From the perspective of much of the literature dealing with Information Security Standards, the decision to adopt or follow such standards is mainly a technical decision subject to regulatory requirements. This paper explains why the decision to adopt an information security standard is one taken in a complex marketplace of competing standards, competing service providers, competing security design methods, and competing national and international legislative requirements, all under the oversight of closely watched audit firms and government regulators. While the dependence on standards for guidance in information security is growing, so is the complexity of the decision. The decision affects the economic justification of internal controls in information systems. Without regulatory standards, risk economics are necessary to justify acquisition and implementation of controls. With regulatory standards, risk economics are necessary to justify exceptions to the acquisition and implementation of controls. The impact of this economic shift may drive down organizational competitiveness or increase misleading compliance behaviour among IT professionals.
Baskerville, Richard, "The Information Security Standards Marketplace" (2006). ACIS 2006 Proceedings. Paper 90.