Implement industry standards and best practices

Implement industry standards and best practices, don’t rely on compliance. Compliance requirements help to establish a good cyber security baseline to address known vulnerabilities, but do not adequately address new and dynamic threats, or counter sophisticated adversaries. Using a risk-based approach to apply cyber security standards and practices allows for more comprehensive and cost effective management of cyber risks than compliance activities alone.
Source :