While many of these controls are best practice, not all have a non-trivial impact to the security posture nor upon assessment, fit into a risk managed environment. We recommend the security requirements be prioritized. A more stratified approach to control requirements would be more digestible than the current one size fits all approach. This would go a long way in enabling Industry (large, medium, and small) companies to know where they need to allocate resources and spend incremental funding based on both Govt and Industry applying a risk management process that accounts for minimally environments, situational awareness, and evolving threats.
While many of these controls are best practice, not all have a non-trivial impact to the security posture nor upon assessment, fit into a risk managed environment. We recommend the security requirements be prioritized. A more stratified approach to control requirements would be more digestible than the current one size fits all approach. This would go a long way in enabling Industry (large, medium, and small) companies to know where they need to allocate resources and spend incremental funding based on both Govt and Industry applying a risk management process that accounts for minimally environments, situational awareness, and evolving threats.