Chapter 6. The World Is Your Oyster of Resources and Guidance

A WORLD OF RESOURCES AND GUIDANCE

Implementer's Dilemma

Many myths and misconceptions surround the selection and adoption of frameworks and standards. Merely stating that one is adopting a single framework causes other professionals to raise their eyebrows. These misconceptions stem from the fact that no single program can address an entire enterprise's operations and control needs. Those who took the U.S. Sarbanes-Oxley (SOX) Act literally, and set out to adopt in full one of the few standards named in the official documents, learned this the hard way, much to their regret. Conversely, if only a portion of a framework's controls is adopted, it is commonly believed that the organization will somehow miss out on important tenets and core risk management techniques.

The idea that an organization must adopt an entire framework in full or else be vulnerable to cyberattacks, financial misrepresentation, or some other unfortunate event is inaccurate. An organization need not implement every control outlined in a single framework. It should, however, consider every control and determine whether implementing it is appropriate for the organization.

Unfortunately, governments that identify single frameworks and service organizations that promote specific standards perpetuate the illusion that one framework or standard is the solution to all compliance and control needs. Such proclamations steer organizations to adopt a separate ...

Source: IT Compliance and Controls: Best Practices for Implementation.