<p>It was about time (ISC)2, ISF and ISACA got together and put on paper principles that many of us have used for a long time.
I doubt that those that still feel IT and InfoSec are “The
Stewards of the One True Way” will ever read them, much less decide to
actually follow them.
It is definitely good to see principle A1: Focus on the business.
However, keep in mind that A1 and A3 can and will at times clash. When they do, B1 to the rescue. Compliance with relevant regulatory
requirements is just another risk you need to manage. Compliance with
legal requirements is only optional if you work for an organised crime