Ask a supplier about multi-factor authentication for CAF, then ask again for ISO 27001, then again for Cyber Essentials, then once more for NIST. It is the same control four times, in four shapes. That is not assurance - it is busywork.
Most questionnaires are bespoke. Each framework gets its own form, its own evidence upload, its own review. Suppliers resent it, your team drowns in it, and the same fact gets re-collected endlessly. The cost is real and it compounds with every framework you add.
A well-designed control question is framework-agnostic. You ask about the underlying control once, capture the evidence once, and map that single answer to every framework that cares about it. One question about enforced MFA on administrative access becomes evidence for CAF, ISO 27001, Cyber Essentials and NIST alike, because each of them is asking about the same control under a different heading.
Answer once; satisfy four regimes.
Public-sector suppliers are asked for CAF, Cyber Essentials, ISO and increasingly Secure by Design evidence - often by several buyers at once. Map once and you cut the supplier’s burden, speed up your own assessment, and report against every framework from a single source of truth.
We will map a single control across CAF, ISO, CE and NIST live.