Practitioners Guidelines

CIAO COMMONS — GUIDELINES
C-AO/PRG/001:2026 PUBLIC
Practitioners Guidelines of the CIAO Standard
Date Issued  1 January 2026
Review Date  1 January 2027
Cite as: CIAO Standard. (2026). Practitioners Guidelines. v1.0. C-AO/PRG/001:2026. www.c-ao.com
🟢 Commons — Visible to all members

The CIAO Standard Practitioner services are delivered exclusively through our certified partner network. This page sets out the requirements, structure, and commercial framework for individuals seeking to become CIAO Standard Practitioners. A CIAO Standard Practitioner membership programme adds credibility in the combined information assurance discipline and improves skills marketability. If you are interested in becoming a CIAO Standard Practitioner member, please watch this space for developments in our Practitioner membership programme.

1. Purpose and Scope

This guideline document provides the requirements for Practitioner members within the C-AO.com ecosystem. It also provides the Practitioner scoping and agreement expectations, and a listing of Practitioners below.

2. Approach to Use to be a Practitioner

🔵 Core — Core membership and above

Consider experience, scale, and scope of the CIAO Standard implementation. The CIAO Practitioner Levels are at a minimum a 1:1 mapping to CIAO Membership tiers. Alternatively, a Practitioner Level could mean being able to practice in more than one Membership Tier. A minimum ratio of trained Practitioners to Employees of at least 1:100 applies. The Practitioner qualifications are described below per Practitioner Level Tier.

Being a Practitioner means that an individual has the necessary training, skill, and real-life implementation practice in organisations of scope up to the highest corresponding membership tier.

For Practitioners above Commons Practitioner level, proof must be submitted on an annual basis showing sufficient evidence of being employed by a corresponding CIAO member organisation and of having a job role with significant CIAO responsibilities or influence.

2.1. The CIAO Commons Practitioner Level

The CIAO Standard Commons Practitioner level is for Practitioners that are Individuals who would primarily be employed by, or consult to, the CIAO Commons membership market.

The Practitioner’s Employer organisation or Contracted consulting engagement organisation must be at least subscribed to the CIAO Commons membership tier and;

0% commission unless higher membership tiers are purchased within the first year of membership. Commissions on first year membership upgrades will be as per the Practitioner levels below, divided by 100 to the Practitioner that has introduced or upgraded their organisation through the CIAO Standard Partner and confirmed membership tier subscribed to.

2.2. The CIAO Core Practitioner Level

The CIAO Core Practitioner level is for individuals who would primarily be employed by, or consult to, organisations in the CIAO Core membership market (1–10 employees). The Practitioner’s employer or contracted organisation must hold at least a Core membership and confirm the Practitioner’s role involves CIAO-related implementation. Qualification criteria and commission structure for this level are currently being formalised. Registration of interest opens when this tier becomes active.

2.3. The CIAO Essential Practitioner Level

The CIAO Essential Practitioner level is suited to individuals consulting to or employed by small-to-medium organisations (10–100 employees) building structured governance foundations. The Practitioner’s employer or contracted organisation must hold at least an Essential membership. Qualification criteria and commission structure for this level are currently being formalised. Registration of interest opens when this tier becomes active.

2.4. The CIAO Professional Practitioner Level

The CIAO Professional Practitioner level is suited to governance consultants and compliance professionals serving mid-sized organisations (100–1,000 employees) managing multiple frameworks simultaneously. The Practitioner’s employer or contracted organisation must hold at least a Professional membership. Qualification criteria and commission structure for this level are currently being formalised. Registration of interest opens when this tier becomes active.

2.5. The CIAO Enterprise Practitioner Level

The CIAO Enterprise Practitioner level is suited to senior compliance professionals and governance leads serving large organisations (1,000–10,000 employees) with complex, multi-framework programmes. The Practitioner’s employer or contracted organisation must hold at least an Enterprise membership. Qualification criteria and commission structure for this level are currently being formalised. Registration of interest opens when this tier becomes active.

2.6. The CIAO Conglomerate Practitioner Level

The CIAO Conglomerate Practitioner level is for senior practitioners advising organisations of more than 10,000 employees, or multi-entity conglomerates spanning multiple jurisdictions. The Practitioner’s employer or contracted organisation must hold a Conglomerate membership. Qualification criteria and commission structure for this level are currently being formalised. Registration of interest opens when this tier becomes active.

3. The C-AO.com Practitioners

The C-AO.com Practitioners are listed below (with their highest Practitioner level only; sub-levels per Practitioner are not listed).

APAC

LATAM

NORAM

EMEA

⚫ Enterprise & Conglomerate — Implementation artifacts

Enterprise and Conglomerate implementation content will be added here.

4. Professional Conduct and Standing

4.1 Standards of Professional Practice. A CIAO Standard Practitioner acts with competence, honesty, and confidentiality in all engagements. Practitioners apply the Standard in the best interests of the client, maintain technical currency through continuing professional development, and disclose conflicts of interest at the earliest opportunity. Practitioners represent the Standard truthfully and do not overstate their certification scope, the maturity of the Standard’s provisions, or their individual authority within it.

4.2 Certification Pathway. Certification of CIAO Standard Practitioners is structured across the Commons, Core, Essential, Professional, Enterprise, and Conglomerate levels set out in Section 2. The examination, competency framework, accredited training requirements, and recertification cycle are under development and will be published on this page ahead of each cohort. The inaugural certification cohort is targeted for 2028, coinciding with the inaugural CIAO Conference and the inaugural issue of the CIAO Journal, so that the first cohort of certified Practitioners is visible within the first annual cycle of the Standard’s convening and publication activities. Individuals and partner organisations may register expressions of interest ahead of the inaugural cohort.

4.3 Continuing Professional Development. Certified Practitioners submit an annual CPD attestation to the Secretariat, confirming continued engagement with the Standard, relevant practice, and the wider field of information assurance governance. The attestation format is published ahead of each annual cycle. Practitioners who do not submit an attestation within the specified window are placed on inactive status and removed from the public Register until the attestation is submitted.

4.4 Register of Practitioners. The Secretariat maintains a public Register of certified CIAO Standard Practitioners. The Register records the practitioner’s name, certification level, certification date, sectoral experience, and jurisdictional focus where the practitioner consents to its publication. The Register is searchable by certification level, sector, and jurisdiction. Practitioners on inactive status, or whose certification has been suspended, revoked, or withdrawn, are removed from the Register accordingly. The Register is published openly as a credibility signal for clients engaging CIAO implementation services.

4.5 Disciplinary Process. Allegations of misconduct against a certified Practitioner — including breach of confidentiality, misrepresentation of the Standard, breach of the Code of Practice, or conduct damaging to the integrity of CIAO — are referred to the Oversight Board. Disciplinary matters are handled under Code of Practice Article 7 and Governance Charter Article 5.10. Proportionate sanctions include written warning, mandatory remediation, suspension of certification, revocation of certification, and public notice of revocation. A sanctioned Practitioner may appeal once to the full Oversight Board within thirty (30) days of the decision.

4.6 Ethics Declaration. Certified Practitioners submit an annual declaration of compliance with the Code of Practice, alongside the CPD attestation. The declaration is a condition of remaining on the Register. Material misstatement in an ethics declaration is itself a disciplinary matter under clause 4.5.

5. Engagement and Boundaries

5.1 Dual Position. A CIAO Standard Practitioner is certified as an individual. For client engagements delivered in the name of the Standard, the Practitioner must be affiliated with a certified CIAO Partner. The certification attaches to the individual; the commercial engagement attaches to the Partner. A Practitioner may move between Partners without affecting their individual certification, subject to notification of the Secretariat for the purposes of the Register.

5.2 Client Confidentiality. Practitioners hold all client information received in the course of an engagement in strict confidence, and do not disclose client information outside the engagement without the client’s written consent. This obligation survives the termination of the engagement and the Practitioner’s affiliation with the engaging Partner.

5.3 Independence from Commercial Incentives. Where a Practitioner renders a professional opinion in the name of the CIAO Standard — including gap assessments, compliance findings, framework mappings, and implementation recommendations — the opinion reflects the Practitioner’s independent judgement under the Standard. The Practitioner does not adjust professional opinions to favour the commercial interests of the engaging Partner. Where a Partner’s commercial offering is relevant to an implementation recommendation, the Practitioner discloses the Partner’s interest.

5.4 Conflict-of-Interest and Recusal. Practitioners declare personal, familial, or financial interests that could reasonably be perceived as influencing a professional opinion rendered under the Standard, and recuse themselves from matters where the conflict cannot be satisfactorily managed through disclosure alone. Declarations are made to the engaging Partner at the outset of each engagement and updated as circumstances change.

5.5 Separation from Panel Advisor Role. Where a Practitioner also serves on the Panel of Advisors, the two capacities are treated as separate. Advisory opinions issued through the Panel are not influenced by the Practitioner’s client engagements, and a Practitioner’s client work is not influenced by confidential matters considered by the Panel in advisory or editorial session. The Practitioner observes the recusal obligations of both roles concurrently.

Volunteer-only governance. All CIAO Standard governance roles — Secretariat, Oversight Board, Panel of Advisors, Regional Partners — are unremunerated.
● LIVE CONTENT  ·  Verified 15 May 2026 at 09:50 UTC  ·  Version 1.0  ·  Always current at c-ao.com  ·  © CIAO Standard Secretariat 2026