Manzill Surolia

Analysis · 7 Jul 2026

Regulatory Controls, Decoded

A vectorised, facts-first analysis of 58 security & privacy frameworks.

58frameworks compared
64%controls have a twin in another framework
37%near-identical cross-framework
97%frameworks require logging & monitoring
~10capabilities cover the whole field

The headline finding, measured — not asserted. Every control was turned into a numerical vector (TF-IDF over its title and requirement text) and compared to every other by cosine similarity. Nearly two-thirds of all controls have a semantic twin in a different framework; one in three is near-identical. Regulations do not invent new requirements — they re-word shared ones.

Share of controls with a semantic twin in a different framework
≥ 0.5 related64%
≥ 0.6 strong56%
≥ 0.7 very close46%
≥ 0.8 near-identical36%

1 · The Commonality: Frameworks Ask for the Same Things

Searching every control for core capabilities shows how few ideas the field actually turns on. Ten capabilities recur across most of the 58 frameworks.

Universal capabilityIn % of frameworksReading
Logging & monitoring97%The one near-universal control
Access control / least privilege79%Identity is the perimeter
Vulnerability & patch management67%Hygiene, everywhere
Incident response66%Assume breach; prove readiness
Third-party / supply-chain assurance66%Risk crosses org boundaries
Encryption (transit & rest)60%Data protection by default
Awareness & training53%The human control
Backup & recovery50%Resilience is compliance

Risk assessment and multi-factor authentication follow at 43% each, completing the ten.

▸ Master ~10 capabilities and you answer the substance of most of 58 frameworks. The work is finite; only the paperwork multiplies.

2 · The Similarity: Which Regulations Are Really the Same

Comparing frameworks vector-to-vector (average of their control vectors) surfaces near-duplicate standards. Some pairs are versions of one document; others are genuinely different standards that have quietly converged — the ones worth a single crosswalk.

Framework pairSimilarityType
CMMC v2.0 Level 2  ≈  NIST 800-1710.94Cross-standard — map once, claim both
ISO 27799 (health)  ≈  ISO/IEC 27033-1 (network)0.94Cross-standard convergence
ISO 19791  ≈  ISO 277990.93Cross-standard convergence
EU GDPR  ≈  UK GDPR0.98Same law, two jurisdictions
CIS Implementation Group 2  ≈  Group 30.98Tiers of one framework
ASD Essential 8 ML2  ≈  ML30.96Maturity tiers of one framework

▸ Frameworks are distinct as documents (average pairwise similarity just 0.12) yet overlap heavily control-by-control. The redundancy lives in the controls, not the framing — which is exactly why ‘comply once, report many’ works.

Framework-to-framework similarity (control-text overlap)
800-53800-171CMMCCSF27001PCI 4.0AzureFSBPGDPRHIPAAEss 8SOC 2
NIST 800-531.000.530.500.290.370.320.150.130.120.150.140.22
NIST 800-1710.531.000.940.220.280.250.150.110.050.120.150.13
CMMC L20.500.941.000.210.270.250.160.120.050.130.140.13
NIST CSF0.290.220.211.000.350.250.070.050.090.130.080.21
ISO 270010.370.280.270.351.000.300.090.090.120.170.120.25
PCI DSS 4.00.320.250.250.250.301.000.140.100.090.180.110.15
CIS Azure0.150.150.160.070.090.141.000.200.060.050.130.05
AWS FSBP0.130.110.120.050.090.100.201.000.050.050.080.05
EU GDPR0.120.050.050.090.120.090.060.051.000.060.040.21
HIPAA0.150.120.130.130.170.180.050.050.061.000.040.12
Essential 80.140.150.140.080.120.110.130.080.040.041.000.07
SOC 20.220.130.130.210.250.150.050.050.210.120.071.00
Less overlapMore overlap

3 · The Structure: Machine-Discovered Themes

Clustering the control vectors (no labels supplied) reproduces the security syllabus on its own — identity, access, incident/risk and privacy emerge as the load-bearing themes.

Machine-discovered theme (top terms)% of controls% of frameworks
Technical safeguards, audit & records47%88%
Incident, risk & testing13%53%
Identity & authentication10%67%
Access control (incl. physical & privileged)7%72%
Privacy & personal-data processing4%55%

4 · One Capability, Five Frameworks (worked crosswalk)

One idea — least privilege — written five different ways across five frameworks.

FrameworkControl ref.Same idea, different words
NIST 800-53 rev.5AC-6Least Privilege
NIST 800-1713.1.5Least Privilege
PCI DSS v4.07.2.1Access by role & least privilege
CIS AWS Foundations1.22No IAM policy with full '*:*' admin
AWS Foundational Sec. BPEC2.18Security groups block unrestricted access

Bottom line

  • ~2 in 3 controls are restatements — of a control already written in another regulation.
  • Logging first — present in 97% of frameworks — the highest-leverage first investment.
  • Collapse the duplicates — CMMC L2 and NIST 800-171 are 94% the same; map one to the other, don’t run two programmes.
  • Weight by impact — GDPR is small by control-count but carries the largest penalties — count is not consequence.
  • Build once, report many — the redundancy is at the control level, so a single capability answers dozens of identifiers.

Method. Each control’s title + requirement text was vectorised with TF-IDF (1–2-word terms); twins, framework similarity and themes are derived from cosine similarity, nearest-neighbour search and k-means clustering over those vectors.