Compliance guidelines such as PCI DSS, ISO, SOX, and NIST usually define desired outcomes, but don’t recommend any specific technical checks for actually achieving them. How can you "check the box" without knowing which specific tests are required for verifying the security configurations on any target asset?
For example, you may have to implement and validate technical policies and processes that ensure secure data transmission, limit access to information, or protect the integrity of customer and employee information. However, how you actually achieve these requirements is left up to you to work out.
For instance, consider this specific PCI DSS 3.0 requirement, PCI DSS 2.2.2: "Enable only necessary services, protocols, daemons, etc., as required for the function of the system."
In this case, the requirement is clear, but how would you confirm that only secure services, protocols, and daemons are enabled and that all unnecessary and insecure services are disabled across your entire infrastructure according to PCI DSS requirements?