This document proposes building a scorecard for evaluating security management and control frameworks. It discusses how existing frameworks degrade into checklists over time and proposes a rational way to judge them on factors such as efficacy, completeness, robustness, and cost, assessed for organizations of different sizes. The document shares initial reactions to frameworks such as ISO 27002 and PCI-DSS. The scorecard aims to prioritize effort, allow split-horizon assessment and audit (the organization's own assessment and the external audit judged against the same criteria), and end "Legislation Amateur Hour" through the conscious design of security frameworks. The author asks whether they have proposed something better for governance, risk, and compliance (GRC) or gone too far.