The CIAO Open Principles establish the foundational values governing how CIAO approaches information assurance compliance. These principles are designed to make structured governance accessible, proportionate, and operationally sustainable for organisations of all sizes. They reflect the academic research and professional experience underpinning the CIAO Standard, and are published openly under Creative Commons CC BY-SA 4.0 as part of the CIAO Commons tier.
This approach can extend into the wider compliance domains an organisation is subject to. The principles below aim to cut through the bureaucracy, effort and cost of compliance, which are spiralling out of reach of the average organisation's capabilities.
Standards organisations and privacy and security gurus may disagree with this approach, because it risks the revenues of the standards industry and could reduce compliance spending.
These open principles are maintained as part of the CIAO Standard (referred to below as CIAOs) and are numbered as CIAOs Open Principles (OP) for ease of reference:
CIAOs.OP.1: Private Data
OP1.1. Collection of Private Data – Do not collect private data unless the business process genuinely cannot work without it. If it is collected, have a process that identifies it, records it, notifies the data subject and removes it, scoped to exactly the step of the business process that needs it.
OP1.2. Segregating Private Data – Understand the definition of private data as set by your Information Compliance Universe (ICU). Segregate logical units of private data into separate information stores so that the identification risk is split. If the pieces are not linked, so that someone who sees one store cannot join the dots back to a person, that piece on its own is not personally identifiable information. The link between the stores then becomes the sensitive part, so keep the link key in the restricted store rather than alongside the data it points to.
CIAOs.OP.2: Confidential Data
OP2.1. Classification of Confidential Data – Do not classify everything as confidential. Have a process that validates that only genuine company intellectual property is classified confidential. Source and reference public data from accepted standard practice rather than reclassifying it.
OP2.2. Appropriating Standard Data – If your policies and processes copy text from Standards, they are not your intellectual property (IP). If the only thing added to the standard statements is your logo, do not classify the document as confidential IP. Write a more detailed, organisation-specific document that does not repeat the Standard's statements, and treat that as IP.
CIAOs.OP.3: Protecting Data
OP3.1. Scoping Data Protection – Do not protect all your data with advanced security toolsets. If only data that is genuinely confidential or private is isolated in restricted stores, security becomes cheaper, because the advanced controls have a small and well-defined scope.
OP3.2. Data Loss Prevention (DLP) – Do not protect all your data with expensive Data Loss Prevention tools. Apply DLP policies only to the segregated, isolated sensitive information stores. Data classified as public has no loss to prevent.
OP3.3. Data Encryption Differentiated (DED) – Ensure that sensitive information is held in easily identifiable information stores, and carried over identifiable communication channels, so that differentiated encryption policies can target exactly those stores and channels. Encrypting all data may not make sense when most of the total data set is not sensitive at all. Note that encryption in transit (TLS) is cheap enough to apply everywhere; the differentiation mainly concerns encryption at rest and the key management that goes with it.
OP3.4. Information Asset Agnostic – Do not waste time defining every information asset, as some standards require. Information assets are defined so widely that enterprise-grade security requirements end up applying to any information that could be seen as adding value to the business. Instead, create information stores with specific sensitivity labels and security policies that automatically apply to any information asset placed in them. The delegated authority that owns the store then applies the sensitivity, not an expensive automated classification tool.
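The following Python sketch is an added illustration of the segregation (OP1.2), differentiated encryption (OP3.3) and labelled-store (OP3.4) principles; it is not code from the CIAO Standard or from C-AO.com. The store names, the label set, the list of direct-identifier field names and the DLP value patterns are assumptions made for the example. The point it shows is that policy is attached to the store, not to each asset: a record split across a private identity store and an internal analytics store is joined only by a random token, the internal store refuses identifying fields on the way in, and the encryption and DLP controls are read off the store policies rather than decided per record.

```python
"""Segregating private data into labelled information stores.

Added example for OP1.2, OP3.3 and OP3.4; not code from the CIAO Standard.
Store names, the label set, the identifier field names and the DLP patterns
below are assumptions made for the illustration.
"""
import re
import secrets
from dataclasses import dataclass, field

# Field names treated as direct identifiers (assumed for the example).
DIRECT_IDENTIFIERS = {"name", "email", "phone", "national_id"}

# Value patterns that mark a field as identifying even under an innocuous name.
IDENTIFIER_PATTERNS = [
    re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),   # e-mail address
    re.compile(r"\+?\d[\d\s-]{8,}\d"),          # phone-like run of digits
]


@dataclass
class InformationStore:
    """A store whose label and policy apply to every asset dropped into it."""
    name: str
    label: str             # assumed label set: "public", "internal", "private"
    encrypt_at_rest: bool  # OP3.3: encryption is decided per store, not per asset
    dlp_scan: bool         # OP3.2: DLP applies only where the label warrants it
    records: dict = field(default_factory=dict)

    def put(self, key: str, record: dict) -> None:
        """Store a record after checking it belongs under this store's label."""
        self.enforce_label(record)
        self.records[key] = dict(record)

    def enforce_label(self, record: dict) -> None:
        """Refuse identifying fields in any store not labelled private."""
        if self.label == "private":
            return
        leaked = sorted(DIRECT_IDENTIFIERS & set(record))
        for name, value in record.items():
            if name in leaked or not isinstance(value, str):
                continue
            if any(p.search(value) for p in IDENTIFIER_PATTERNS):
                leaked.append(name)
        if leaked:
            raise ValueError(f"{self.name} ({self.label}): identifying fields {leaked}")


def segregate(customer: dict, identity: InformationStore, other: InformationStore) -> str:
    """Split one record so that only the identity store can join the pieces back."""
    token = secrets.token_hex(16)  # random join key, not derived from the person
    direct = {k: v for k, v in customer.items() if k in DIRECT_IDENTIFIERS}
    indirect = {k: v for k, v in customer.items() if k not in DIRECT_IDENTIFIERS}
    identity.put(token, direct)   # restricted store; this is where the link lives
    other.put(token, indirect)    # readable without learning who the person is
    return token


def stores_needing(stores: list, control: str) -> list:
    """Names of the stores whose policy switches on the given control."""
    return [s.name for s in stores if getattr(s, control)]


if __name__ == "__main__":
    identity = InformationStore("customer-identity", "private", True, True)
    analytics = InformationStore("customer-analytics", "internal", False, False)
    # Constructed sample record, not real data.
    tok = segregate({"name": "A. Example", "email": "a@example.test",
                     "plan": "gold", "region": "EU"}, identity, analytics)
    print("analytics view:", analytics.records[tok])
    print("encrypt at rest:", stores_needing([identity, analytics], "encrypt_at_rest"))
```

Someone with read access to the analytics store sees only plan and region keyed by an opaque token; joining back to a person requires access to the identity store, which is exactly the store that carries the encryption and DLP policy. The value-pattern check is deliberately crude (a long order number would also trip the phone pattern), which is why in practice it belongs on the small set of non-private stores rather than as an enterprise-wide classifier.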
CIAOs.OP.4: Policy Design
OP4.1. Proper Delegation and Approval – Do not send policy and process documents at every level to the Board or Executive Committee for approval; they do not know the operational detail. High-level policies are standards-driven: the organisation does not really approve their content, it approves that the standard is being used to achieve a goal. Clearly indicate the minimum approval required at each level, and make hierarchical delegation part of the policy design.
OP4.2. Hierarchical Delegation Policy Design – Policy creation and updates must keep an unbroken strategic alignment with organisational ethics and objectives. If a level 1 policy is signed by the Board, the Board must be comfortable that the level 2 sub-policies, level 3 processes, level 4 procedures and so on, each signed by progressively more operational managers, still achieve the same organisational ethics and objectives as the level 1 policy they review and sign.
CIAOs.OP.5: Emerging Technology
OP5.1. Emerging Technology Framework Adoption – Adopt a framework that is simple and understood at every stage of implementation.
OP5.2. AI Framework Adoption – Adopt an AI framework that secures the organisation's survival; ignoring this, or implementing it badly, can be an extensive and costly mistake. Use a simple framework that is understood from Board level down to the AI operational implementation level, such as the SHIFT-AI model or others that implement the FAIR Principles.
CIAO Open Principles Disclaimer
The principles above reflect the opinion of C-AO.com's experienced experts. They are neither law nor directives to be implemented without reasoning about their applicability to your organisational context.
© 2026 [C-AO.com].
This open version of the CIAO Standard is licensed under the Creative Commons Attribution-ShareAlike 4.0 International License.
You are free to share and adapt this material for any purpose, even commercially, provided that you give appropriate credit, provide a link to the license, and indicate if changes were made. If you remix, transform, or build upon this material, you must distribute your contributions under the same license as the original.
Enterprise and Conglomerate implementation content will be added here.