Probably not. In my experience most standards are pretty broadly defined with hardly any technical requirements.
For instance, ISO 27001 states that you should create awareness in your organisation about information security. A very minimal way is to send a mass email to everyone in the organisation or hang up posters in the office. But I also spoke to someone who had determined that a half-day security awareness training was the minimum required.
As someone who has worked in both PCI and PHI environments (and by extension PII), oftentimes these aren't actually about compliance but about someone's interpretation of compliance.
What tends to happen is that auditors aren't going to tell you not to do something you don't have to; they're going to tell you to do the things you must. Then the ones going "above and beyond" become convinced they're great at this compliance thing and that others who don't do it are mistaken.
A perfect example is that PCI compliance requires firewalls, but I know of a CISO who insisted on hardware-level separation between networks with no way to bridge between them. The amount of pain and harm he did to that company cannot be overstated, but he was convinced it was a requirement of PCI-DSS.