At the 2024 RSA Security Conference there was a session discussing the relative strengths of comprehensive security standards. Following is a summary of the independent assessments of standards:
They didn’t include NIST (CSF v2.0) or Cybersecurity Maturity Model (v2.0). And the presentation was given by someone involved in CRF (v2024) – which, of course, was self-rated as excellent!
But it shows my reasoning for creating my own audit blank based on the best parts of various standards, as well as the need to include real-estate domain-specific evaluations. That said, I often run through the CIS standard with clients who want to know how they measure up to one standard in particular.