Protected Framework
This framework is protected under CC BY-NC-ND 4.0 — patent pending. See Multitier Licensing.
🟢 Commons — Visible to all members
1. Purpose and Scope
- Defines the overall objectives of the ISMS and governance framework.
- Integrates ISO/IEC 27001, NIST CSF, GDPR, POPIA, HIPAA, Mauritius DPA, AU Convention 108+, PCI DSS, SOC 2, King IV/V, OECD, SEBI LODR.
- Establishes scope across information security, privacy, awareness, incident response, continuity, vendor oversight, acceptable use, cryptography, physical security, and HR security.
2. Governance and Accountability
🔵 Core — Core membership and above
- Board oversight aligned with ISO/IEC 27001 Clause 5.1, King IV Principle 12, King V draft principles, UK Corporate Governance Code.
- Defined roles: CISO, Incident Response Manager, Business Continuity Manager, Vendor Risk Manager, Cryptography Officer, Facilities Security Manager, HR Security Manager.
- Reporting and review processes (quarterly to Audit & Risk Committee).
- Supplier collaboration under ISO 44001 and SIAM v4.
- Governance alignment with COSO ERM and OECD Principles.
3. Risk Management
- Risk assessment and treatment aligned with ISO/IEC 27001 Clauses 6.1.2–6.1.3, ISO 22301 Clause 8.2, COSO ERM Principle 6.
- Integration into enterprise risk registers.
- Cybercrime considerations under South Africa Cybercrimes Act and Mauritius Cybercrime Act.
- Shared risk registers with partners under ISO 44001.
- Domain‑specific risk practices across IS, privacy, awareness, incident response, continuity, vendor, acceptable use, cryptography, physical, and HR.
4. Standards and Controls
🟡 Essential — Essential membership and above
- Access control & acceptable use aligned with ISO/IEC 27001 Annex A.9, PCI DSS Req. 12.3, HIPAA, GDPR, POPIA, SIAM v4, King IV/V.
- Cryptography aligned with ISO/IEC 27001 Annex A.10, NIST CSF PR.DS, PCI DSS Req. 3–4, HIPAA, GDPR, ISO/IEC 27017, ISO/IEC 27018, ISO/IEC 42001.
- Physical security aligned with ISO/IEC 27001 Annex A.11, PCI DSS Req. 9, HIPAA, SOC 2 CC6, ISO 44001.
- HR security aligned with ISO/IEC 27001 Annex A.7, SOC 2 CC2, GDPR, King IV/V.
- Vendor controls aligned with ISO/IEC 27001 Annex A.15, NIST CSF ID.SC, SOC 2 CC9, PCI DSS Req. 12.8, GDPR, ISO 44001, SIAM v4.
- Continuity & incident controls aligned with ISO 22301, ISO/IEC 27001 Annex A.17, PCI DSS Req. 12.11, HIPAA, NIST CSF RS/RC, ISO 44001.
- Privacy controls aligned with ISO/IEC 27701, GDPR, POPIA, Mauritius DPA, AU Convention 108+, ISO/IEC 27018, OECD, SEBI LODR.
5. Monitoring and Oversight
- Logging and monitoring aligned with ISO/IEC 27001 Annex A.12.4, SOC 2 CC7 (System Operations), NIST CSF DE.CM.
- Privacy monitoring aligned with ISO/IEC 27701, GDPR, POPIA, ISO/IEC 27017, ISO/IEC 27018.
- Training oversight aligned with ISO/IEC 27001 Annex A.7.2.2, PCI DSS Req. 12.6, SOC 2 CC6.3.
- Incident monitoring aligned with ISO/IEC 27001 Annex A.16, NIST CSF RS.CO, HIPAA.
- Continuity monitoring aligned with ISO 22301 Clause 9, COSO ERM Principle 17.
- Vendor oversight aligned with ISO/IEC 27001 Annex A.15, SOC 2 CC9, PCI DSS Req. 12.8, ISO 44001, SIAM v4.
- Governance oversight aligned with King IV/V, OECD, SEBI LODR.
6. Incident Response and Continuity
- Incident response aligned with ISO/IEC 27001 Annex A.16, NIST CSF RS, HIPAA, GDPR, POPIA.
- Continuity aligned with ISO 22301, ISO/IEC 27001 Annex A.17, PCI DSS Req. 12.11, COSO ERM.
- Vendor participation under ISO/IEC 27001 Annex A.15, PCI DSS Req. 12.8, ISO 44001, SIAM v4.
- Cryptography incidents under ISO/IEC 27017, ISO/IEC 27018, ISO/IEC 42001.
- Physical incidents under ISO/IEC 27001 Annex A.11, PCI DSS Req. 9, HIPAA.
- HR incidents under ISO/IEC 27001 Annex A.7, SOC 2 CC2, GDPR.
- Governance oversight under King IV/V, OECD, SEBI LODR.
🟠 Professional — Professional membership and above
7. Training and Awareness
- Awareness aligned with ISO/IEC 27001 Annex A.7.2.2, PCI DSS Req. 12.6, SOC 2 CC6.3.
- Privacy training aligned with ISO/IEC 27701, GDPR, POPIA, ISO/IEC 27018.
- Cybersecurity simulations aligned with NIST CSF PR.AT.
- Incident response training aligned with ISO/IEC 27001 Annex A.16, GDPR, POPIA.
- Continuity training aligned with ISO 22301 Clause 7.3, COSO ERM.
- Vendor training under ISO/IEC 27001 Annex A.15, ISO 44001, SIAM v4.
- Acceptable use training aligned with ISO/IEC 27001 Annex A.8, King V.
- Cryptography training aligned with ISO/IEC 27001 Annex A.10, PCI DSS Req. 3.6, GDPR, ISO/IEC 42001.
- Physical security training aligned with ISO/IEC 27001 Annex A.11, PCI DSS Req. 9, HIPAA.
- HR training aligned with ISO/IEC 27001 Annex A.7, SOC 2 CC2, GDPR, King IV.
8. Compliance Obligations
- Compliance registers aligned with ISO/IEC 27001 Clause 4.2, Clause 9.1, NIST CSF ID.GV, SOC 2 CC1.1.
- Privacy compliance aligned with ISO/IEC 27701, GDPR, POPIA, Mauritius DPA, AU Convention 108+, ISO/IEC 27018.
- Sector‑specific compliance: HIPAA, PCI DSS, SOC 2.
- Cybercrime compliance: South Africa Cybercrimes Act, Mauritius Cybercrime Act.
- Continuity compliance aligned with ISO 22301.
- Vendor compliance aligned with ISO/IEC 27001 Annex A.15, NIST CSF ID.SC, PCI DSS Req. 12.8, GDPR, ISO 44001, SIAM v4.
- Acceptable use compliance aligned with ISO/IEC 27001 Annex A.8, King V.
- Cryptography compliance aligned with ISO/IEC 27001 Annex A.10, PCI DSS Req. 3.6, GDPR, ISO/IEC 27017, ISO/IEC 42001.
- Physical security compliance aligned with ISO/IEC 27001 Annex A.11, PCI DSS Req. 9, HIPAA.
- HR compliance aligned with ISO/IEC 27001 Annex A.7, SOC 2 CC2, GDPR, King IV.
- Governance oversight aligned with COSO ERM, OECD, SEBI LODR.
9. Audit and Assurance
- Internal audits aligned with ISO/IEC 27001 Clause 9.2, SOC 2 CC1.1, NIST CSF ID.GV.
- Privacy audits aligned with ISO/IEC 27701, GDPR, POPIA, ISO/IEC 27018.
- Sector‑specific audits: HIPAA, PCI DSS, SOC 2 Type II.
- Cybercrime audits aligned with South Africa Cybercrimes Act, Mauritius Cybercrime Act.
- Continuity audits aligned with ISO 22301, COSO ERM.
- Vendor audits aligned with ISO/IEC 27001 Annex A.15, NIST CSF ID.SC, PCI DSS Req. 12.8, GDPR, ISO 44001, SIAM v4.
- Acceptable use audits aligned with ISO/IEC 27001 Annex A.8, King V.
- Cryptography audits aligned with ISO/IEC 27001 Annex A.10, PCI DSS Req. 3.6, GDPR, ISO/IEC 27017, ISO/IEC 42001.
- Physical security audits aligned with ISO/IEC 27001 Annex A.11, PCI DSS Req. 9, HIPAA.
- HR audits aligned with ISO/IEC 27001 Annex A.7.2.2, SOC 2 CC2.2, and GDPR Article 29.
- Governance oversight aligned with King IV Principle 14, embedding ethical treatment of employees into assurance frameworks.
- Governance integration under OECD Principles of Corporate Governance (2015), SEBI LODR Regulations (2015), and UK Corporate Governance Code (2018), ensuring transparency and accountability in audit reporting.
- Assurance outcomes reported annually to the Audit & Risk Committee and board, embedding continuous improvement into organisational culture.
10. Appendices and Governance Alignment Statement
- Appendices should provide supporting detail, references, and governance alignment statements.
- Information security mappings to ISO/IEC 27001 Annex A, NIST CSF v2.0, and SOC 2 Trust Services Criteria.
- Data protection appendices referencing ISO/IEC 27701, GDPR, POPIA, Mauritius DPA, AU Convention 108+, and ISO/IEC 27018.
- Sector‑specific appendices for HIPAA, PCI DSS v4.0, and SOC 2 Type II.
- Cybercrime appendices referencing South Africa Cybercrimes Act (2020) and Mauritius Cybercrime Act (2003/2018).
- Business continuity appendices aligned with ISO 22301, including continuity plan templates and supplier participation checklists.
- Vendor appendices referencing ISO/IEC 27001 Annex A.15, NIST CSF ID.SC, PCI DSS Req. 12.8, GDPR Article 28, ISO 44001, and SIAM v4.
- Acceptable use appendices including policy documents, disciplinary procedures, and monitoring templates, aligned with King V draft principles.
- Cryptography appendices referencing ISO/IEC 27001 Annex A.10, PCI DSS Req. 3.6, GDPR Article 32, ISO/IEC 27017, and ISO/IEC 42001.
- Physical security appendices referencing ISO/IEC 27001 Annex A.11, PCI DSS Req. 9, and HIPAA §164.310.
- HR security appendices referencing ISO/IEC 27001 Annex A.7, SOC 2 CC2, and GDPR Article 29, aligned with King IV Principle 14.
- Governance alignment statement integrating OECD Principles, SEBI LODR Regulations, UK Corporate Governance Code, King IV, and King V draft principles, demonstrating transparency, accountability, and alignment with international best practices.
⚫ Enterprise & Conglomerate — Implementation artifacts
Enterprise and Conglomerate implementation content will be added here.
Version 1.0 · Verified 9 June 2026 at 20:58 UTC · c-ao.com · © CIAO Standard Secretariat 2026