
One thing to remember is that large companies love things which they can point to if something goes wrong. PCI isn't regulation but it's widespread because the credit card companies require it. Depending on the industry you might also find CIS pretty common (https://www.cisecurity.org/) and the U.S. federal government space will mention STIG (https://public.cyber.mil/stigs/).

These are built into common assessment tools so you'll get identical policies down to things like byte-for-byte identical PAM module config because most places just licensed one of these tools and demanded everyone use it.


