I think the intent here is to note that there may be business requirements about these that affect the security of your business.
For example, if anyone pays you through credit cards, PCI DSS is non-optional. Certain transactions of health information will require Hitrust. Without them, you won't be able to do business, and while they seem large (PCI DSS if you have another company handle the cards, is a very simple self-assessment.)
For example, if anyone pays you through credit cards, PCI DSS is non-optional. Certain transactions of health information will require Hitrust. Without them, you won't be able to do business, and while they seem large (PCI DSS if you have another company handle the cards, is a very simple self-assessment.)