“Compliance is just theater. Checkboxes don’t equal security.” I'm sorry, but this is just wrong.

Why? Because every authoritative framework worth pursuing has mandated risk management. It’s not hidden in an appendix.
Every Major Framework Explicitly Requires Risk Management
- SOC 2 (Trust Services Criteria): CC3.0 Risk Assessment and CC9.0 Risk Mitigation are mandatory common criteria. No documented risk assessment = automatic failure.
- NIST SP 800-53 Rev 5: The entire RA and PM families require an organization-wide risk management framework. Controls are then tailored.
- PCI DSS v4.0: Requirement 12.2 mandates a formal annual risk assessment. Requirement 12.3.1 introduces targeted risk analysis to justify control frequency.
- ISO 27001/27002 (2022): Clause 6.1.3 and control 8.2 require you to establish, implement, maintain, and continually improve a risk management process.
- And on it goes.
These aren't suggestions. Risk management is a mandatory exercise.

You are required to exceed minimums when your risk demands it. The frameworks explicitly say the baseline is a floor, not your high-water mark.
What About Breaches?
When organizations are technically “compliant” and still get breached, the failure is almost always tied to a nonexistent or terribly executed risk management program.
Mature programs:
- Start with the required risk assessment, then select and tailor controls
- Apply stricter measures to high-risk/crown-jewel assets, lighter ones elsewhere
- Exceed minimums where their own risk analysis justifies it
- Continuously reassess, because every framework demands it
That’s not “checkbox compliance.” That’s literally what the standards require.

So next time you’re tempted to say “compliance doesn’t equal security,” I'm curious to see your last risk assessment that actually drove control selection.
Because if your takeaway from reading SOC 2, NIST, PCI DSS, ISO, etc. is “just a checklist,” the problem might not be the framework...