1. Why Architecture Matters
The CIAO Standard’s promise to its members is depth — a documented progression from foundational reference Manuals at the Core tier through to bespoke group-level extensions at the Conglomerate tier. The canonical tier comparison sets out what each tier costs and unlocks. This page sits beside it and explains how the unlocks are structured: the architectural spine that organises CIAO content, the artefact types that populate that spine, and the relationship between tier price and content depth.
Members reading this page should leave with a clear answer to three questions: what does CIAO content look like at every level of detail; which artefacts a given tier exposes; and how source-standards mapping overlays this architecture so that organisations adopting different standards portfolios see relevant content first.
2. The CAO Domain Spine
CIAO content is organised across nine canonical CAO domains. Each domain represents a coherent area of organisational governance — information security, data protection and privacy, governance and risk, business continuity and disaster recovery, vendor and third-party risk, and so on through the canonical set. Domains are numbered consecutively (CAO-000, CAO-100, CAO-200, and onward), creating a stable referenceable spine that is independent of tier and of source-standards portfolio.
Within each domain, content is layered from the most strategic to the most operational. The numbering convention extends below the domain root to denote artefact type: the X00 root anchors the domain Manual, X01 anchors the domain’s Operating Policy Framework, X02 anchors its Enterprise Control Framework, X10 through X90 anchor Sub-Policies, two-digit anchors below those denote Processes, three- and four-digit anchors denote Procedures, and the deepest level of the hierarchy anchors Implementation artefacts. The numbering is independent of membership tier; the same artefact carries the same identifier whether seen by a Core member or a Conglomerate member. What changes between tiers is which artefacts are visible at all.
3. The Content Ladder
Each CAO domain contains the following artefact types, in order of increasing operational specificity:
Manual. The foundational reference document for the CAO domain. Defines scope, terminology, and core concepts. Sets the conceptual frame against which all other artefacts within the domain are interpreted. There is one Manual per CAO domain.
Operating Policy Framework (OPF). Articulates the organisational policy positions for the CAO domain. The OPF sets out what the organisation has decided to do as a matter of policy, expressed in language suitable for executive sign-off and for downstream operational interpretation.
Enterprise Control Framework (ECF). Translates policy positions into specific control requirements. Each control is identified, scoped, and made auditable. The ECF is the bridge between executive policy commitment and operational implementation.
Sub-Policies. Where a CAO domain spans multiple operationally distinct sub-areas, Sub-Policies refine the OPF for each sub-area. Each Sub-Policy carries its own Sub-Policy ECF where appropriate, allowing fine-grained control specification within the CAO domain.
Processes. The operational sequences through which controls are exercised. A Process describes the activity, its triggers, its participants, and its expected outputs. Processes are the operational expression of ECF requirements.
Procedures. Step-by-step instructional documentation derived from Processes. A Procedure is what an individual practitioner consults to execute the work; it is the most operational layer of routine documentation.
Implementation artefacts. Templates, checklists, registers, evidence schemas, and supporting documentation that practitioners use as they execute Procedures. Implementation artefacts are bundled into Implementation Documentation Frameworks (IDFs) for ease of distribution.
Aggregate frameworks (OPF, ECF, IDF). Cross-domain compositions that gather the per-domain artefacts of a given type into a single integrated reference. The Aggregate OPF presents all domain OPFs as one document; the Aggregate ECF presents all domain ECFs; the Aggregate IDF gathers all implementation artefacts. Aggregates are useful at the higher tiers where members operate across many or all CAO domains simultaneously.
Bespoke group-level extensions. At the Conglomerate tier, the architecture extends with bespoke artefacts authored against the specific scope, structure, and regulatory regimes of a holding group or multi-jurisdiction organisation.
4. What Unlocks at Each Tier
Commons. Members read the Standard itself and preview the structure of Manuals across all CAO domains. This is the discovery and evaluation tier; no artefact unlocks beyond preview.
Core. Members unlock the Manuals across all CAO domains. The full conceptual frame of the Standard becomes navigable; members can locate every domain and every domain’s structure.
Essential. Members add the Operating Policy Frameworks per CAO domain. Combined with the Core Manuals, this provides the policy-level architecture sufficient for an SME to articulate its governance positions across the canonical domains.
Professional. Members add the Aggregate OPF, the Sub-Policies across all CAO domains, the per-domain Enterprise Control Frameworks, and the Sub-Policy ECFs. The control architecture becomes auditable at depth; the ECF provides specific control IDs that integrate with internal audit programmes and external assessor work.
Enterprise. Members add the Aggregate ECF, the Processes across all CAO domains, the Procedures derived from those Processes, and the Aggregate Implementation Documentation Framework. The complete operational depth becomes available; large compliance functions can use the architecture as a directly deployable reference set.
Conglomerate. Members receive bespoke group-level extensions authored to their specific scope. The standard architecture remains as the canonical foundation; the bespoke extensions sit alongside it, addressing requirements specific to the group’s structure, jurisdictions, and regulatory regime.
5. Standards Mapping as an Overlay
The architecture described above is the CAO content spine. Members do not adopt CAO content in the abstract — they adopt it because their organisation is operating under one or more recognised source standards (ISO 27001, NIST CSF, GDPR, POPIA, COBIT, ITIL, SOC 2, sectoral regulation, and similar).
The Dynamic Selection Engine is the mechanism by which a member configures the source-standards portfolio relevant to their organisation. The Engine then exposes CIAO content with the relevant source-standard references surfaced. The same Manual, OPF, ECF or Sub-Policy may be viewed by two members operating under different portfolios; each will see the artefact alongside the source-standard mappings that pertain to their portfolio. The architecture is shared; the view onto it is configured per-member.
The Dynamic Selection Engine is available at every membership tier, from Commons through Conglomerate. The democratisation of standards mapping reflects the CIAO Standard’s accessibility commitment: organisations should not be priced out of the most fundamental capability of the architecture, which is knowing how their adopted standards relate to one another.
6. Choosing Your Tier
Tier selection follows two structural factors: the maturity target your organisation is working toward, and the depth of artefact your operational role requires. The canonical tier comparison captures both, providing per-tier guidance on organisation profile, compliance function, and content depth, and aligning each tier to a maturity progression range.
Members are not required to commit to the highest tier their organisation could justify. The intended trajectory is upward through tiers as the organisation’s compliance maturity grows. Core membership is the natural entry point for organisations beginning their governance journey; Essential membership marks the transition to a structured baseline; Professional, Enterprise, and Conglomerate memberships mark progressive depth of operational governance.
Licensed under Creative Commons CC BY-SA 4.0. CIAO Standard — Standard Architecture & Tier Content Depth — www.c-ao.com
Enterprise and Conglomerate-specific architectural extensions will be added here — bespoke artefacts, group-level mappings, multi-jurisdictional compositions.