The fundamentals of these frameworks are not inherently bad. The main problem is that they are treated as the checkbox solution that should be implemented regardless of context.
If you take your IT security work seriously you will in most cases already fulfill the requirements stipulated in the frameworks, and if you are setting out to get started with more structured approach they are a good place to start.
What cannot be understated however is the need for context, IT security is a set of choices that determine where you will have exposure and those business risk. For any business these will be different, as regulation and value creation differs. Exactly as any other risk management, but for some reason this does seem difficult for most to understand.
If you take your IT security work seriously you will in most cases already fulfill the requirements stipulated in the frameworks, and if you are setting out to get started with more structured approach they are a good place to start.
What cannot be understated however is the need for context, IT security is a set of choices that determine where you will have exposure and those business risk. For any business these will be different, as regulation and value creation differs. Exactly as any other risk management, but for some reason this does seem difficult for most to understand.