Why the Pan-African Standards Council exists
PASC was created to provide African institutions, practitioners and communities with clear, high-quality standards for the responsible governance of security and risk. Our mission is to define open frameworks that make systems more transparent, resilient and predictable, while remaining compatible with international norms and regional realities.
Each standard published under PASC is designed to be practical, testable and usable in day-to-day management, audits and policy discussions. We focus on measurable indicators of institutional health: quality of service, reduction of avoidable harm, protection of people and assets, and continuous improvement over time.
OSPCRM is not a theoretical proposal. Early implementations in large organisations (financial services, insurance, auto-finance and global technology providers) have reported:
- Reduction from ~6,000 “critical” items to 0 open criticals in 12 months, with no increase in severe incidents.
- 90% reduction in nominal “critical” vulnerabilities through proper contextualisation, validated by audit and regulators.
- 99% reduction in noise and false “critical” signals, enabling ISO/IEC 27001 certification to focus on real risks.
- Movement from repeated red audits to green within 4 months through impact- and identity-centric classification.
- Resilience against major supply-chain compromises affecting peers on the same infrastructure, thanks to process- and identity-centric controls rather than intensified patching alone.
These results were obtained without weakening regulatory compliance. In several cases, internal and external auditors explicitly endorsed the move from raw CVSS counts to impact- and context-based models compatible with ISO/IEC 27001, ISO 31000, NIST CSF, NIS2 and DORA.
Who maintains PASC standards
The Pan-African Standards Council (PASC) is an independent standards consortium focused on human-centred, measurable governance of security, risk and critical services. It brings together senior practitioners (CISOs, risk officers, SOC and incident-response leaders), researchers, auditors and policy advisers from Africa and the diaspora.
To protect the neutrality and independence of ongoing work, some members serve in a non-public capacity (for example current regulators, operators of critical infrastructure, or senior security leaders). Public materials therefore emphasise roles, skills and sectors rather than individual names. The PASC coordination team acts as a neutral entry point and can connect interested organisations with appropriate experts where needed.
As of the initial release of OSPCRM v1.0, the consortium’s composition by profile type is approximately:
- 25–35% scholars and university-based researchers;
- 25–35% industry leaders and operators (financial services, cloud, MSSPs, critical services);
- 15–25% members of national specialised bodies and congregations (national CERTs, supervisory and professional bodies, high-ethics public service structures);
- 15–25% independent senior experts and civil-society actors.
Standards such as OSPCRM v1.0 are overseen by a dedicated technical committee on cyber risk (PASC TC-CR). Governance is structured around:
- PASC Council – overall strategic direction, approval of standards;
- Technical Committees (e.g. TC-CR for cyber risk) – drafting, annexes, mappings, pilot feedback;
- Advisory Pool – experienced practitioners and scholars consulted on specific topics;
- Coordination Office – publication workflow, DOIs, website, registry and verification.
PASC operates as a distributed consortium, currently coordinated from [Senegal, Dakar], with members contributing remotely from multiple countries. All standards are published as open, citable documents with DOIs and a documented revision process (draft review, feedback from early adopters and transparent versioning).
Where PASC develops standards
Standards in this branch address predictive cyber risk, contextual vulnerability scoring and responsible governance of digital infrastructures. OSPCRM v1.0 is the first published specification here, defining a P0–P4 impact model, contextual signals and incident-linked metrics such as False Negative Rate (FNR) and P0/P1 precision, with informative annexes on the limitations of CVSS, KEV and “patch-only” approaches.
Building on the DSM-H analytical framework, this branch focuses on tools for assessing the overall health and quality of institutions and governance systems. The emphasis is on transparency, fairness, accountability and quality of service, with indicators that can be used constructively in reform programmes, policy evaluation and strategic planning.
Rather than targeting individuals, these standards look at structures and processes: how decisions are made, how people are treated, and how effectively institutions fulfil their mandates. The goal is to support healthier, more predictable and more trustworthy public and private organisations.
Future PASC standards will also cover critical health and public safety topics: prioritisation in fragile health systems, risk communication, and resilience metrics for essential services such as water, energy and transport. All are approached with an emphasis on dignity, equity and measurable improvement in the quality of life.
All research outputs follow the ATSS 1.2 protocol for fairness and transparency. The protocol also enforces strict segregation of duties: wherever possible, the designer of a study must be different from the coder/tester and from the data curator/analyst. Institutional supervision or continuous peer review is also recommended wherever possible. Fraud, abuse, predatory and generally unethical practices are penalised with a downgraded score, to incentivise ethics over short-term gains.
Using PASC standards in supervision & policy
PASC standards and Yearly Briefs are designed to support supervisors, central banks, data protection authorities, sector regulators and audit functions who need to assess risk management quality without prescribing a single vendor or tool. OSPCRM and related guidance can be mapped to existing obligations (ISO/IEC 27001, ISO 31000, NIST CSF, GDPR, NIS2, DORA and national cyber/data laws) and used as a reference spine for qualitative and quantitative supervisory expectations.
Regulators and auditors can use PASC material to:
- Clarify expected treatment of impact, identity, context and workforce indicators in risk appetite and RAS documents;
- Request evidence of incident-linked metrics such as FNR and P0/P1 precision, beyond purely tool or CVSS coverage;
- Encourage convergence toward transparent, auditable scoring methods that remain compatible with existing frameworks;
- Support thematic reviews, scenario exercises and policy updates focused on structural weaknesses (juniorisation, high turnover, excessive internalisation, governance gaps).
Supervisory authorities and public bodies interested in formal adoption, national profiles or co-branded annexes are invited to contact the coordination team for a dedicated discussion and access to extended archives of the observatory series.
How we handle contact data
PASC only collects contact details submitted via the forms on this site in order to respond to specific requests (information, collaboration, verification). We do not sell or lease this information to third parties.
Basic traffic logs may be kept to protect the site from abuse. No tracking cookies or advertising pixels are used.
Current PASC standards
OSPCRM v1.0 defines an open, royalty-free standard for contextual, predictive and sovereignty-aware cyber risk management. It specifies a P0–P4 business impact scale, mandatory context factors (asset criticality, data sensitivity, exposure, threat activity, resilience controls), and incident-linked metrics such as False Negative Rate (FNR) and P0/P1 precision.
The standard is designed to be mapped to ISO/IEC 27001 and 27005, ISO 31000, NIST CSF, and major regulatory regimes such as GDPR, NIS2, DORA and national cyber/data laws. It can be implemented by internal security teams, vendors, MSSPs and SOC platforms. Informative annexes discuss the limitations of CVSS, KEV and “patch-only” approaches, and provide guidance on governance pillars (senior expertise, authority and proactive design).
Security note: only download from official sources.
This document sets out the core principles for becoming PASC certified (solutions and services) or PASC accredited (training providers, certification bodies, assessment partners), as well as the expectations for PASC Certified Practitioners.
It clarifies the minimum baseline (real ability and practices compatible with ISO/IEC 27001, ISO 31000 and NIST CSF), five-year validity, evidence-based renewal, and the role of senior security expertise and independent governance in any OSPCRM-aligned posture.
Yearly predictive briefs (last 3 years)
PASC publishes concise yearly briefs on predictive cyber risk and governance, designed for boards, regulators and senior practitioners. Each brief summarises global and regional trends over the previous five years, and provides forward-looking guidance for the year ahead.
- YB-2025-01 – State of Predictive Cyber Risk & Governance. Based on 2024 trends. Download PDF
- YB-2024-01 – State of Predictive Cyber Risk & Governance. Based on 2023 trends. Download PDF
- YB-2023-01 – State of Predictive Cyber Risk & Governance. Based on 2022 trends. Download PDF
For earlier briefs and archives, please contact the coordination team.
Yearly briefs on predictive risk & governance
Alongside formal standards, PASC publishes a small number of Yearly Briefs aimed at boards, regulators and senior practitioners. Each brief synthesises global and African data into a five-year view of trends, risks and structural signals in areas such as cyber risk, institutional health and workforce structure.
To keep the series focused and comparable, PASC only displays the current brief and the previous two on the public site. Each of these already contains a five-year recap and forward view, so taken together they cover more than a decade of structural trends. Older briefs and observatory notes can be shared on request, in particular for supervisors, auditors and research partners.
Every brief clearly states its data cut-off date, scope and limitations, and can be cited formally in supervisory documentation, risk appetite statements, ORSA/ICAAP material or internal governance notes.
Quick start for teams & providers
1. Identify the relevant branch and standard. Start with the PASC standard that best matches your current needs (for example OSPCRM v1.0 for cyber risk).
2. Map your existing processes. Compare current scoring and assessment methods to the standard’s required scales, context factors and metrics.
3. Implement the minimum model. Introduce the core scale (for example P0–P4) and context fields, and begin calculating the main performance metrics (such as FNR and P0/P1 precision).
4. Align with regulators and partners. Use the mapping tables and guidance in each standard to connect PASC adoption with ISO, NIST and local regulatory requirements.
5. Iterate and contribute feedback. Track your metrics over time, refine thresholds, and share implementation feedback with PASC so future revisions are grounded in real data.
Verify a certificate, solution or organisation
Any solution, organisation or individual claiming PASC recognition (for example: “PASC Certified Solution / Service – OSPCRM v1.0” or “PASC Accredited Training Provider – OSPCRM v1.0”) must be verifiable against the official PASC registry.
A quick verification of the status of your provider, vendor or solution can be performed using either the certificate ID or the name of the organisation, product or person as it appears on the certificate, e.g. PASC-OSPCRM-2025-0001.
Certified solutions & accredited partners
PASC maintains a public registry of organisations and solutions that have been formally recognised under PASC standards (for example, “PASC Certified Solution / Service – OSPCRM v1.0” or “PASC Accredited Training Provider – OSPCRM v1.0”).
This registry is populated monthly as adopters and partners complete their assessment. Any organisation or product claiming PASC certification or accreditation should appear in the official registry. Until an entry is listed, no third party is authorised to present itself as PASC-recognised.
Verification details (scope, validity dates, status) are published for each recognised organisation or solution and referenced from their digital badges, certificates and verification responses.
Contact the PASC coordination team
Use this form to reach the PASC team about standards, pilots, training, certification, product accreditation, or access to older yearly briefs and observatory materials.