Implement industry standards and best practices

Implement industry standards and best practices; don’t rely on compliance. Compliance requirements help to establish a good cyber security baseline to address known vulnerabilities, but do not adequately address new and dynamic threats, or counter sophisticated adversaries. Using a risk-based approach to apply cyber security standards and practices allows for more comprehensive and cost-effective management of cyber risks than compliance activities alone.
Source: https://www.connectsmart.govt.nz/assets/NCSC-Cyber-security-risk-management-Executive.pdf