Declare data above — regimes activate from what's in play. (Nothing activates by guesswork.)

NCSC CAF control

The canonical outcome spine. All assessment outcomes are expressed against the CAF.

A1 GovernanceA2 RiskB2 Identity & accessC1 MonitoringD1 Response
NIST CSF 2.0 control

Crosswalks to the CAF outcomes via the six functions — no re-asking.

GV GovernID IdentifyPR ProtectDE DetectRS RespondRC Recover
ISO/IEC 27001 control

Annex A controls crosswalk to the same outcomes; certification view projects from them.

A.5 OrgA.8 AssetA.9 AccessA.12 Ops

However a customer names their teams, an activated concern routes to the right owner via the function spine. One assessment; many framework views.