Constitution

CIAO COMMONS — CONSTITUTION
C-AO/CON/001:2026 PUBLIC
The Foundational Governance Document of the CIAO Standard
Date Issued: 26 April 2026
Review Date: 26 April 2029
Cite as: CIAO Standard. (2026). Constitution. v1.0. C-AO/CON/001:2026. www.c-ao.com
🟢 Commons — Public

Preamble

The CIAO Standard — the Common Information Assurance Standard — exists to make information governance practicable for organisations of every size, sector, and jurisdiction. The Standard’s name carries within it the four pillars its content addresses: Confidentiality, Integrity, and Availability — the classical triad of information assurance — and Operations, the discipline through which the triad becomes lived practice rather than aspiration. The Standard is offered to its members as a working framework operated by a community of practitioners, advisors, and partners who have agreed to specific terms about how the framework changes, who decides on those changes, and what the framework’s members can rely on between releases.

This Constitution is the foundational document of the CIAO Standard. It states what the Standard is, what bodies govern it, what cannot be done to it without overwhelming consensus, and how the Constitution itself can be amended. Every other document published under the CIAO Standard — the Standard itself, the frameworks, the manuals, the policies, the administrative instruments, the Charter — operates beneath this Constitution. Where any other document conflicts with this Constitution, this Constitution prevails until the conflict is resolved through the amendment procedure set out below.

This Constitution is published under CC BY-SA 4.0. It is open to public reading, public discussion, and public criticism. It is not open to private revision; only the amendment procedure of Section 11 can change it, and that procedure is itself protected from unilateral change.

1. The CIAO Standard

The CIAO Standard is a published framework for information assurance, comprising:

A normative content set distributed across nine Content Architecture for Operations (CAO) content domains and three Aggregate Frameworks: the Operational Policy Framework (OPF), the Effective Control Framework (ECF), and the Implementation & Decision Framework (IDF).

A tier ladder — Commons, Core, Essential, Professional, Enterprise, Conglomerate — that distributes content across access levels available to members at corresponding membership categories.

A set of administrative instruments — change management, editorial submission, footer metadata, release calendar, errata summary, and other forthcoming companions — that operate the Standard between releases.

A set of governance instruments — this Constitution, the Governance Charter, the Code of Practice, and the body-specific guidelines for Membership, Partnership, Practitioners, and Panel Advisors — that frame the Standard’s operation.

The Standard is published at www.c-ao.com under maintenance by the Secretariat. The Standard is licensed under CC BY-SA 4.0 at Commons through Professional tiers, and under terms specified in the Multitier Licensing instrument at Enterprise and Conglomerate tiers.

2. Bodies

The CIAO Standard recognises four governing bodies. Each body’s specific composition, seating procedures, and operating rules are codified in the Governance Charter; this Constitution states only what each body is and what authority it holds.

The Oversight Board is the senior governing body of the CIAO Standard. The Board holds final authority on Structural changes, on the integrity of this Constitution, and on appeals from Secretariat decisions. The Board is the custodian of this Constitution and is the body through which Constitutional amendments are ratified. During the founding period, the responsibilities of the Oversight Board are exercised by the Founding Secretariat as set out in Section 6.

The Panel of Advisors is the normative review body of the CIAO Standard. The Panel reviews Material and Structural change proposals affecting Advisors’ declared domains. The Panel is composed of seated Advisors with declared domain coverage and seated under conflict-of-interest recusal terms set out in the Charter.

The Secretariat is the operating body of the CIAO Standard. The Secretariat operates the change management workflow, manages the Release Calendar, runs the editorial function, executes publication, and dispatches notifications. The Secretariat does not author normative content; it manages the flow of normative content through the workflow.

The Membership is the body of paid-tier members (Core through Conglomerate) of the CIAO Standard. Membership confers reading rights according to tier scope, contribution rights through the Editorial Submission Framework, notification rights for material and structural changes affecting member portfolios, and standing to appeal Secretariat decisions to the Panel.

The four bodies operate in a specific authority relationship: the Membership and the Practitioner pipeline supply input; the Panel reviews; the Oversight Board approves Structural change; the Secretariat operates. No body has authority to reach into another body’s authority without going through the procedures set out in the Charter and this Constitution.

3. Foundational Commitments

The CIAO Standard makes four foundational commitments to its members and implementers. These commitments may be elaborated in the Charter and the administrative instruments but cannot be diluted, narrowed, or qualified without Constitutional amendment.

Commitment of stability. The Standard’s normative content does not change between major releases except through the procedure set out in the Change Management & Versioning Process. Members can rely on a published document’s normative requirements remaining in force for the duration of its release window.

Commitment of transparency. Changes are published before they bind. The Release Calendar is published. The change pipeline is visible. Members are notified of upcoming changes that materially affect their implementation, with adequate lead time to adapt.

Commitment of attribution. Practitioner contributions accepted into the Standard are attributed in the change log according to the contributor’s stated preference (public, tier-level, or anonymised). Contributions are not absorbed silently; the Standard publicly acknowledges the source class of each accepted contribution.

Commitment of volunteer integrity. No body member, no Advisor, no Secretariat staff, and no commercial partner receives privileged change rights through their position. Substantiveness is the only acceptance criterion for contributions; commercial relationship to the Standard is not a basis for editorial preference. The detailed terms of volunteer governance are set out in the Volunteer Contribution & Compensation Disclosure.

4. Member Rights

Every member of the CIAO Standard, at any tier, holds the following rights, which cannot be removed except by Constitutional amendment.

The right to read the Standard at the access scope corresponding to the member’s tier. Tier scope cannot contract within a major release window.

The right to receive notification of material and structural changes affecting the member’s tier scope or selected source-standards portfolio, with the lead time set out in the Change Management Process.

The right to contribute to the Standard through the Editorial Submission Framework at the channels available to the member’s tier, within the tier-bounded submission scope set out in that Framework, and with the attribution rights set out in that Framework.

The right to appeal a Secretariat decision (triage classification, scope determination, contribution rejection) to the Panel of Advisors. Appeals are heard within the cadence set out in the Charter.

The right to terminate membership at any time, on notice consistent with the membership’s payment terms, without forfeiture of attributions for prior accepted contributions.

The right to expect that membership commitments are honoured by the Standard’s bodies, and to seek written explanation where they are not.

5. The Standard’s Independence

The CIAO Standard is published as an independent framework. It is not the property of any single commercial entity, regulatory body, or geographic jurisdiction. The Standard’s continuity is protected against four forms of capture:

Commercial capture. No commercial partner may exercise editorial control over the Standard’s normative content. Partner relationships are operated under the Partnership Guidelines and the Multitier Licensing instrument and do not confer change rights.

Regulatory capture. The Standard maps to regulatory regimes through the Canonical Source Standards Register but is not subordinated to any one regulatory regime’s authority. Where a regulatory regime evolves, the Standard adapts through the Change Management Process; the regulatory regime does not have direct editorial authority over CIAO content.

Jurisdictional capture. The Standard operates internationally. The Source Standards Register includes regulatory regimes from multiple jurisdictions; no single jurisdiction’s regulator holds authority over the Standard’s content. The Standard’s bodies are seated with regional balance per the Charter.

Personal capture. The Standard’s bodies operate under term limits, succession provisions, and conflict-of-interest recusal as set out in the Charter. No single individual — Founder, Advisor, Secretariat staff — may exercise indefinite authority over Standard direction.

These four capture-resistance commitments are operationally elaborated in the Charter and in the Code of Practice. This Constitution states them at the principle level; their elaboration belongs in the operating instruments.

6. Founding Period

The CIAO Standard is in its founding period. The founding period begins with the publication of the Standard at v1.0 (1 January 2026) and ends on the formal seating of the Oversight Board.

During the founding period, the following adjustments to the body structure described in Section 2 apply.

The Founding Secretariat exercises operating authority and, by transitional necessity, the Structural-change approval authority that will move to the Oversight Board on its seating. Structural changes made during the founding period are published with an explicit “founding-period structural change” note and are subject to ratification by the Oversight Board within ninety days of seating.

The Panel of Advisors operates partially seated, with the Founding Secretariat empowered to route proposals to closest-domain Advisors with written rationale where the affected domain is not yet seated. The founding-period Panel does not have less authority within its seated scope than a fully-seated Panel; the limitation is one of coverage, not of weight.

The Membership operates from registration onwards. Member rights in Section 4 apply from the membership’s commencement. Where an instrument referenced in Section 4 (e.g., the Practitioner Submission form) is not yet implemented, transitional provisions in that instrument’s text describe how the underlying right is honoured pending implementation.

This Section 6 sunsets when the Oversight Board is formally seated. The sunset is automatic; no separate Constitutional act is required.

7. Constitutional Hierarchy

The CIAO Standard has four document classes in a strict hierarchy:

Class A — Constitutional. This document. Amendable only by the procedure of Section 11.

Class B — Foundational governance. The Governance Charter, the Code of Practice, the Volunteer Contribution & Compensation Disclosure, the Multitier Licensing instrument, the Usage Terms, the Membership Guidelines, the Partnership Guidelines, the Practitioners Guidelines, the Panel Advisor Guidelines, and the Canonical Source Standards Register. The Register is Class B foundational because it defines the authoritative scope of normative reference for the entire Standard: amendments to CIAO content may engage only standards in the Register, and proposals engaging unregistered standards are escalated as Register Addition Requests under the Change Management Process. Class B documents are amendable through the Change Management & Versioning Process at Material or Structural category, depending on the change.

Class C — Administrative instruments. The Change Management & Versioning Process, the Editorial Submission Framework, the Footer Metadata System, the Release Calendar, the Quarterly Errata & Submission Summary. Amendable through the Change Management & Versioning Process at Functional or Material category, depending on the change.

Class D — Standard content. The CAO domain content, the Aggregate Frameworks, the Manuals, the Tier Profiles, and the source-standard mapping pages. Class D content is authoritatively scoped by the Class B Source Standards Register: every normative reference in Class D content engages a standard listed in the Register, and the patented mapping methodology is the means by which that scoping is compiled. Amendable through the Change Management & Versioning Process at any category appropriate to the change.

Conflict resolution: where any document at Class B, C, or D conflicts with a Class A provision (this Constitution), the Constitution prevails. Where any document at Class C or D conflicts with a Class B provision, the foundational governance document prevails. Where any document at Class D conflicts with a Class C provision, the administrative instrument prevails. Within each class, conflict is resolved by the more recent publication, with the prior version held in version history.

8. The Editorial Voice

The Standard’s published documents speak with a single editorial voice. The voice is normative without being authoritarian; it is grounded in practitioner experience without being colloquial; it is technically precise without being inaccessible.

The Editorial function within the Secretariat maintains the voice. Where a contribution is accepted into the change pipeline and rendered into a published document, the Editorial function adapts the contribution’s wording to the editorial voice without altering the contribution’s substance. The contributor retains attribution; the Editorial function retains voice.

This single-voice commitment exists because a Standard is read across decades and across jurisdictions, and a Standard whose voice changes from section to section is harder to operate than one whose voice is consistent. The discipline is the point.

9. Languages

The CIAO Standard is published in English. English is the canonical language of the Standard. Translation into additional languages is a Material change under the Change Management Process and is performed by the Editorial function (or by a sub-function thereof) under the editorial-voice discipline of Section 8.

Where the Standard is published in additional languages, the canonical English version prevails over translations in cases of ambiguity, until the ambiguity is resolved through editorial patch.

10. The Standard’s Position

The CIAO Standard stands as a peer to the international body of management-system standards, governance frameworks, and information-assurance practice. It is not a derivative of, an interpretation of, or a profile of any other standard. Its content is its own.

The Standard cites other standards because cross-standard mapping is the Standard’s value proposition: to give an implementing organisation a single, coherent framework against which their existing obligations under multiple regulatory and standards regimes can be operated and evidenced. The Canonical Source Standards Register is the formal expression of this citation. Citation is integrative, not deferential.

Where the Standard’s structural choices align with traditions in the broader field — the management-system structure, the policy-control-evidence ladder, the risk-based decision frame — that alignment is by deliberate convergence with what works, not by inheritance. Where the Standard departs from established convention — the CAO domain spine; the tier-content depth ladder; the Open-Domain / Sector-Profile distinction within the Effective Control Framework; the dynamic source-standards selection model; the practitioner-contribution-as-input philosophy — the departure is by design and is the Standard’s own contribution.

The Standard’s bodies engage with adjacent standards-bodies through the source-standard re-issue trigger and through informal consultation as appropriate, but the Standard’s editorial direction is set by its own bodies under this Constitution. No external standard-body holds authority over CIAO content.

11. Amendment Procedure

This Constitution at v1.0 is ratified by the Founding Secretariat under the founding-period authority codified in Section 6. Subsequent amendments to this Constitution may be made only through the following procedure.

Initiation. A Constitutional amendment proposal may be initiated by the Oversight Board (on its formal seating), by a Panel resolution carried by no fewer than two-thirds of seated Advisors, or by a Secretariat-initiated proposal supported by written endorsement of no fewer than two-thirds of seated Advisors. During the founding period, the Founding Secretariat may also initiate; founding-period initiations are subject to subsequent ratification under Section 6.

Public consultation. A Constitutional amendment proposal is published for public consultation for no fewer than one hundred and twenty days. The consultation is open to members, Practitioners, partners, and the public. All substantive consultation responses are published with the final consideration of the proposal.

Panel consideration. The Panel of Advisors considers the proposal in plenary session at the close of the public consultation period. The Panel’s consideration produces a written report recommending acceptance, modification, or rejection, with the report published as part of the consultation record.

Oversight Board ratification. The Oversight Board ratifies (or rejects, or returns for further consideration) the proposal by majority vote of seated Board members, where the majority must include at least three of the Board’s seated members. If the Board returns the proposal for further consideration, the consultation process restarts at Public consultation.

Publication. A ratified amendment is published as the next version of this Constitution with full version history, change-log entry, and member notification.

The amendment procedure cannot be amended except by a Constitutional amendment satisfying its own current procedure. The amendment procedure is recursively self-protected.

Part of the CIAO Standard administrative instruments — see Standard Administration for the canonical index of operational policies and processes.

Part of the CIAO Standard architecture — see Standard Architecture & Tier Content Depth for the canonical domain spine and tier-by-tier content ladder.

Verified 29 May 2026 at 15:31 UTC  ·  Version 1.0  ·  © CIAO Standard Secretariat 2026