Protected Framework
This framework is protected under CC BY-NC-ND 4.0 — patent pending. See Multitier Licensing.
🟢 Commons — Visible to all members
1. Organisational Controls
These establish governance, accountability, and cultural alignment.
- Governance & Accountability
  - Board oversight committees for information security and risk.
  - Defined roles (CISO, Incident Response Manager, Vendor Risk Manager, etc.).
  - Quarterly reporting to Audit & Risk Committees.
  - Supplier collaboration clauses in contracts.
- Risk Management
  - Regular risk assessments (ISO 27001 Clause 6.1.2).
  - Documented risk treatment plans (avoid, mitigate, transfer, accept).
  - Integration into enterprise risk registers.
  - Shared risk registers with strategic partners.
- Policies & Standards
  - Acceptable Use Policy (aligned with ISO 27001 Annex A.8.1).
  - Vendor risk management policies (ISO 27001 Annex A.15.1).
  - HR security policies (screening, confidentiality, termination procedures).
  - Cryptography standards (AES-256, RSA-2048, SHA-256).
- Training & Awareness
  - Mandatory annual training for all employees.
  - Role-specific training (IT admins, HR managers, incident responders).
  - Phishing and social engineering simulations.
  - Vendor training attestations included in contracts.
🟠 Professional — Professional membership and above
2. Technical Controls
These enforce security through systems, monitoring, and automation.
- Access Control
  - Role-based access control (RBAC).
  - Multi-factor authentication (MFA).
  - Privileged access monitoring.
  - SIAM v4 guidance for multi-vendor environments.
- Cryptography
  - Encryption of data at rest and in transit (AES-256).
  - Secure key management lifecycle (ISO/IEC 27017 & 27018).
  - Cryptographic monitoring for failures and anomalies.
  - AI system encryption safeguards (ISO/IEC 42001:2023).
- Monitoring & Oversight
  - SIEM integration for event logging and anomaly detection.
  - Quarterly vendor audits and compliance dashboards.
  - Incident detection metrics (time to detect, escalate, resolve).
  - Cryptographic key lifecycle monitoring.
- Incident Response & Continuity
  - Documented escalation flowcharts.
  - Breach notification templates (GDPR, HIPAA, POPIA).
  - Business impact analysis and continuity exercises.
  - Vendor participation in incident response drills.
- Physical Security
  - Badge and biometric access systems.
  - CCTV and visitor log monitoring.
  - Environmental safeguards (fire suppression, flood detection).
  - Quarterly facility inspections.
- HR Security
  - Automated access revocation upon termination.
  - Insider threat monitoring systems.
  - Confidentiality agreement tracking.
  - Workforce compliance dashboards.
3. Compliance & Oversight
These ensure adherence to laws, regulations, and standards.
- Compliance Framework
  - GDPR, POPIA, HIPAA, PCI DSS, SOC 2, ISO 27001/27701/22301.
  - Cloud privacy compliance (ISO/IEC 27018).
  - Cybercrime compliance (South Africa Cybercrimes Act, Mauritius Cybercrime Act).
  - Sector-specific compliance (healthcare, finance).
- Audit & Reporting
  - Quarterly compliance reports to governance committees.
  - Annual external audits (ISO, SOC 2, PCI DSS).
  - Continuous monitoring dashboards for regulators and stakeholders.
⚫ Enterprise & Conglomerate — Implementation artifacts
Enterprise and Conglomerate implementation content will be added here.
Verified 29 May 2026 at 15:51 UTC · Version 1.0 · Always current at c-ao.com · © CIAO Standard Secretariat 2026