Compliance and risk

I've been reading a good, common-sense article entitled "Compliance Optimization: Defining The Right Level Of Control", written by Michael Rasmussen and published by Forrester. Michael states that we should take "a risk-based approach to compliance and control management." I concur. The point is that we may have a tendency to be seen ticking all the right boxes against the compliance checklists without really understanding the implications, or the risks that need to be addressed.

Michael goes on to state: "Defining your control environment around just-add-water best practices is exactly what we are trying to overcome." Here's an example: let's say we identify gaps in our change control processes that prevent compliance with a particular new piece of legislation, and we decide to address the gap by purchasing some new software. That's fine, we are now compliant! This, however, is wrong. Why did we have gaps in the first place? Do we understand the implications of those gaps, and where and why we were exposing ourselves to risk as a result? Unless we can answer those questions, we might be ticking the right compliance box, but we are not delivering security to our stakeholders.

Forrester have a security and risk management blog here: http://blogs.forrester.com/srm/.

There's another interesting one here from McAfee: http://siblog.mcafee.com/?cat=15

This page contains a single entry from the blog posted on February 26, 2007 7:30 AM.