | CC6.1–6.3 | Art.32 |
| GOV-006 | Incidents | Incident Management Oversight | A.5.24–5.27 | RS.CO, RS.AN | S.22 | CC7.3–7.5 | Art.33–34 |
| GOV-007 | Continuity | Business Continuity Governance | A.5.29–5.30 | RC.RP, RC.CO | S.19 | A1.2–A1.3 | Art.32 |
| GOV-008 | Supply Chain | Third-Party & Supply Chain Oversight | A.5.19–5.22 | GV.SC | S.21 | CC9.2 | Art.28 |
| GOV-009 | Compliance | Compliance Monitoring & Reporting | A.5.35–5.36 | GV.OC | S.51 | CC4.1–4.2 | Art.30, 83 |
| GOV-010 | Privacy | Data Protection & Privacy Governance | A.5.34 | GV.PO | Cond.1–8 | P1–P8 | Art.5–11 |
| GOV-011 | People | Security Awareness & Training Governance | A.6.3 | PR.AT | S.19 | CC1.4, CC2.2 | Art.39(1)(b) |
| GOV-012 | Change | Change Management Governance | A.8.32 | PR.IP-03 | S.19 | CC8.1 | Art.25 |
| GOV-013 | Audit | Audit & Assurance Oversight | A.5.35, A.8.34 | ID.IM | S.55 | CC4.1–4.2 | Art.39 |
| GOV-014 | Threats | Vulnerability & Threat Governance | A.8.8 | ID.RA, DE.CM | S.19 | CC7.1–7.2 | Art.32 |
| GOV-015 | Architecture | Information Architecture & Classification | A.5.12–5.13 | ID.AM-05 | S.14 | CC6.1 | Art.5(1)(f) |
4. CIAO Positioned Against Existing Governance Approaches
CIAO occupies a structural category that existing governance approaches do not fill. The table below clarifies CIAO’s unique niche within the broader governance landscape.
| Approach | What It Defines | What It Does Not Define | CIAO Relationship |
|---|---|---|---|
| ISO 27001 / 27002 | Information security controls and management system | Cross-framework coordination or assurance orchestration | CIAO Layer 4 maps ISO controls into unified GOV taxonomy |
| NIST CSF 2.0 | Cybersecurity risk governance functions | Multi-framework compliance coordination | CIAO Layer 4 aligns NIST functions to equivalent CIAO controls |
| ISACA COBIT | Enterprise governance principles | Detailed control mapping or compliance orchestration | CIAO complements COBIT governance principles at Layer 5 |
| GDPR / POPIA | Regulatory obligations for data protection | Technical control definitions or cross-framework mapping | CIAO GOV-010 consolidates privacy obligations across regimes |
| CIAO Standard | Multi-framework assurance orchestration at governance level | Individual control implementation (by design) | The meta-standard that governs all frameworks simultaneously |
5. Open Principles
CIAO’s foundation is built on disruptive Open Principles that challenge spiralling bureaucracy and compliance costs:
- Private Data: Collect only what is essential; segregate to reduce risk.
- Open Standards: Use open, interoperable standards wherever possible.
- Shared Accountability: Compliance is a shared organisational responsibility, not solely an IT function.
- Proportionality: Governance effort should be proportionate to organisational scale and risk profile.
- Continuous Assurance: Compliance is a continuous posture, not a point-in-time event.
- Framework Neutrality: No single framework is privileged; CIAO coordinates all equally.
6. The CIAO Assurance Lifecycle
The CIAO assurance lifecycle defines the process through which organisations move from framework fragmentation to unified multi-framework audit readiness:
| # | Phase | Action | Output |
|---|---|---|---|
| 01 | Define | Establish the unified CIAO GOV control taxonomy relevant to the organisation’s applicable frameworks | Scoped CIAO control register |
| 02 | Map | Map organisational frameworks to CIAO control equivalence classes — identify overlaps, gaps, and consolidated obligations | Cross-framework equivalence map |
| 03 | Implement | Develop and deploy operational policies and governance documentation against the unified CIAO control register | CIAO-aligned policy library |
| 04 | Collect | Gather compliance evidence against CIAO controls — evidence reused across all mapped frameworks simultaneously | Unified evidence repository |
| 05 | Validate | Validate assurance coverage against each applicable framework using CIAO equivalence mappings | Multi-framework assurance report |
| 06 | Demonstrate | Present audit-ready documentation to auditors and regulators — single governance posture satisfying multiple frameworks | Audit readiness package |
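The Collect and Validate phases (04 and 05) are where the equivalence taxonomy does real work: one piece of evidence filed against a GOV control is reused against every framework reference that control maps to, and coverage is then checked per framework. The script below is an added example, not part of the CIAO standard or any CIAO tooling. It transcribes the public GOV seed table from section 3 into an equivalence map, inverts it into a per-framework index, and reports covered references, open references and the remaining GOV controls for a constructed evidence register. Two assumptions are made and marked in the code: a range cell such as `A.5.9–5.12` is treated as one reference (the table maps the whole range to one control), and a framework reference reachable through several GOV controls (for example SOC 2 `CC6.1` via GOV-004 and GOV-015) is satisfied by evidence on any one of them.

```python
"""Cross-framework coverage check over the CIAO GOV seed table.

Added example; not CIAO's own tooling. The rows are transcribed from the
public seed table (GOV-001 to GOV-015); the evidence register is constructed.
"""
from collections import defaultdict

FRAMEWORKS = ["ISO 27001:2022", "NIST CSF 2.0", "POPIA", "SOC 2", "GDPR"]

# (CIAO ID, ISO, NIST, POPIA, SOC 2, GDPR), cells copied from the seed table.
SEED_TABLE = [
    ("GOV-001", "A.5.1", "GV.PO-01", "S.19", "CC1.1", "Art.24"),
    ("GOV-002", "A.5.2", "GV.RR-01", "S.55", "CC1.3", "Art.37–39"),
    ("GOV-003", "Cl.6.1.2", "GV.RM-01", "S.19", "CC3.1–3.2", "Art.32, 35"),
    ("GOV-004", "A.5.9–5.12", "ID.AM", "S.14", "CC6.1", "Art.30"),
    ("GOV-005", "A.5.15–5.18", "PR.AA", "S.19", "CC6.1–6.3", "Art.32"),
    ("GOV-006", "A.5.24–5.27", "RS.CO, RS.AN", "S.22", "CC7.3–7.5", "Art.33–34"),
    ("GOV-007", "A.5.29–5.30", "RC.RP, RC.CO", "S.19", "A1.2–A1.3", "Art.32"),
    ("GOV-008", "A.5.19–5.22", "GV.SC", "S.21", "CC9.2", "Art.28"),
    ("GOV-009", "A.5.35–5.36", "GV.OC", "S.51", "CC4.1–4.2", "Art.30, 83"),
    ("GOV-010", "A.5.34", "GV.PO", "Cond.1–8", "P1–P8", "Art.5–11"),
    ("GOV-011", "A.6.3", "PR.AT", "S.19", "CC1.4, CC2.2", "Art.39(1)(b)"),
    ("GOV-012", "A.8.32", "PR.IP-03", "S.19", "CC8.1", "Art.25"),
    ("GOV-013", "A.5.35, A.8.34", "ID.IM", "S.55", "CC4.1–4.2", "Art.39"),
    ("GOV-014", "A.8.8", "ID.RA, DE.CM", "S.19", "CC7.1–7.2", "Art.32"),
    ("GOV-015", "A.5.12–5.13", "ID.AM-05", "S.14", "CC6.1", "Art.5(1)(f)"),
]


def split_refs(cell):
    """Split a cell such as 'RS.CO, RS.AN' into individual references.
    Assumption: a range such as 'A.5.9–5.12' stays one reference, because
    the table maps the whole range to a single GOV control."""
    return [r.strip() for r in cell.split(",") if r.strip()]


def build_equivalence_map(rows=SEED_TABLE):
    """GOV id -> {framework: [references]} (Phase 02, Map)."""
    equivalence = {}
    for gov_id, *cells in rows:
        equivalence[gov_id] = {fw: split_refs(c) for fw, c in zip(FRAMEWORKS, cells)}
    return equivalence


def invert(equivalence):
    """framework -> reference -> set of GOV ids mapping to it.
    Assumption: a reference reachable via several GOV controls is satisfied
    by evidence on any one of them."""
    index = defaultdict(lambda: defaultdict(set))
    for gov_id, by_fw in equivalence.items():
        for fw, refs in by_fw.items():
            for ref in refs:
                index[fw][ref].add(gov_id)
    return index


def coverage(evidenced, equivalence=None):
    """Phase 05, Validate: per framework, which references the evidenced GOV
    controls cover, which remain open, and the covered ratio."""
    equivalence = build_equivalence_map() if equivalence is None else equivalence
    index, evidenced = invert(equivalence), set(evidenced)
    report = {}
    for fw in FRAMEWORKS:
        covered = sorted(r for r, govs in index[fw].items() if govs & evidenced)
        open_refs = sorted(r for r, govs in index[fw].items() if not govs & evidenced)
        total = len(index[fw])
        report[fw] = {"covered": covered, "open": open_refs,
                      "ratio": len(covered) / total if total else 1.0}
    return report


def evidence_reuse(evidenced, equivalence=None):
    """Phase 04, Collect: how many framework references one evidenced GOV
    control satisfies at once (the collect-once, reuse-everywhere claim)."""
    equivalence = build_equivalence_map() if equivalence is None else equivalence
    return {g: sum(len(r) for r in equivalence[g].values())
            for g in evidenced if g in equivalence}


def gaps_for(frameworks, evidenced, equivalence=None):
    """GOV controls still lacking evidence that map to at least one open
    reference in the selected frameworks (the Phase 05 gap list)."""
    equivalence = build_equivalence_map() if equivalence is None else equivalence
    index, evidenced = invert(equivalence), set(evidenced)
    needed = set()
    for fw in frameworks:
        for govs in index[fw].values():
            if not govs & evidenced:
                needed |= govs
    return sorted(needed)


if __name__ == "__main__":
    # Constructed evidence register: only incident and audit evidence on file.
    on_file = {"GOV-006", "GOV-013"}
    for fw, r in coverage(on_file).items():
        print(f"{fw:15} {r['ratio']:.0%} covered, open: {', '.join(r['open'])}")
    print("reuse per control:", evidence_reuse(on_file))
    print("still needed for POPIA:", gaps_for(["POPIA"], on_file))
```

The inversion step is the part worth keeping even if the taxonomy changes: once every framework reference points back at the GOV controls that satisfy it, the same evidence register answers "are we ready for a SOC 2 audit" and "are we ready for a POPIA review" without collecting anything twice, and the gap list for a newly added framework is a single pass over that index.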
7. Membership Tier Content Architecture
For the canonical detailed treatment of tier content depth and the artefact ladder (Manual → Operating Policy Framework → Enterprise Control Framework → Sub-Policies → Processes → Procedures → Implementation artefacts), see Standard Architecture & Tier Content Depth.
The CIAO membership model is designed as a governance maturity ladder. Each tier provides everything included in all tiers below it. The Commons tier is permanently free and publicly accessible — it constitutes the open standard layer of CIAO.
| Tier | Access | Content Included |
|---|---|---|
| COMMONS | Free | CIAO Architecture (5-Layer Model), Open Principles, CIAO Glossary, GOV Seed Table (GOV-001 to GOV-015), Framework Comparison Overview |
| CORE | Entry Paid | 3 enterprise-grade policies + Framework Mapping Starter Pack (full GOV-001 to GOV-015 detail) |
| ESSENTIALS | €99 | 10 policies + Information Management System structure + Full GOV Taxonomy GOV-001 to GOV-050 |
| PROFESSIONAL | €999 | 30 policies + Cross-framework evidence mapping workbooks + Multi-user access + Operational framework templates |
| ENTERPRISE | €9,999 | Full CIAO suite + Unlimited users + Sector-specific overlays (Financial, Health, Public Sector) + Dedicated secure environment |
| CONGLOMERATE | Bespoke | Everything in Enterprise + White-label subdomain portal + Custom logo + Multi-entity governance architecture |
Licensed under Creative Commons CC BY-SA 4.0. CIAO Standard v1.0 — March 2026 — www.c-ao.com
Enterprise and Conglomerate implementation content will be added here — procedures, templates, and work instructions aligned to this document.