Framework Coverage

The CCM is cross-mapped to 85+ internationally recognised frameworks — each mapping qualified at the individual control level with full traceability.

Mapping Methodology

C-PAP's framework mappings are not high-level thematic alignments. Each mapping is a qualified, control-to-requirement relationship established at the individual control level. When the CCM states that a control maps to a specific framework requirement, the relationship has been reviewed, verified, and documented.

Mapping depth is described using qualitative descriptors rather than percentages, reflecting the reality that different frameworks have different scopes, structures, and levels of prescriptiveness:

Comprehensive

Full or near-full coverage of the framework's control requirements.

Extensive

Broad coverage across the framework's major domains and objectives.

Strong

Significant coverage of core framework requirements with targeted alignment.

Mapped

Specific, targeted mapping to relevant framework requirements.

Primary Baseline & Governance Standards

Core information security, cybersecurity, and governance standards that anchor the CCM's control structure. These form the backbone of most compliance programmes and provide the primary mapping foundations.

ISO/IEC 27001:2022
ISO/IEC 27002:2022
ISO/IEC 27005
ISO/IEC 27701:2019
ISO 22301
ISO/IEC 27031
ISO 31000:2018
NIST CSF 2.0
NIST SP 800-53 Rev 5
NIST SP 800-37 Rev 2
NIST SP 800-207 Zero Trust
NIST SP 800-61 Incident Handling
NIST SP 800-161 Rev 1
NIST SSDF v1.1
NIST Privacy Framework 1.0
CIS Controls v8
Cyber Essentials Plus
COBIT 2019
CISA Zero Trust Maturity Model
PCI DSS v4.0.1
SOC 2 Trust Services Criteria
ISO 28000 Supply Chain Security

OT/ICS Security Frameworks

Standards and guidance specific to operational technology, industrial control systems, and cyber-physical environments. These underpin the D14 OT/ICS Security overlay domain.

IEC 62443-2-1
IEC 62443-3-3
IEC 62443-4-1
IEC 62443-4-2
NIST SP 800-82 Rev 3

UK Regulatory & NIS Frameworks

UK legislation, regulatory instruments, and sector supervisory frameworks applicable to operators of essential services and regulated entities.

NCSC CAF v4.0
NIS 2018
eCAF
UK Cyber Security and Resilience Bill
UK GDPR
UK Data Protection Act 2018
UK PSTI Act 2022
GovAssure
UK Government Cyber Action Plan
NCSC CAF Supplementary Guidance for Government
NCSC CAF IGPs
NCSC Cyber Resilience Assurance Scheme
NCSC Severe Threat Guidance
NCSC Cloud Security Principles

EU Regulatory Frameworks

EU directives and regulations imposing cybersecurity, resilience, and digital governance obligations across member states and affected entities.

NIS2 Directive
EU DORA (Reg. 2022/2554)
EU AI Act
EU CRA 2024/2847
EU Network Code on Cybersecurity (2024/1366)

Financial Services

Regulatory and supervisory instruments for banking, financial services, and insurance organisations.

EU DORA (Reg. 2022/2554)
EBA ICT Risk Management
UK Operational Resilience (PS21/3)
UK Critical Third Parties (PS16/24)

Cloud Security & Privacy

Standards and frameworks addressing cloud computing security, privacy management, and third-party assurance.

CSA Cloud Controls Matrix v4
ISO/IEC 27017:2015
ISO/IEC 27018:2019
ISO/IEC 27701:2019
NCSC Cloud Security Principles
SOC 2 Trust Services Criteria

IoT & Telecommunications

Standards and legislation addressing connected devices, consumer IoT security, and telecommunications infrastructure.

UK PSTI Act 2022
ETSI EN 303 645
Telecommunications (Security) Act 2021
DDCMS Telecoms Security Code of Practice

AI Governance Frameworks

Standards and regulatory instruments governing the responsible development and deployment of artificial intelligence systems.

EU AI Act
ISO/IEC 42001
ISO/IEC 23894:2023
NIST AI RMF
DSIT AI Cyber Security Code of Practice

Energy & Utilities

Sector-specific regulatory and operational frameworks for energy generation, distribution, and water utilities.

Ofgem DGE
SEMD 2022
DWI NIS
DWI Enforcement
EU Network Code on Cybersecurity (2024/1366)

Aviation

Airworthiness, aviation security, and air traffic management cybersecurity standards and regulations.

EASA Part-IS (2022/1645)
DO-326A / ED-202A
DO-356A / ED-203A
EUROCAE ED-202A
EUROCAE ED-202B
EUROCAE ED-203A
EUROCAE ED-204A
ED-201A / DO-391
ED-206 / DO-392
UK CAA CAP1850

Maritime

International maritime cyber risk management regulations and classification society requirements.

IMO MSC.428(98)
IMO Cyber Risk Guidelines
IACS UR E26
IACS UR E27
DfT Cyber Security Code of Practice for Ships

Defence

Defence and national security cybersecurity standards for controlled information and defence supply chain assurance.

DEF STAN 05-138
NIST SP 800-171

Nuclear

Nuclear sector security assessment and guidance frameworks for civil nuclear facilities and operations.

ONR Security Assessment Principles (SyAPs)
IAEA Nuclear Security Series (NSS-17-T / NSS-42-G)

Transport & Automotive

Cybersecurity standards for railway, automotive, and road vehicle systems.

CLC/TS 50701 Railway Cybersecurity
ISO/SAE 21434 Road Vehicles
UNECE R155 Cyber Security and CSMS
UNECE R156 Software Updates and SUMS

Space

Space sector cybersecurity standards and regulatory frameworks for satellite systems and space operations.

ECSS-Q-ST-80C
CCSDS 350.1-G-3
UK Space Industry Regulations 2021

Threat Knowledge Frameworks

Threat intelligence and defensive knowledge bases integrated for threat-informed prioritisation and control validation.

MITRE ATT&CK Enterprise
MITRE ATT&CK for ICS
MITRE D3FEND

Ongoing Framework Expansion

The CCM framework mapping programme is continuously expanding. Additional frameworks are in active development, with particular focus on sector-specific regulatory instruments and emerging international standards.

All new framework mappings follow the same rigorous control-to-requirement methodology, ensuring consistent quality and traceability across the entire mapping library.

See Your Framework Coverage

Request a demonstration to see how C-PAP maps to your specific framework obligations.