Evaluate control statements against frameworks (ISO 27001, NIST CSF, PCI DSS, Essential Eight, GDPR) with evidence-aware scoring and external crosswalk mappings.