Your organisation needs to satisfy ISO 27001. And GDPR. And POPIA — or HIPAA, or PCI-DSS, or SOC 2. Each framework arrives with its own control catalogue, its own documentation requirements, its own audit process, and its own terminology. None of them talk to each other. None of them acknowledge the others exist.

So your governance team builds the same policies three times. Collects the same evidence four times. Prepares for the same audit five times. With slightly different labels on everything.

This is not a governance failure. It is an architectural gap.

The Missing Layer

The compliance ecosystem has a structural problem that no existing framework has formally addressed.

ISO 27001 defines information security controls — excellently. NIST CSF defines cybersecurity risk governance functions — rigorously. COBIT defines enterprise governance principles — comprehensively. GDPR defines data protection obligations — definitively.

But none of them define how to govern all of them simultaneously.

Even the NIST crosswalks — the best attempt at framework reconciliation to date — are only mappings. They show you where ISO 27001 A.5.1 and NIST CSF GV.PO-01 point at the same thing. They do not give you a governance model to operate across both at once.

The result is what we call compliance fragmentation: parallel systems, duplicated effort, and governance capacity consumed by administrative reconciliation rather than actual risk reduction.

What CIAO Is

CIAO — Common Information Assurance Oversight — is a governance meta-standard designed to occupy the layer above existing frameworks.

It does not replace ISO 27001, NIST CSF, SOC 2, GDPR, or POPIA. It governs them collectively.

CIAO operates at the apex of a five-layer governance architecture:

  • Layer 5 — Assurance Oversight — CIAO
  • Layer 4 — Framework Coordination — CIAO
  • Layer 3 — Unified Control Library — CIAO + Frameworks
  • Layer 2 — Policy & Evidence System — Organisation
  • Layer 1 — Operational Controls — Organisation

Layers 1 through 3 have been well-served by existing frameworks for decades. Layers 4 and 5 — the coordination and oversight layers — have been left unoccupied. CIAO occupies them.

The "O" in CIAO

The name is deliberate.

The classical CIA triad — Confidentiality, Integrity, Availability — defines the three core properties of information security at the system level. It is the foundation of every major framework in the field.

CIAO extends this model to the governance level by adding a fourth dimension: Operations.

Confidentiality, Integrity, and Availability describe what must be protected. Operations describes how governance is executed, monitored, and demonstrated across frameworks.

CIAO is not merely a conceptual extension of the CIA triad. It is its governance architecture.

The Control Equivalence Taxonomy

The architectural heart of CIAO is its GOV control series — a unified taxonomy of governance obligations that spans multiple frameworks simultaneously.

Here is a small example:


Where ISO 27001 defines A.5.1, NIST defines GV.PO-01, and GDPR defines Article 24 — all pointing at the same underlying governance obligation — CIAO defines a single unified control: GOV-001 (Information Governance Policy).

One control. Five frameworks. One governance action.

The full public seed table — GOV-001 through GOV-015 — is available free in the CIAO Commons tier at c-ao.com.
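To make the equivalence idea concrete, here is an added Python sketch (not code from the CIAO Standard or from c-ao.com) of a unified control library: given the frameworks an organisation is in scope for, it returns which unified controls to execute, which framework references each one discharges, and which in-scope frameworks the library does not yet cover. Only GOV-001 and its ISO 27001, NIST CSF and GDPR references come from this page; the second control and its references are constructed placeholders so the deduplication is visible.

```python
"""Unified control library in the style of the GOV series.

Added illustration, not the CIAO Standard's own data or tooling. GOV-001 and its
three references are taken from the article; GOV-XXX is a constructed placeholder.
"""

CONTROL_LIBRARY = {
    "GOV-001": {
        "title": "Information Governance Policy",
        # framework name -> reference in that framework's own catalogue
        "equivalents": {
            "ISO 27001": "A.5.1",
            "NIST CSF": "GV.PO-01",
            "GDPR": "Article 24",
        },
    },
    "GOV-XXX": {  # constructed placeholder, not a real GOV-series control
        "title": "Placeholder control (constructed)",
        "equivalents": {
            "ISO 27001": "A.PLACEHOLDER",
            "NIST CSF": "GV.PLACEHOLDER",
        },
    },
}


def plan_governance(library, frameworks_in_scope):
    """Return (actions, unmatched).

    actions: unified control id -> {framework: reference} for every in-scope
             framework that control discharges (one action, many obligations).
    unmatched: in-scope frameworks that no unified control maps to yet, i.e.
             coverage gaps the library owner must close before relying on it.
    """
    actions, covered = {}, set()
    for control_id, control in library.items():
        hits = {fw: ref for fw, ref in control["equivalents"].items()
                if fw in frameworks_in_scope}
        if hits:
            actions[control_id] = hits
            covered.update(hits)
    return actions, sorted(set(frameworks_in_scope) - covered)


def framework_crosswalk(library, framework):
    """Reverse view for one framework's auditor: its reference -> unified control."""
    return {c["equivalents"][framework]: cid for cid, c in library.items()
            if framework in c["equivalents"]}


def obligations_collapsed(library, frameworks_in_scope):
    """Framework obligations discharged minus unified actions executed."""
    actions, _ = plan_governance(library, frameworks_in_scope)
    return sum(len(h) for h in actions.values()) - len(actions)
```

Running `plan_governance` with SOC 2 in scope reports it as unmatched, which is the honest answer when the library has no mapping for a framework rather than silently claiming coverage.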

Why This Matters Now

Regulatory obligations are not consolidating. They are multiplying.

Organisations operating in multiple jurisdictions, or across multiple sectors, now routinely face four, five, or six simultaneous compliance regimes. The administrative burden of managing these in parallel is becoming structurally unsustainable for any organisation without a dedicated compliance department — which means it is already unsustainable for the vast majority of organisations that need it most.

A meta-framework that genuinely solved the coordination problem would not just reduce cost. It would democratise governance capability — giving smaller organisations the same audit-readiness that currently requires teams and consultants they cannot afford.

That is what CIAO is designed to do.

Where CIAO Sits Today

CIAO Standard v1.0 is published and publicly accessible.

The Commons tier is permanently free and includes:

  • The full CIAO governance architecture and 5-layer model
  • The Open Principles
  • The GOV Seed Table (GOV-001 to GOV-015) with cross-framework mappings
  • A framework comparison overview

Paid tiers provide the operational policy libraries, evidence mapping workbooks, and sector-specific overlays that operationalise the architecture within an organisation.


The Conglomerate tier is the foundation of the CIAO partner delivery model. Certified partners receive a fully branded compliance portal — their own logo, their own subdomain — powered invisibly by CIAO infrastructure. It is how a regional governance consultancy can offer enterprise-grade compliance services to its clients without building any infrastructure of its own.

The CIAO Standard is grounded in doctoral-level research in cybersecurity governance strategy, including the Cybersecurity Value Chain (CVC) framework, the CV² validation methodology, and the CV²-SmF Strategic meta-Framework — original research contributions that establish the theoretical underpinning for CIAO's multi-framework coordination model.

An Open Invitation

CIAO is not finished. No version 1.0 of anything important ever is.

The GOV taxonomy will grow. Sector-specific overlays will be added. The academic foundation will be published. The partner network will expand.

But the architectural gap is real. The need is real. And the work has started.

If you work in compliance, governance, or cybersecurity — at any scale, in any sector — the CIAO Standard is for you. Start with Commons. It costs nothing.

Explore the CIAO Standard → c-ao.com/ciao-standard-v1–0

CIAO — Common Information Assurance Oversight — is licensed under Creative Commons CC BY-SA 4.0. CIAO Standard v1.0 | March 2026 | www.c-ao.com
