CIAO Core — the Common Information Assurance Oversight Standard — is built on a single principle: your organisation should not have to manage multiple separate compliance programmes when one well-structured framework can satisfy them all. CIAO maps to the most common frameworks and regulations in use today, and the breadth of that mapping grows with your membership tier as new frameworks are added and existing ones evolve.
How CIAO Framework Mapping Works
Each CIAO control domain is cross-referenced against the requirements of multiple frameworks. When your organisation implements a CIAO control, that single piece of work contributes to compliance with every framework mapped to your tier, from ISO 27001 and NIST CSF through to GDPR, POPIA, and beyond. One caveat applies to any cross-framework mapping: a mapping shows which requirement a control addresses, not that the requirement is automatically met. An auditor still assesses the target framework's wording, so the evidence you keep for a CIAO control should be written to satisfy the strictest requirement it is mapped to. As your membership tier grows, so does the number of frameworks covered, and as those frameworks are updated and revised over time, the CIAO Standard evolves with them, so your compliance posture stays current without requiring you to start again.
CIAO Control Domains
CIAO Standard organises controls across four core domains, one per letter of the acronym, each corresponding to a critical area of organisational governance:
| CIAO Domain | Description |
|---|---|
| C — Confidentiality | Access control, data classification, identity management, and information handling policies. |
| I — Integrity | Change management, audit trails, data validation, and system integrity monitoring. |
| A — Availability | Business continuity, disaster recovery, redundancy planning, and service level governance. |
| O — Operations | Operational procedures, incident response, vendor management, and workforce governance. |
Framework Coverage Preview
The table below shows a representative sample of how selected CIAO controls align with requirements across four major frameworks. Full mapping documentation is available to Essential tier members and above.
| CIAO Control Reference | Control Summary | ISO 27001:2022 | NIST CSF 2.0 | GDPR | POPIA |
|---|---|---|---|---|---|
| CIAO-C-01 | Access Control Policy | A.5.15, A.8.2 | PR.AA-01 | Art. 25, 32 | Section 19, 22 |
| CIAO-C-02 | Data Classification | A.5.12, A.5.13 | ID.AM-05 | Art. 30 | Section 14 |
| CIAO-I-01 | Change Management | A.8.32 | PR.PS-01 | Art. 32 | Section 19 |
| CIAO-I-02 | Audit Logging | A.8.15, A.8.17 | DE.AE-03 | Art. 30, 33 | Section 22 |
| CIAO-A-01 | Business Continuity | A.5.29, A.5.30 | RC.RP-01 | Art. 32 | Section 19 |
| CIAO-A-02 | Backup and Recovery | A.8.13 | PR.DS-11 | Art. 32 | Section 19 |
| CIAO-O-01 | Incident Response | A.5.24, A.5.25 | RS.MA-01 | Art. 33, 34 | Section 22 |
| CIAO-O-02 | Supplier Management | A.5.19, A.5.20 | GV.SC-05 | Art. 28 | Section 21 |
This is a representative preview. The full CIAO framework mapping covers 60+ controls across all four domains. Framework coverage grows with your membership tier: Commons members access foundational mappings, while Essential, Professional, and Enterprise tiers progressively unlock deeper framework alignment, including SOC 2 (the AICPA Trust Services Criteria, the basis of a Type II report), COBIT 2019, and newly ratified standards as they emerge. All mappings are maintained and updated as source frameworks publish revisions; the NIST CSF column above, for example, uses CSF 2.0 identifiers rather than the 1.1 identifiers they replaced.
Why This Matters
Most organisations spend significant time and budget maintaining separate documentation sets for each framework they are required to comply with. A single change, such as a new access control policy, may need to be reflected across five different compliance registers. CIAO removes this duplication by providing a single master control set that is already mapped to all relevant frameworks, so the policy is written once and the evidence for it is collected once.
For organisations facing their first external audit, CIAO provides an audit-ready policy library that can be referenced directly. For organisations already compliant with one framework, CIAO shows exactly which additional controls are needed to satisfy the next.
Access the Full Framework Mapping
The complete CIAO framework mapping — including all control references, implementation guidance, and evidence templates — grows with your membership tier. Commons members access the open governance foundation. Essential tier and above unlocks the full cross-framework control library. As frameworks are revised and new standards emerge, CIAO Core members receive updated mappings automatically — your compliance investment keeps pace with the world. Start with Commons for free →