Canonical Control Model

The intellectual core of C-PAP — a structured control taxonomy that unifies IT and OT compliance under a single, framework-independent model.

What the CCM Is

The Canonical Control Model (CCM) is a comprehensive, framework-independent control taxonomy comprising 418 controls organised across 17 domains. It serves as the single source of truth for an organisation's security and compliance posture.

Unlike framework-specific control sets, the CCM is designed to be the canonical record — the definitive statement of what an organisation does, assessed once and then presented through whichever framework lens is required. Each CCM control maps to one or more requirements across 85+ internationally recognised frameworks.

This canonical approach eliminates the duplication, inconsistency, and evidence sprawl that characterise multi-framework compliance programmes. When a control is assessed in the CCM, its compliance status is automatically reflected across every mapped framework.

At a glance: 418 controls, 17 domains, 85+ mapped frameworks.

Domain Architecture

The CCM organises controls into two tiers: thirteen mandatory domains that form the universal baseline, and four overlay domains that extend coverage for specific operating contexts and sectors.

Mandatory Domains (D01–D13)

Every organisation using C-PAP is assessed against the mandatory domain baseline. These domains cover the complete scope of enterprise information security governance.

D01  Governance & Leadership          Strategic direction, accountability, policy
D02  Risk Management                  Risk identification, assessment, treatment
D03  Asset Management                 Inventory, classification, lifecycle
D04  Identity & Access                Authentication, authorisation, privilege
D05  Data Protection                  Classification, encryption, privacy
D06  Network Security                 Segmentation, monitoring, perimeter
D07  Endpoint & Platform Security     Hardening, patching, configuration
D08  Application Security             SDLC, testing, secure design
D09  Security Operations              Monitoring, detection, response
D10  Incident Management              Response, escalation, lessons learned
D11  Business Continuity              Recovery, resilience, exercising
D12  Supply Chain Security            Third-party risk, procurement, assurance
D13  Compliance & Assurance           Audit, certification, regulatory

Overlay Domains (D14–D17)

Overlay domains extend the mandatory baseline with controls specific to particular operating contexts or sectors. They are activated based on the organisation's environment and do not replace or duplicate mandatory domain controls.

D14  OT/ICS Security                        24 controls — zones, conduits, SIS, safety-security
D15  Sector Regulatory Depth                22 controls — sector-specific regulatory and compliance depth
D16  Critical Infrastructure Resilience     13 controls — resilience for critical national infrastructure
D17  Safety-Critical Environments           13 controls — safety-security integration for safety-critical operations

Common and Complex Control Layers

Within each domain, controls are organised into two layers that reflect the reality of how organisations implement security:

Common Controls are the foundational requirements that every organisation should implement — the baseline that forms the floor of good practice. These tend to be well-understood, broadly applicable, and aligned to the most widely adopted frameworks.

Complex Controls address more sophisticated requirements that arise in specific contexts: converged environments, safety-critical systems, advanced threat scenarios, or heightened regulatory obligations. These controls build on the Common layer and are typically relevant for organisations operating at higher maturity levels.

Cross-Framework Mapping

Each CCM control is individually mapped to the specific clauses, requirements, or objectives of every applicable framework. This is not a high-level thematic alignment — it is a qualified, control-to-requirement mapping with explicit traceability.

When an organisation assesses a CCM control, the result is automatically reflected across all mapped frameworks. When evidence is linked to a control, it becomes available through every framework view. This is the mechanism by which C-PAP delivers genuine multi-framework compliance from a single assessment.
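The propagation mechanism described above, as an added illustration in Python (not C-PAP's own code or schema). The control ids, the framework names FW-A and FW-B, the requirement ids, and the worst-of status ordering are all assumptions constructed for the example; only the structure (assess once, link evidence once, derive every framework lens from the canonical record, overlay domains in scope only when activated) follows the text.

```python
from dataclasses import dataclass, field

# Constructed sample slice of a canonical control model; assumed structure, not the vendor's schema.
OVERLAY_DOMAINS = {"D14"}  # overlay domain controls are in scope only when activated
# Ordering used when several controls satisfy one requirement: the requirement
# inherits the weakest contributing control (an assumption for this example).
STATUS_RANK = {"compliant": 0, "not-assessed": 1, "partial": 2, "non-compliant": 3}

@dataclass
class Control:
    control_id: str
    domain: str
    layer: str                      # "Common" or "Complex"
    mappings: dict[str, list[str]]  # framework -> requirement ids this control satisfies

@dataclass
class CanonicalRecord:
    controls: dict[str, Control]
    status: dict[str, str] = field(default_factory=dict)         # one assessment per control
    evidence: dict[str, list[str]] = field(default_factory=dict) # one evidence set per control

    def assess(self, control_id: str, status: str) -> None:
        self.status[control_id] = status  # assessed once, in the canonical record

    def link_evidence(self, control_id: str, ref: str) -> None:
        self.evidence.setdefault(control_id, []).append(ref)

    def framework_view(self, framework: str, active_overlays: frozenset = frozenset()) -> dict:
        # Derive a framework's requirement-by-requirement view from the single canonical record.
        view: dict[str, dict] = {}
        for ctrl in self.controls.values():
            if ctrl.domain in OVERLAY_DOMAINS and ctrl.domain not in active_overlays:
                continue  # inactive overlay controls appear in no framework lens
            for req in ctrl.mappings.get(framework, []):
                entry = view.setdefault(req, {"controls": [], "status": "compliant", "evidence": []})
                entry["controls"].append(ctrl.control_id)
                entry["evidence"].extend(self.evidence.get(ctrl.control_id, []))
                st = self.status.get(ctrl.control_id, "not-assessed")
                if STATUS_RANK[st] > STATUS_RANK[entry["status"]]:
                    entry["status"] = st
        return view

def build_sample() -> CanonicalRecord:
    # Constructed controls and mappings (hypothetical ids and frameworks).
    record = CanonicalRecord(controls={c.control_id: c for c in [
        Control("CCM-D04-001", "D04", "Common",  {"FW-A": ["A-9.1"], "FW-B": ["B-2.3"]}),
        Control("CCM-D04-002", "D04", "Complex", {"FW-A": ["A-9.1"]}),
        Control("CCM-D09-001", "D09", "Common",  {"FW-A": ["A-12.4"]}),
        Control("CCM-D14-001", "D14", "Complex", {"FW-B": ["B-7.1"]}),
    ]})
    record.assess("CCM-D04-001", "compliant")
    record.assess("CCM-D04-002", "partial")
    record.link_evidence("CCM-D04-001", "EV-0001")  # linked once, visible in FW-A and FW-B
    return record
```

Requirement A-9.1 is satisfied by two controls, so its derived status is the weaker "partial"; B-7.1 only appears in the FW-B view once overlay D14 is activated.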
