As cyber-security moves to the forefront, there are no shortages for frameworks for implementing cyber-security. Generally, there are two broad categories of frameworks, prescriptive frameworks, such as NIST, or risk-based frameworks. So what is the difference?
Prescriptive frameworks tend to be top-down requirements that must addressed. Basically, these are one-size fits all. Risk-based frameworks are more bottom-up in that risks that are specific to the system are identified and controls are designed around those risks.
There are costs and benefits to each approach. Prescriptive frameworks provide standardization and work well for specific industries. However, they can be costly to implement. Risk-based frameworks can be less burdensome and address the nuances of a given system but there is always the concern that some risked might not be addressed.
So which one to use? It depends. Risk assessments can determine which parts of a prescriptive framework to apply. Prescriptive frameworks can also be used as a guide for a risk-based approach.
Ultimately, it is up to the organization to decide which path to take based on industry regulations, best practices, experience, and the current environment.