Cyber-Physical Assurance Platform
A structured, evidence-led assurance platform that unifies IT and OT compliance under a single canonical control model — built for practitioners, defensible for regulators.
What C-PAP Does
C-PAP (Cyber-Physical Assurance Platform) provides organisations with a single, canonical view of their security and compliance posture across IT, OT, and converged environments. It resolves the structural problem at the heart of modern compliance: different frameworks asking for the same thing in different ways, with no mechanism to consolidate assessment, evidence, and reporting.
The platform replaces fragmented, framework-by-framework compliance programmes with a unified model where each control is assessed once, evidence is managed once, and compliance is demonstrated across every applicable framework simultaneously — with full traceability.
Three Operating Contexts
C-PAP adapts to the organisation's operating environment through three defined contexts, each with its own anchor standard, domain configuration, and capability level.
IT Compliance
Anchored to ISO/IEC 27001:2022. Mandatory domains D01–D13. Structured IT compliance with cross-framework evidence reuse.
Level 2
OT/ICS Security
Anchored to IEC 62443. Mandatory domains plus D14 OT/ICS overlay. Purpose-built governance for operational technology.
Level 3
Converged Assurance
NIST CSF 2.0 convergence lens. Full CCM: 17 domains, 418 controls. Unified IT/OT assurance under one canonical model.
Platform Capabilities
Canonical Control Model
418 controls across 17 domains, cross-mapped to 85+ frameworks. The intellectual core of the platform — assess once, comply across all.
Framework Coverage
Cross-mapped to ISO 27001, IEC 62443, NCSC CAF, NIST CSF 2.0, NIS2, CIS Controls, and further sector-specific frameworks — with full control-level traceability.
Assessment Engine
Five-stage lifecycle: Identify, Assess, Plan, Treat, Assure. Structured maturity scoring, gap-to-action workflow, and evidence-based evaluation.
Reporting & Analytics
27 report templates across four groups — from board packs and regulatory submissions to operational dashboards and gap analysis.
AI Governance
Integrated AI risk and governance controls aligned to ISO/IEC 42001, NIST AI RMF, and EU AI Act requirements — managed alongside broader assurance obligations.
Technical Architecture
Five-module architecture. 100% open-source stack. Three deployment models: SaaS, private cloud, air-gapped on-premises. Zero vendor lock-in.
Five Modules
C-PAP is structured as five integrated modules, each addressing a distinct function within the assurance lifecycle.
Assessment & Evaluation
Structured maturity assessment, gap analysis, and evidence-based control evaluation.
Risk & Treatment
Risk quantification, treatment planning (Accept, Avoid, Modify, Transfer), and residual risk tracking.
Evidence & Artefacts
Evidence lifecycle management with cross-control linking and framework-specific presentation.
Reporting & Governance
Executive reporting, compliance dashboards, regulatory submissions, and trend analysis.
Integration & Automation
API-driven integration with SIEM, GRC, CMDB, ticketing, and evidence collection systems.
Deployment Models
C-PAP supports three deployment models, each designed for different operational and security requirements:
- SaaS: Cloud-hosted, managed service for organisations that prioritise speed of deployment and operational simplicity.
- Private Cloud: Dedicated instance within the organisation's cloud tenancy, providing full data sovereignty and custom integration.
- On-Premises / Air-Gapped: Self-hosted deployment for environments with strict data handling requirements, including air-gapped OT and classified networks.
Integration
C-PAP integrates with existing security and IT management infrastructure through a documented RESTful API (OpenAPI 3.0 specification).
- SIEM platforms (log and event correlation)
- GRC tools (control and risk data exchange)
- CMDB systems (asset inventory synchronisation)
- Ticketing and workflow (non-conformance tracking)
- Evidence collection (automated ingestion)