Operating Context

Converged IT/OT Assurance

Unified cyber-physical assurance across IT and OT — the platform's primary differentiator. One canonical model, one evidence base, one defensible assurance position.

The Assurance Deficit

Most organisations can demonstrate compliance. Fewer can demonstrate assurance. The gap between holding a certificate and having genuine confidence that controls are effective, evidence is current, and risk is understood — that gap is the assurance deficit.

In converged environments, this deficit is amplified. IT and OT operate under different frameworks, different risk models, different evidence cultures, and often different governance structures. Boards receive fragmented risk reporting. Regulators see inconsistent assurance artefacts. And the organisation itself has no single view of its true security posture.

C-PAP closes this gap by providing a single canonical model that spans both IT and OT, with unified assessment, evidence management, and reporting — delivering genuine assurance confidence, not just compliance documentation.

Why Convergence Matters

  • IT and OT assessed under separate frameworks with no shared control baseline
  • Board receives fragmented risk reporting from IT and OT teams independently
  • Evidence collected and managed in silos with no cross-domain reuse
  • Regulators expect unified assurance but organisations deliver patchwork artefacts
  • No mechanism to demonstrate that a single control satisfies IT and OT requirements simultaneously
  • Convergence treated as a network problem, not a governance problem

The Convergence Lens: NIST CSF 2.0

C-PAP uses NIST CSF 2.0 as the convergence lens — the framework that bridges IT-centric standards (ISO/IEC 27001) and OT-specific standards (IEC 62443) under a common risk-based structure. This is not a replacement for either framework; it is the organising principle that enables a unified view.

Through the Canonical Control Model's (CCM) mapping, every control can be viewed through multiple framework lenses simultaneously. An assessor working to ISO 27001 sees the same underlying control that an OT engineer is assessing against IEC 62443 — with full traceability and shared evidence where applicable.

Full Canonical Control Model: 17 Domains, 418 Controls

The converged operating context activates the complete CCM — all thirteen mandatory domains plus all four overlay domains (D14–D17). This provides the most comprehensive assurance coverage available through the platform.

Mandatory Domains (D01–D13)

The universal baseline covering enterprise information security governance, applicable to all operating contexts. These domains address governance, risk, assets, identity, data, networks, endpoints, applications, operations, incidents, continuity, supply chain, and compliance.

Overlay Domains (D14–D17)

  • D14 OT/ICS Security (24 controls)
  • D15 Sector Regulatory Depth (22 controls)
  • D16 Critical Infrastructure Resilience (13 controls)
  • D17 Safety-Critical Environments (13 controls)

Overlay domains are activated based on the organisation's operating environment and sector. They integrate with the mandatory baseline within a single assessment and reporting structure.

Audit Harmonisation

The single-control principle at the heart of C-PAP means that each CCM control is the definitive record of an organisation's security posture in that area, regardless of which framework lens is applied.

When multiple frameworks require the same capability (access control, logging, incident response), the CCM resolves this into a single control with explicit mappings to each framework's requirement. The result: one assessment, one evidence set, multiple framework views.

This is not abstract mapping. Each framework relationship is qualified at the individual control level, with full traceability from the CCM control to the specific clause, requirement, or objective in the target framework.

Cross-Domain Evidence Reuse

Evidence in C-PAP is a first-class object with its own lifecycle — collected once, linked to the controls it supports, and automatically presented through whichever framework view is required.

A network architecture diagram that demonstrates ISO 27001 A.8.20 compliance also demonstrates IEC 62443 zone/conduit alignment and NCSC CAF B4.a network segmentation. C-PAP makes this explicit, auditable, and maintainable over time.

For converged organisations, this eliminates the duplication, inconsistency, and evidence sprawl that characterise multi-framework compliance programmes.
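The single-control, multi-lens model described under Audit Harmonisation and Cross-Domain Evidence Reuse, as an added illustrative example (this is not C-PAP's own code or data model): one canonical control mapped to the three framework references named above, one evidence item linked to it once, a per-framework view that reports assurance status including evidence currency, and a reuse report. The control id, evidence id, collection date and validity period are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

@dataclass(frozen=True)
class FrameworkRef:
    framework: str  # e.g. "ISO 27001"
    clause: str     # e.g. "A.8.20"
@dataclass
class Evidence:
    evidence_id: str
    collected: date
    valid_days: int  # how long the artefact counts as current evidence
    def is_current(self, today: date) -> bool:
        return today <= self.collected + timedelta(days=self.valid_days)

@dataclass
class CanonicalControl:
    control_id: str
    mappings: tuple  # FrameworkRef entries this single control satisfies
    evidence: list = field(default_factory=list)

# Constructed sample: one canonical control, one evidence item, three framework lenses.
NET_DIAGRAM = Evidence("EV-001", date(2024, 1, 15), 365)  # network architecture diagram
CONTROLS = [CanonicalControl(
    "CCM-NET-01",  # hypothetical id, not a real CCM identifier
    (FrameworkRef("ISO 27001", "A.8.20"), FrameworkRef("IEC 62443", "zone/conduit alignment"),
     FrameworkRef("NCSC CAF", "B4.a")),
    [NET_DIAGRAM])]

def framework_view(controls, framework, today_iso):
    """Render one framework lens: clause -> assurance status of the control behind it."""
    today = date.fromisoformat(today_iso)
    view = {}
    for c in controls:
        for ref in c.mappings:
            if ref.framework != framework:
                continue
            current = [e.evidence_id for e in c.evidence if e.is_current(today)]
            status = "assured" if current else ("stale" if c.evidence else "no evidence")
            view[ref.clause] = {"control": c.control_id, "status": status,
                                "evidence": [e.evidence_id for e in c.evidence]}
    return view

def evidence_reuse(controls):
    """Evidence id -> every framework clause it supports (collected once, reused everywhere)."""
    reuse = {}
    for c in controls:
        for e in c.evidence:
            reuse.setdefault(e.evidence_id, set()).update(f"{r.framework} {r.clause}" for r in c.mappings)
    return reuse
```

The same evidence item satisfies all three lenses, and once its validity window lapses every lens reports it as stale at once, which is the evidence-currency signal the assurance position depends on.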

Board-Level Assurance

The converged operating context provides the full reporting capability needed for board and regulatory submissions. The Composite Assurance Position (CAP) draws together IT and OT compliance status, maturity scores, risk treatment positions, and evidence currency into a single, defensible executive view.

This is not a dashboard in the conventional sense. It is a structured assurance artefact — designed for scrutiny by boards, regulators, and assessors — that provides genuine confidence in an organisation's cyber-physical security posture.

Capability Level 3 — Cyber-Physical Assurance

The converged operating context represents C-PAP Capability Level 3 — the platform's full differentiator. At this level, organisations gain unified IT/OT governance, cross-framework evidence reuse, converged risk reporting, and the complete canonical control model.

Level 3 is the destination for organisations that need to demonstrate genuine assurance — not just compliance — across their entire technology estate. It is built on the same foundation as Levels 1 and 2, ensuring that investment at any entry point carries forward into full convergence.

Relevant Sectors

Converged IT/OT assurance is applicable across all sectors, but is particularly critical for:

Unify Your IT and OT Assurance

See how C-PAP delivers genuine converged assurance — not just converged compliance.