What it comes down to is risk
Any good information security program should always relate to the business case and the organization's tolerance for risk. That risk tolerance is the baseline the program should address, together with any additional legal requirements.