Frequently Asked Questions
Everything you need to know about CIAO Core — what it is, how it works, and how your organisation can benefit.
What is CIAO Standard?
CIAO Core — the Common Information Assurance Oversight Standard — is a compliance meta-standard that maps leading frameworks into a single coherent structure. Rather than managing each framework separately, CIAO gives your organisation one unified reference point that satisfies multiple compliance obligations simultaneously. The frameworks covered grow with your membership tier, and all mappings are maintained as standards evolve and are revised over time.
What does CIAO stand for?
CIAO is an acronym for Common Information Assurance Oversight Standard. The name also carries a deliberate resonance with information security: it extends the classic CIA triad — Confidentiality, Integrity, and Availability — by adding a fourth dimension, Operations, reflecting that compliance must sustain governance across the entire organisation, not just protect data. The name CIAO captures both the standard’s scope and its philosophy in one word.
Is CIAO Standard an official certification body?
CIAO Standard is a governance and compliance reference framework, not a certification body. It does not issue ISO certificates or replace accredited auditors. Instead, it provides the structured policy and control documentation that helps your organisation prepare for and maintain compliance with recognised standards. Think of it as the intelligence layer that sits behind your compliance programme.
Which frameworks does CIAO map to?
CIAO Standard maps to a growing library of frameworks and regulations. The frameworks included in your mapping coverage depend on your membership tier — each tier unlocks a broader set of aligned standards. All mappings are actively maintained and updated as frameworks publish new versions or revisions, so your compliance posture stays current automatically.
- Commons tier: Access to foundational open governance documents aligned to core principles of ISO/IEC 27001 and NIST CSF.
- Standard & Essential tiers: Expanded mappings including GDPR, POPIA, and additional control domains across ISO 27001:2022 and NIST CSF 2.0.
- Professional tier: Broader framework coverage including SOC 2 Type II alignment and sector-specific guidance.
- Enterprise & Conglomerate tiers: Full framework library including COBIT 2019, emerging standards, and newly ratified frameworks as they are published.
New framework mappings are added as standards are ratified and as the CIAO Standard library grows. Members always have access to the most current version of all mappings within their tier — no manual updates required.
Who is CIAO Standard designed for?
CIAO Standard is designed for small and medium-sized organisations, compliance professionals, governance teams, and managed service providers who need to demonstrate multi-framework compliance without the overhead of maintaining separate documentation sets for each standard. It is particularly well-suited to organisations that face external audit requirements but lack a dedicated compliance department.
What is the difference between the membership tiers?
CIAO Standard offers six membership tiers to match different organisational needs and budgets:
- Commons — Free public access to open governance documents and the CIAO self-assessment tool.
- Core — Entry-level access to core policy templates and framework mapping previews.
- Essential — Full access to the Organisational Policy Framework (OPF) and essential control documentation.
- Professional — Extended access including the Enterprise Control Framework (ECF) and implementation guidance.
- Enterprise — Full platform access with white-label options and dedicated support.
- Conglomerate — Multi-entity access for organisations managing compliance across multiple subsidiaries or divisions.
Can I reference CIAO policies in external audits?
Yes. One of the core use cases for CIAO membership is the ability to reference CIAO Core policies directly to external auditors. Members receive structured, versioned policy documents that are designed to be audit-ready. This means your organisation can point an auditor to a CIAO-compliant policy set rather than producing documentation from scratch for each audit cycle.
Is my data safe on the CIAO platform?
Yes. The CIAO platform is built on a secure, access-controlled infrastructure. Member content is protected by role-based access and encrypted connections. The platform itself adheres to the same principles it promotes — the CIAO standard is practiced, not just preached.
How do I get started?
Start with the free Commons tier to explore the open governance documents and complete the CIAO self-assessment. When you are ready to access the full framework, choose the membership tier that fits your organisation and register through the membership portal. If you are unsure which tier is right for you, the self-assessment tool will recommend the most appropriate starting point.
How do I contact CIAO Standard?
For membership enquiries, partnership discussions, or technical support, please use the contact form available on this site. All enquiries are handled by the CIAO Standard governance team and responded to within 2 business days.
Choosing Your Tier
Which CIAO tier should my organisation start with?
Start at the tier that matches your present compliance maturity, not the tier that matches your ambition. An organisation of 30 people with no existing policy framework should begin at Commons to understand the architecture, then move to Core or Essential. Tier inheritance means every paid tier includes everything beneath it — so moving up never means losing what you have already built. The Compliance Readiness Self-Assessment, linked from the homepage, walks you through the three decision factors (size, maturity, regulatory exposure) and recommends a tier in under five minutes.
Can we skip tiers — can a 500-person organisation go straight to Enterprise?
Yes, and sometimes that is the right decision. Tier selection is not obligatory progression; it is fit-to-requirement. A 500-person organisation with existing ISO 27001 certification, active compliance staff, and multi-framework obligations typically belongs at Enterprise from day one. What matters is whether the organisation can absorb and operate the tier’s content, not whether it has moved through intermediate tiers. If in doubt, speak with the Secretariat before selecting.
What does “per user” mean in the pricing?
A user is an individual named person with access to your organisation’s CIAO membership environment — typically compliance staff, internal auditors, or departmental policy owners. Users are not end-employees of your organisation; your employees do not need individual CIAO accounts to benefit from the policies you deploy. Enterprise and Conglomerate tiers are priced per organisation with unlimited users, removing per-user friction at scale.
Do we need to buy CIAO for every subsidiary in our group?
Not if you operate at Conglomerate tier. Conglomerate is structured around your organisational architecture specifically — one engagement covering your group structure, jurisdictions, and subsidiaries under an integrated compliance infrastructure. For group structures below the Conglomerate threshold, each subsidiary selecting an Enterprise or lower tier is the standard approach, with the Secretariat available to coordinate group-wide consistency if helpful.
What if our regulator requires a specific named framework CIAO does not yet map?
Raise it with the Secretariat. CIAO’s framework coverage grows continuously; new mappings are prioritised by member demand, regulatory materiality, and the Panel of Advisors’ judgement on substantive overlap with existing coverage. Your request is logged and considered, and you are notified when a mapping is published. Nothing in CIAO prevents your organisation from using CIAO as its structured backbone while layering a specific regulator’s requirements on top.
Implementation and Evidence
How long does it take to deploy CIAO in our organisation?
Commons and Core are same-day operational — the policies are pre-written and deployable as-is. Essential and Professional tiers typically reach operational state in two to eight weeks depending on existing governance maturity and the number of business units involved. Enterprise-scale deployment varies with organisational complexity and whether existing frameworks are being consolidated; six to twelve weeks is typical. CIAO’s design goal is to compress deployment time by eliminating the policy-drafting phase of compliance work.
What evidence does CIAO give us for auditors?
Every policy and framework deployed through CIAO is written to satisfy auditor evidence expectations directly. Core and Essential tier policies are classified PUBLIC — meaning you share them with auditors, clients, tender committees, and supply chain partners without redaction. Higher tiers add operational framework documentation (ICU, ECF, IMS manuals) that supplies the procedural and control-level evidence auditors require. The Document Registry indexes what exists, and forthcoming work maps each document to minimum viable evidence expectations per audit framework.
Does CIAO replace our existing compliance team?
No. CIAO removes the documentation-drafting burden and the cross-framework normalisation burden from your compliance team so that their time concentrates on judgement-requiring work — risk analysis, incident response, regulator engagement, strategic alignment. Organisations that deploy CIAO typically reallocate compliance staff time upward, not downward. The Standard is a productivity multiplier on your existing team, not a substitute.
Can we modify CIAO policies for our context?
Yes. The content you receive is licensed under tier-appropriate terms (detailed on the Multitier Licensing page). You adapt organisational names, jurisdictional references, and scope statements to fit your context. You do not republish modified CIAO content as original or redistribute it outside your organisation’s scope, and you retain the attribution and licensing notices where required. The Multitier Licensing page sets the exact permitted-use boundaries per tier.
What happens when frameworks we rely on are updated?
CIAO maintenance tracks underlying frameworks as they publish revisions — ISO 27001:2022 replacing 27001:2013, NIST CSF 2.0 replacing 1.1, GDPR guidance updates, national data-protection amendments, and so on. Updated mappings publish automatically to your tier. Your organisation does not need to track framework revisions independently; CIAO absorbs the tracking work so your policy suite stays current without your intervention.
Governance and Membership
Who governs CIAO?
CIAO is maintained by the CIAO Standard Secretariat under the terms of the published Governance Charter. The Standard’s normative content is overseen by the CIAO Oversight Board, which governs all mandatory content and approves material changes. An international Panel of Advisors provides expert review across the Standard’s nine governance domains and contributes to editorial oversight of the Governance Journal and Annual Conference. Each of these bodies has a published mandate and transparent operating rules.
How is CIAO funded?
CIAO is funded by tier membership revenue. There are no advertiser relationships, no paid-placement arrangements in the Standard’s content, and no hidden sponsorship. The Commons tier is permanently free and funded by paid-tier revenue as a public-good contribution. This funding model is designed to keep the Standard’s normative decisions independent of any single commercial interest — the incentive alignment is toward the Standard’s long-term credibility, not short-term revenue.
Can we pay in local currency, and how do refunds work?
Pricing is denominated in Euros. Payment in major currencies is accepted via standard processors; invoicing in local currency is available for Enterprise and Conglomerate engagements by arrangement. Refunds within the first 30 days of paid-tier activation are available at full value, with a pro-rated refund schedule thereafter per membership terms. Enterprise and Conglomerate engagements follow contract-specified terms. Full terms live on the Usage Terms page.
Practitioners, Partners, Certification
How do I become a CIAO Practitioner?
The Practitioner certification programme opens with its inaugural cohort in 2028. Until then, organisations and individuals interested in Practitioner-level recognition can register interest via the Practitioners Guidelines page. The programme covers the CIAO architecture, deployment practice, framework mapping, and ongoing maintenance discipline. A continuing professional development attestation, a public Register of certified Practitioners, and a defined disciplinary process are all part of the programme design. Full syllabus and fee structure publish ahead of each cohort.