9dev 2 hours ago

I understand that desire entirely, but I’m not sure if it would work that way. Take an ISO 27001 certification (or SOC, if you like): There is no one clear set of things to do, but both guidance and requirements that you need to address and be able to defend your concrete implementation. And I generally like that a lot better than having a set of hard this-way-or-no-way checklists that invariably consist of 80% bullshit ceremony for giant corporations. ISO nudges you toward that too, but if you’re able to deliver the same security guarantees with less, auditors will usually be happy. The same, in general, works for GDPR regulations as well: The law is mostly about doing the right things, but not spelling out the billions of cases and permutations and strategic decisions involving privacy in one way or another.