Compliance requirements are the table stakes you should do in your sleep so that you spend most of your time decomposing risks (attack graphs or not). It's a mistake to dismiss compliance (or CIS in another poster's comment) as useless; they are basic - and the fact that so many can't deliver the basics is a huge issue.