A vectorised comparison of 58 frameworks found that nearly two-thirds of all security controls have a semantic twin in a different framework. That reframes the whole “which framework?” debate: the underlying work is largely the same everywhere. What differs is the output — a certificate, an auditor’s report, a self-attestation, or nothing but legal exposure. Choose the framework whose proof your buyers, auditors and regulators actually ask for, then let the shared controls satisfy the rest.
1 · Pick by What’s Forcing the Decision
Nobody adopts a framework in a vacuum — something is pushing: a lost deal, a payment processor, a law, a federal RFP. Name the driver and the framework usually names itself.
| What’s forcing it | Adopt | Because |
|---|---|---|
| Customers/investors want proof you’re secure | SOC 2 (US) or ISO 27001 (global) | The two credentials buyers recognise on sight |
| You store or process card payments | PCI DSS 4.0 | Mandated by the card brands — non-negotiable |
| You handle US health data (PHI) | HIPAA + HITRUST | HIPAA is the law; HITRUST is how you prove it to partners |
| You sell to the US federal government | NIST 800-53 / FedRAMP | The control baseline behind an ATO |
| You’re cloud-native or sell cloud services | CSA CCM (+ ISO 27001 / SOC 2) | Cloud-specific control expectations & the STAR registry |
| You need a privacy programme (GDPR-style) | ISO 27701 | Bolts a privacy management system onto ISO 27001 |
| You just want to get measurably more secure | CIS Controls, then NIST CSF | A do-this-first list, then a governance structure |
▸ Most organisations end up carrying two or three at once — one credential customers want (ISO 27001 / SOC 2) plus whatever mandates their industry imposes (PCI, HIPAA, FedRAMP).
2 · The Ten, Compared
The same ten frameworks, side by side — what kind of instrument each one is, who it fits, and the artefact it leaves you holding.
| Framework | Type | Best for | Proof it produces |
|---|---|---|---|
| NIST CSF 2.0 | Self-assessed | A strategic, risk-based blueprint without certification | Maturity/tier self-assessment |
| CIS Critical Security Controls | Self-assessed | Teams wanting a prioritised, technical “do this first” list | IG1/IG2/IG3 self-assessment |
| CSA CCM | Self / STAR | Cloud providers & consumers setting cloud expectations | CAIQ & STAR registry listing |
| NIST 800-53 | Control catalogue | US federal systems & FedRAMP supply chains | Control baseline for an ATO |
| SOC 2 | Attestation | SaaS & service providers proving controls to customers | Independent auditor’s report (Type I/II) |
| PCI DSS 4.0 | Mandate | Anyone touching cardholder data | AOC / ROC / SAQ |
| ISO/IEC 27001 | Certifiable | Global orgs needing a recognised ISMS certificate | Accredited certificate |
| ISO/IEC 27701 | Certifiable ext. | Orgs adding a privacy (PIMS) layer to ISO 27001 | Certificate (as a 27001 extension) |
| HITRUST CSF | Certifiable | Healthcare vendors wanting one cert mapping many standards | HITRUST certification (e1/i1/r2) |
| HIPAA Security Rule | US law | Covered entities & business associates handling PHI | Legal compliance (no certificate) |
Types are grouped by the kind of assurance each yields — the axis that actually differentiates them, since the controls largely coincide.
3 · The Assurance Ladder
Frameworks differ most in how strong a promise they let you make to an outsider. That “strength of proof” is the axis buyers price in — a self-attestation and an accredited certificate are worlds apart in a procurement review, even when the controls behind them are identical.
▸ Climb the ladder only as far as your buyers require. Paying for a certification when customers would accept a SOC 2 report — or a SOC 2 when they’d accept a questionnaire — is spend without a sale attached.
4 · A Sane Order to Adopt Them
Because the controls overlap so heavily, you don’t choose one framework and abandon the rest — you build the shared control core once, then attach whichever proofs the market demands. A defensible sequence:
- CIS Controls (IG1) — stop the bleeding with concrete technical hygiene; no auditor required.
- NIST CSF 2.0 — wrap the controls in a governance structure (Govern, Identify, Protect, Detect, Respond, Recover).
- ISO 27001 or SOC 2 — earn the one credential your customers keep asking for (global → ISO; US SaaS → SOC 2).
- Layer the mandates — add PCI (cards), HIPAA/HITRUST (health), 800-53/FedRAMP (federal) or ISO 27701 (privacy) only as they apply.
Bottom line
- The controls are shared; the proof is not — choose for the artefact your market accepts, not the control list.
- Name the driver first — a lost deal points to SOC 2/ISO; cards point to PCI; PHI points to HIPAA/HITRUST.
- Assurance has a ladder — self-assessed, attested, certified — and buyers pay for the rung, so climb only as high as they ask.
- Build once, certify many — ~64% control overlap means a single control programme feeds most frameworks.
- Start with CIS, structure with CSF — then attach the credential; don’t begin with the certificate.
Sources & method. Framework characteristics are drawn from each body’s published materials (NIST CSF 2.0, ISO/IEC 27001 & 27701, AICPA SOC 2 Trust Services Criteria, PCI DSS 4.0, the HIPAA Security Rule, HITRUST CSF, CIS Controls v8, CSA Cloud Controls Matrix, NIST SP 800-53). The overlap figure comes from the companion analysis, Regulatory Controls, Decoded. Guidance here is general and not a substitute for legal or audit advice. Original analysis; no third-party material reproduced.