There are a seemingly endless number of information security frameworks available to the practitioner, life cycles to aid in understanding, and policies derived from frameworks. In many cases the implementation takes place, but unless it is an audit item or there exists a regulatory compliance requirement, there is very little enforcement. I have witnessed this in every major corporation I worked with. In most cases this is because of limited knowledge, or a limited number of personnel, which is driven by budget priorities. Renewing the club membership for senior executives is more critical than adding one more person for policy compliance. I write that without a hint of sarcasm. If I have a senior marketing executive whose efforts are growing sales, it is money well spent. Take that away and he may move to a competitor. Sales and marketing are the apex of the pyramid; everything else is support.
Companies invariably treat various forms of regulatory compliance as a nuisance to be dealt with, not as a risk management tool. The correct approach is to do risk management properly, and the regulatory compliance will follow. This is well known. It isn’t done on the whole, however, and many information security managers use regulation to push through better practices under the auspices of meeting compliance. It is ineluctable that regulatory frameworks will become outdated as innovation occurs, and those companies whose regulatory tail wagged the risk management dog will be more vulnerable than ever.