Most organisations start with standardised control catalogues and work backwards to justify coverage. Few start with business context, threat landscape, and actual vulnerabilities to determine which controls reduce risk and which waste resources.