Assessment & Assurance Engine

Structured, evidence-based assessment across the full CCM — from initial gap analysis through to continuous assurance.

Five-Stage Assurance Lifecycle

C-PAP's assessment engine follows a structured lifecycle that moves organisations from initial identification through to sustained assurance confidence. Each stage produces defined outputs and feeds into the next.

  1. Identify: Scope definition, asset inventory, framework selection, and operating context configuration.
  2. Assess: Control-by-control maturity assessment with evidence collection and gap identification.
  3. Plan: Treatment planning, remediation prioritisation, and resource allocation for identified gaps.
  4. Treat: Risk treatment execution (Accept, Avoid, Modify, or Transfer) with tracked outcomes.
  5. Assure: Continuous monitoring, evidence currency tracking, and assurance posture reporting.

Multi-Framework Assessment

Because every assessment is conducted against the CCM, the results are automatically reflected across all mapped frameworks. An organisation does not need to conduct separate assessments for ISO 27001, NCSC CAF, and NIST CSF — a single CCM assessment produces compliance views for all three.

The assessment engine supports simultaneous multi-framework evaluation, enabling assessors to see how a control's maturity rating translates across different framework requirements in real time. This eliminates the duplication inherent in framework-by-framework audit programmes.

Maturity Scoring

Each CCM control is assessed on a five-level maturity scale:

  • Level 1 — Initial: Ad hoc, reactive, undocumented
  • Level 2 — Developing: Partially documented, inconsistently applied
  • Level 3 — Defined: Documented, consistently applied, evidence available
  • Level 4 — Managed: Measured, monitored, regularly reviewed
  • Level 5 — Optimised: Continuously improved, integrated, predictive

Maturity scores are complemented by a confidence rating that reflects the quality, currency, and completeness of supporting evidence.

Evidence Management

Evidence in C-PAP is a first-class object with its own independent lifecycle — not a secondary attachment to a control or audit. Each evidence item is collected once, linked to the controls it supports, and managed through a defined lifecycle of collection, validation, review, and expiry.

Evidence Lifecycle

Every evidence item has defined metadata: type, source, collection date, expiry date, owner, and linked controls. Expiring evidence triggers review workflows, ensuring that assurance confidence reflects current rather than historical reality.

Cross-Control Linking

A single evidence item can support multiple CCM controls across multiple domains. A network architecture diagram, for example, may simultaneously satisfy requirements in D06 (Network Security), D14 (OT/ICS Security), and D04 (Identity & Access).
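The following Python model, added here as an illustration and not C-PAP's own code, ties together the points above: a single CCM assessment projected onto several mapped frameworks, a confidence rating driven by evidence currency, expiring evidence flagged for review, and a below-target control surfaced as a gap. The control ids, requirement ids, sample evidence and the confidence rule are all constructed placeholders, not real CCM or framework identifiers.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class Evidence:
    name: str
    collected: date
    expires: date
    controls: tuple          # CCM control ids this item supports (cross-control linking)

@dataclass(frozen=True)
class Assessment:
    control: str
    target: int              # target maturity level (1-5)
    maturity: int            # assessed maturity level (1-5)

# Constructed sample data: control and requirement ids are placeholders, not real CCM or framework ids.
FRAMEWORK_MAP = {
    "D06-NET-01": {"ISO 27001": "ISO-REQ-A", "NCSC CAF": "CAF-REQ-B", "NIST CSF": "CSF-REQ-C"},
    "D14-OT-01":  {"ISO 27001": "ISO-REQ-D", "NCSC CAF": "CAF-REQ-E"},
    "D04-IAM-01": {"ISO 27001": "ISO-REQ-F", "NIST CSF": "CSF-REQ-G"},
}
EVIDENCE = [  # one diagram supports three controls across three domains
    Evidence("network-architecture-diagram", date(2024, 1, 15), date(2025, 1, 15),
             ("D06-NET-01", "D14-OT-01", "D04-IAM-01")),
    Evidence("firewall-rule-review", date(2024, 11, 1), date(2025, 5, 1), ("D06-NET-01",)),
    Evidence("joiner-leaver-audit", date(2024, 6, 1), date(2024, 12, 1), ("D04-IAM-01",)),
]
ASSESSMENTS = [Assessment("D06-NET-01", 4, 3), Assessment("D14-OT-01", 3, 3),
               Assessment("D04-IAM-01", 4, 4)]
AS_OF = date(2025, 2, 1)   # reporting date used by the checks below

def confidence(control, evidence, as_of):
    """Assumed rule: High if every linked item is current, Medium if some expired, Low if none."""
    linked = [e for e in evidence if control in e.controls]
    current = [e for e in linked if e.expires > as_of]
    if not current:
        return "Low"
    return "High" if len(current) == len(linked) else "Medium"

def due_for_review(evidence, as_of, window_days=30):
    """Evidence expiry drives review: items already expired or expiring within the window."""
    return sorted(e.name for e in evidence if e.expires <= as_of + timedelta(days=window_days))

def gaps(assessments):
    """Gap-to-action input: controls assessed below their target maturity."""
    return [a.control for a in assessments if a.maturity < a.target]

def framework_view(assessments, evidence, framework, as_of):
    """Project the one CCM assessment onto a mapped framework: requirement -> (maturity, confidence)."""
    view = {}
    for a in assessments:
        req = FRAMEWORK_MAP.get(a.control, {}).get(framework)
        if req:
            view[req] = (a.maturity, confidence(a.control, evidence, as_of))
    return view
```

Note how the expired architecture diagram lowers confidence on all three controls it supports, even where the maturity rating is unchanged.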

Gap-to-Action Workflow

When an assessment identifies a gap — a control not meeting its target maturity or a missing evidence item — C-PAP converts that finding into a trackable action with defined ownership, priority, and target date.

Actions are linked back to the originating control and framework requirements, ensuring that remediation effort is always traceable to a specific compliance obligation. Progress is tracked through to closure and reflected in the organisation's assurance posture in real time.

Non-Conformance Tracking

Formal non-conformances — whether identified through internal assessment, external audit, or incident analysis — are recorded, classified, and tracked through a structured resolution workflow.

Each non-conformance links to the affected CCM controls, enabling the organisation to understand the compliance impact across all mapped frameworks and prioritise remediation accordingly.

See the Assessment Engine in Action

Request a demonstration to see how C-PAP's structured assessment approach works in practice.