Corporate Governance Policy

CIAO ESSENTIAL — POLICY
C-AO/POL/CAO-140:2026 PUBLIC
Corporate Governance Policy
CAO-100 Governance sub-policy (CAO-140) — auto-drafted, pending panel review
Date Issued  22 June 2026
Review Date  22 June 2027
Cite as: CIAO Standard. (2026). Corporate Governance Policy. v1.1.3.7. C-AO/POL/CAO-140:2026. www.c-ao.com

1 · Purpose

This policy establishes the requirements for corporate governance policy within the CAO-100 Governance. It gives effect, in a single harmonised instrument, to the control objectives upon which recognised standards converge for this area.

2 · Scope

This policy applies to all information, systems, services, personnel and third parties within the scope of the management system.

3 · Policy statements

3.x · CAO-140 Policy Controls

outlinesatisfies·solidpartial·greyinforms

The organisation shall establish, implement and maintain a coherent and effective approach to corporate governance, giving effect to the organisational control objectives set out below.

CCPACOBIT 2019COSO ERMDORAESRSG20/OECD PrinciplesGDPRISAE 3402 Type IIISO 22301ISO 28000ISO 9001ISO/IEC 27014ISO/IEC 27018ISO/IEC 27036-2ISO/IEC 38500ITIL 4King VNIS2NIST CSF 2.0NIST SP 800-53PAIAPIPEDAPOPIASOC 2 Type IISOX (Sarbanes-Oxley Act)UK Corporate Governance CodeUK GDPR

3.1 · CAO-141 Board Leadership and Accountability

The organisation shall establish, implement and maintain effective Board Leadership and Accountability, giving effect to the organisational controls set out below.

COSO ERMDORAESRSG20/OECD PrinciplesISAE 3402 Type IIISO 22301ISO 28000ISO 9001ISO/IEC 27014ISO/IEC 38500King VNIS2NIST CSF 2.0SOC 2 Type IISOX (Sarbanes-Oxley Act)UK Corporate Governance Code

3.1.x · CAO-141 Organisational Controls

Essential taster — a preview of the Professional depth for this high-density control area.

Professional tier required. The organisational control objectives that decompose this area, and the technical controls beneath them, are revealed at Professional tier and above. Log in or view options ↗

3.2 · CAO-142 Governance Roles and Responsibilities

The organisation shall establish, implement and maintain effective Governance Roles and Responsibilities, giving effect to the organisational controls set out below.

COSO ERMG20/OECD PrinciplesGDPRISAE 3402 Type IIISO 28000ISO/IEC 27036-2King VNIST CSF 2.0NIST SP 800-53PIPEDAPOPIAUK Corporate Governance CodeUK GDPR

3.2.x · CAO-142 Organisational Controls

Essential taster — a preview of the Professional depth for this high-density control area.

Professional tier required. The organisational control objectives that decompose this area, and the technical controls beneath them, are revealed at Professional tier and above. Log in or view options ↗

3.3 · CAO-143 Board Committees

The organisation shall establish, implement and maintain effective Board Committees, giving effect to the organisational controls set out below.

G20/OECD PrinciplesUK Corporate Governance Code

3.3.x · CAO-143 Organisational Controls

Professional tier required. The organisational control objectives that decompose this area, and the technical controls beneath them, are revealed at Professional tier and above. Log in or view options ↗

3.4 · CAO-144 Stakeholder and Shareholder Engagement

The organisation shall establish, implement and maintain effective Stakeholder and Shareholder Engagement, giving effect to the organisational controls set out below.

UK Corporate Governance Code

3.4.x · CAO-144 Organisational Controls

Professional tier required. The organisational control objectives that decompose this area, and the technical controls beneath them, are revealed at Professional tier and above. Log in or view options ↗

3.5 · CAO-145 Transparency and Disclosure

The organisation shall establish, implement and maintain effective Transparency and Disclosure, giving effect to the organisational controls set out below.

CCPACOBIT 2019COSO ERMESRSG20/OECD PrinciplesGDPRISAE 3402 Type IIISO/IEC 27018ISO/IEC 38500ITIL 4King VPAIAPIPEDASOC 2 Type IISOX (Sarbanes-Oxley Act)UK GDPR

3.5.x · CAO-145 Organisational Controls

Essential taster — a preview of the Professional depth for this high-density control area.

Professional tier required. The organisational control objectives that decompose this area, and the technical controls beneath them, are revealed at Professional tier and above. Log in or view options ↗

4 · Roles & responsibilities

5 · Compliance, monitoring & review

Compliance with this policy is mandatory. This policy is reviewed at least annually, or upon significant change to the threat, regulatory or technological environment. Exceptions require documented risk acceptance by the accountable owner.

● LIVE CONTENT  ·  Verified 11 July 2026 at 17:38 UTC  ·  Version 1.1.3.7  ·  Always current at c-ao.com  ·  © CIAO Standard Secretariat 2026

Cite this page (APA)