Frequently Asked Questions
Answers to common questions about C-PAP, organised by topic.
Product Overview
What is C-PAP?
C-PAP (Cyber-Physical Assurance Platform) is a unified control platform integrating IT and OT compliance through a Canonical Control Model, eliminating audit duplication across multiple frameworks. It delivers defensible assurance to boards and regulators without requiring separate compliance systems for each framework.
How is C-PAP different from a GRC tool?
Traditional GRC tools build separate control structures for each framework, causing duplication. C-PAP is canonical: a single 418-control model serves as the source of truth, with external frameworks mapping into it rather than vice versa. This enables genuine evidence reuse and defensible, audit-ready compliance across multiple frameworks from a single assessment.
Who is C-PAP for?
C-PAP serves CISOs, compliance officers, OT security teams, and assurance managers in regulated and critical infrastructure sectors. It supports decision-makers justifying control investment to boards and auditors, technical teams implementing controls, and compliance professionals managing evidence across multiple frameworks.
What sectors does C-PAP support?
C-PAP provides tailored assurance across 19 sectors, each with dedicated framework mapping, domain alignment, and operating context configuration. Sectors include Energy & Utilities, Government & CNI, Financial Services, Aerospace, Defence, Marine, Nuclear, Healthcare, and Telecommunications, among others. Each sector benefits from sector-specific overlay domains and regulatory mappings.
What are the three capability levels?
Level 1 (Core Compliance) provides IT compliance baselines anchored to ISO 27001 and NCSC CAF. Level 2 (Domain Compliance) adds OT/ICS capability with IEC 62443, NIS2, DORA, and sector overlays. Level 3 (Cyber-Physical Assurance) provides full IT/OT convergence with the complete CCM, NIST CSF 2.0 convergence lens, and AI governance. Each level builds on the previous, ensuring investment carries forward.
Technical Architecture
What is the Canonical Control Model (CCM)?
The CCM is a framework-agnostic model containing 418 controls across 17 domains (13 mandatory plus 4 overlay). External frameworks map into the CCM, enabling a "write once, comply many" approach — evidence collected for one canonical control automatically satisfies the requirements of every mapped framework.
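The "write once, comply many" mechanism, as an added illustration that is not C-PAP's own code: framework requirements map into canonical controls, and evidence attached to a canonical control satisfies every requirement mapped to it. The control ids, the handful of ISO 27001 / NCSC CAF clauses, and the evidence references below are constructed for the example, not the real 418-control model.

```python
# Constructed canonical controls (hypothetical ids, not the real CCM)
CANONICAL_CONTROLS = {"CCM-AC-01", "CCM-AC-02", "CCM-LOG-01", "CCM-BC-01"}

# External framework requirements map INTO canonical controls (constructed mapping).
# A single requirement may need more than one canonical control.
FRAMEWORK_MAPPINGS = {
    "ISO 27001:2022": {"A.5.15": ["CCM-AC-01"], "A.8.15": ["CCM-LOG-01"], "A.5.30": ["CCM-BC-01"]},
    "NCSC CAF": {"B2.a": ["CCM-AC-01", "CCM-AC-02"], "C1.a": ["CCM-LOG-01"]},
}

# Constructed evidence from one assessment: two canonical controls evidenced, two not
EVIDENCE = {"CCM-AC-01": ["EV-001 access policy"], "CCM-LOG-01": ["EV-002 SIEM export"],
            "CCM-AC-02": [], "CCM-BC-01": []}


def validate_mappings(mappings, canonical):
    """Reject a mapping that points at a control the canonical model does not define."""
    referenced = {c for reqs in mappings.values() for ctrls in reqs.values() for c in ctrls}
    unknown = referenced - canonical
    if unknown:
        raise ValueError(f"mapping references unknown canonical controls: {sorted(unknown)}")


def framework_coverage(evidence, mappings, canonical):
    """evidence: {canonical_control_id: [evidence_ref, ...]}.
    Returns, per framework, the satisfied requirements, the gaps (with the
    canonical controls still missing evidence) and a coverage ratio."""
    validate_mappings(mappings, canonical)
    evidenced = {c for c, refs in evidence.items() if refs}
    report = {}
    for framework, reqs in mappings.items():
        satisfied = {r for r, ctrls in reqs.items() if set(ctrls) <= evidenced}
        gaps = {r: sorted(set(ctrls) - evidenced) for r, ctrls in reqs.items() if r not in satisfied}
        report[framework] = {"satisfied": sorted(satisfied), "gaps": gaps,
                             "coverage": len(satisfied) / len(reqs)}
    return report


if __name__ == "__main__":
    for fw, r in framework_coverage(EVIDENCE, FRAMEWORK_MAPPINGS, CANONICAL_CONTROLS).items():
        print(f"{fw}: {r['coverage']:.0%} covered, gaps: {r['gaps']}")
```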
What frameworks does C-PAP map?
C-PAP currently maps 85+ frameworks including ISO 27001:2022, IEC 62443, NCSC CAF v4.0, NIST CSF 2.0, NIST SP 800-53, NIS Regulations 2018, NIS2 Directive, DORA, PCI DSS v4.0.1, CIS Controls v8, Cyber Essentials Plus, ISO/IEC 42001, NIST AI RMF, and further sector-specific standards spanning energy, maritime, aerospace, defence, nuclear, telecoms, and financial services. Mappings are maintained and updated as regulations evolve.
How does the AI layer work?
C-PAP uses Retrieval Augmented Generation (RAG) over a curated standards knowledge base, with all AI models running locally via Ollama. Safeguards include confidence indicators and cited sources, prompt injection detection, audit-grade logging, and advisory-only recommendations subject to human verification. The RAG pipeline operates exclusively over standards knowledge, never over client assessment data.
How does C-PAP handle SBOM and supply chain transparency?
C-PAP generates Software Bills of Materials in CycloneDX and SPDX formats and scans them to identify vulnerable dependencies. Critical or High findings trigger automatic deployment blocking. Full supply chain transparency satisfies NIS2 Article 21(2)(d) requirements and supports procurement security assessments.
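The deployment gate described above, as an added example that is not C-PAP's own code: it parses a CycloneDX JSON SBOM carrying vulnerability findings and blocks when any Critical or High finding remains. The SBOM, package names and vulnerability ids are constructed placeholders; the handling of a VEX-style `analysis.state` of `not_affected` is an assumption added here, not a stated C-PAP behaviour.

```python
import json

SEVERITY_RANK = {"critical": 5, "high": 4, "medium": 3, "low": 2, "info": 1, "none": 0, "unknown": 0}
BLOCKING = {"critical", "high"}
# Assumed policy: CycloneDX analysis states that mean the finding does not apply to this build
SUPPRESSED_STATES = {"not_affected", "false_positive", "resolved"}

# Constructed SBOM with embedded findings (placeholder ids, not real advisories)
CONSTRUCTED_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"bom-ref": "pkg:pypi/example-lib@1.0.0", "name": "example-lib", "version": "1.0.0"},
        {"bom-ref": "pkg:npm/example-ui@2.3.1", "name": "example-ui", "version": "2.3.1"},
    ],
    "vulnerabilities": [
        {"id": "VULN-PLACEHOLDER-1", "ratings": [{"severity": "medium"}, {"severity": "high"}],
         "affects": [{"ref": "pkg:pypi/example-lib@1.0.0"}]},
        {"id": "VULN-PLACEHOLDER-2", "ratings": [{"severity": "critical"}],
         "affects": [{"ref": "pkg:npm/example-ui@2.3.1"}],
         "analysis": {"state": "not_affected", "justification": "code_not_reachable"}},
        {"id": "VULN-PLACEHOLDER-3", "ratings": [{"severity": "low"}],
         "affects": [{"ref": "pkg:npm/example-ui@2.3.1"}]},
    ],
})


def worst_severity(vuln):
    """Highest severity across all ratings; an unrated finding counts as unknown."""
    sevs = [r.get("severity", "unknown").lower() for r in vuln.get("ratings", [])]
    return max(sevs, key=lambda s: SEVERITY_RANK.get(s, 0), default="unknown")


def evaluate_gate(sbom_json):
    """Return (blocked, findings): every finding with its effective severity,
    its analysis state and whether it contributed to the block decision."""
    bom = json.loads(sbom_json)
    findings = []
    for vuln in bom.get("vulnerabilities", []):
        sev = worst_severity(vuln)
        state = vuln.get("analysis", {}).get("state")
        blocks = sev in BLOCKING and state not in SUPPRESSED_STATES
        findings.append({"id": vuln.get("id"), "severity": sev, "state": state,
                         "affects": [a["ref"] for a in vuln.get("affects", [])], "blocks": blocks})
    return any(f["blocks"] for f in findings), findings


if __name__ == "__main__":
    blocked, findings = evaluate_gate(CONSTRUCTED_SBOM)
    for f in findings:
        print(f"{f['id']}: {f['severity']} state={f['state']} blocks={f['blocks']}")
    print("DEPLOYMENT BLOCKED" if blocked else "deployment allowed")
```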
How does C-PAP support AI governance?
C-PAP implements EU AI Act transparency and human oversight requirements with AI risk classification, ISO/IEC 42001 alignment, audit-grade interaction logging, confidence thresholds, and algorithmic impact assessments. AI governance is integrated directly into the CCM through dedicated AI governance controls, managed alongside broader cybersecurity assurance obligations.
What is the technology stack?
C-PAP is built entirely on open-source components: Next.js 15 frontend, FastAPI backend, PostgreSQL 16 database, Keycloak 26 for identity, Ollama for local AI inference, MinIO for storage, K3s for orchestration, and OpenTofu for infrastructure-as-code. All source code is inspectable and auditable, ensuring zero vendor lock-in.
Deployment & Operations
What are the deployment options?
C-PAP is available in three deployment models delivering identical functionality: multi-tenant SaaS (hosted in UK data centres), private cloud (within the customer's cloud tenancy), and on-premises including air-gapped deployments. Selection depends on regulatory requirements, data governance policies, and operational constraints.
How does multi-tenancy work?
Strict tenant isolation is enforced at three layers: database row-level security prevents cross-tenant queries, storage assigns separate buckets per tenant, and the application validates every API call's tenant context with role-based access control. Each tenant has independent audit logs, evidence stores, and user directories.
What is the evidence automation capability?
C-PAP integrates with cloud security tools, vulnerability scanners, and configuration management systems to automate evidence collection and its mapping to CCM controls with full provenance. Supported sources include AWS Security Hub, Azure Defender, Trivy, OWASP ZAP, Terraform, and Ansible, among others.
How are report templates used?
C-PAP includes 27 production-ready templates across four groups: Assessment & Governance, Operational Tracking, Framework & Standards Reports, and Board & Regulator Outputs. All templates include worked examples with full evidence traceability and are generated from live assessment data.
Security & Trust
How is the platform itself secured?
C-PAP implements defence-in-depth: Keycloak 26 with MFA and role-based access control, AES-256 encryption at rest and TLS 1.3 in transit, prompt injection detection for AI features, and automated CI/CD security scanning. All security controls are transparent and auditable by clients.
How does C-PAP handle sensitive assessment data?
Assessment data is strictly isolated per organisation with no cross-tenant visibility. Role-based access ensures compliance teams see only assigned controls, executives see summaries, and auditors have read-only access. The AI pipeline operates exclusively over standards knowledge, never over client assessment data.
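The tenant-isolation and role-based access model described in the two answers above (separate tenant contexts, compliance teams seeing only assigned controls, executives seeing summaries, auditors read-only), as an added illustration that is not C-PAP's own code. The application-layer check mirrors what database row-level security enforces on a `tenant_id` column; the role names, control records and tenant names are constructed.

```python
from dataclasses import dataclass


class AccessDenied(Exception):
    pass


@dataclass(frozen=True)
class Principal:
    user: str
    tenant: str
    role: str                            # constructed roles: "compliance", "executive", "auditor"
    assigned: frozenset = frozenset()    # controls assigned to a compliance user


# Constructed control records; tenant_id is the column row-level security would filter on
CONTROLS = [
    {"tenant_id": "acme", "control": "CCM-AC-01", "status": "compliant", "evidence": ["EV-001"]},
    {"tenant_id": "acme", "control": "CCM-LOG-01", "status": "gap", "evidence": []},
    {"tenant_id": "globex", "control": "CCM-AC-01", "status": "compliant", "evidence": ["EV-900"]},
]


def tenant_rows(principal, requested_tenant):
    """The tenant named in the request must equal the tenant in the caller's identity;
    it is never taken on trust from the URL or body. Rows are then filtered by tenant."""
    if requested_tenant != principal.tenant:
        raise AccessDenied(f"{principal.user} may not access tenant {requested_tenant}")
    return [r for r in CONTROLS if r["tenant_id"] == principal.tenant]


def view_controls(principal, requested_tenant):
    """Role-based projection applied only after the tenant filter."""
    rows = tenant_rows(principal, requested_tenant)
    if principal.role == "compliance":     # assigned controls only, full detail
        return [r for r in rows if r["control"] in principal.assigned]
    if principal.role == "executive":      # summary only, no evidence detail
        return {"compliant": sum(r["status"] == "compliant" for r in rows), "total": len(rows)}
    if principal.role == "auditor":        # full read-only view (copies, so nothing is mutated)
        return [dict(r) for r in rows]
    raise AccessDenied(f"unknown role {principal.role}")


def update_status(principal, requested_tenant, control, status):
    """Only compliance users may write, and only to their assigned controls."""
    rows = tenant_rows(principal, requested_tenant)
    if principal.role != "compliance" or control not in principal.assigned:
        raise AccessDenied(f"{principal.role} {principal.user} is read-only for {control}")
    for r in rows:
        if r["control"] == control:
            r["status"] = status
            return r
    raise KeyError(control)
```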
Commercial
What are the commercial tiers?
Core includes the CCM engine, dashboards, and ISO 27001/NCSC CAF baseline. Domain adds OT overlays or sector-specific modules. Enterprise provides the full platform with all frameworks, sectors, and advanced AI-assisted analysis. All tiers are fully developed and available.
What does implementation look like?
Implementation follows a four-phase consultancy-led engagement: Discovery (map regulatory landscape and frameworks), Configuration (customise platform and integrate evidence sources), Training (equip teams and validate mappings), and Go-live (deploy to production). Typical initial deployment takes 4–8 weeks depending on scope.
Is training and support included?
Yes. All tiers include onboarding training for compliance and executive users, platform training for configuration and reporting, and ongoing technical and compliance support. Enterprise tiers include dedicated account management and quarterly business reviews.
How does C-PAP support audit and regulatory submissions?
C-PAP generates audit-ready outputs including traceable evidence packs with full provenance, real-time compliance dashboards, framework-specific regulatory reports, and board assurance packs. Every compliance statement is traceable to source evidence, enabling auditors to audit the audit trail itself.
Have a Question Not Covered Here?
Get in touch and we will be happy to discuss your specific requirements.