OliLue
Newcomer III

Security controls defined by value or policy

Hi all,

What defines or dictates the security controls / measures for assets?

The asset value or the company policy?

To my understanding, in the policy the countermeasures are defined for the asset value, so it is the policy. But in the preparation paper the asset value dictates the controls.

What is your view?

Best regards

OliLue

6 Replies
ericgeater
Community Champion

There's a little bit of circularity here, but companies won't protect what they don't value. If they don't understand what an asset is worth, they won't apply protections which fit the asset.

For me, this is where governance comes into play. Policies should dictate that assets should have a value determined, and that risks to those assets are assessed. Leadership comes from the top down, which is why policy is so key here. Without policy, there's no direction. Without policy, there is no leadership. And if you want to define what a lack of leadership looks like, that's not having a strategy in place to protect (or make resilient) data.

-----------
A claim is as good as its veracity.
dcontesti
Community Champion

If I read your question properly, I would answer this way.

As part of the Info Sec program, one should set up a Data Classification (DC) program.

That program allows one to classify the data in terms of Availability, Integrity and Confidentiality. One must clear the DC program with management. Why? To ensure funding for tools, etc. Also, it assists management in understanding the value of their data. Data Classification may or may not be part of company policy.

However, as @ericgeater has stated, this could be circular in nature.

I suggest that you post the actual question such that folks can read it along with the options.

d

 

Early_Adopter
Community Champion

Both excellent answers. I'd just add to them by saying that policy is going to be flexible and informed by sectoral and regulatory concerns - many resources are available to begin formulating this - but I think that aligning policy to business goals along the architecture provided by TOGAF/SABSA is a good way to start. However, there are other places, and selecting the right approach, developing and co-opting terms of reference makes good sense so you can talk about the same things (engineering terms and traceable requirements help you to reduce ambiguity; shall, will, must are always better than should and can, for example).

If you're beginning, it's good to keep it flexible and identify the critical few items required to make something functional. A good asset inventory of HW/SW/Information is a place where you can record the value of assets, to begin to create something that you can think about and seek input from business and other stakeholders on.

There are plenty of control frameworks, and qualitative risk is likely to be quicker to start than quantitative, but dollar data is good (even if it's just asset cost and paid-up company value).

Good practice satay handling and an AUP for users is critical, as is informing about monitoring, asset ownership, etc.

Remember no control will be perfect and you need to look at priority, plus once it's deployed, what's the residual risk? Measurement on a cadence is critical: malware/attacks blocked where/when/how? You can spend loads on funky EDR/XDR (allow me to sell you one) but if you're not patching well it might not help, and without good layered security (email, proxy, CASB, SASE, isolation, endpoint security, good supply chain hygiene) you might just find yourself chasing shadows.

Not all controls are technical in nature, and some of the best, aligned to your organisation's culture, are going to come cheaper and can be more valuable than layering technology - don't do this, do do that, lock your PC and don't take snaps; basically free if everyone buys in.

Now we get to the proper systems part: Plan, Do, Check, Act. Take the output from your metrics on the controls in the enterprise and feed them, with external sources, into your policy - select a few good internal/external benchmarks and report on them through your baseline, decide what to do on your best cycle and don't forget to ask for budget!

If your policy, docs, controls, reading on the threat landscape, and what matters to the business are fed back into planning and design through transparent feedback loops, it's possible that you just take Eric's advice about circularity and shape that into a cyclical improvement process - remember you never get an ideal starting position (even if you think you did), so embrace change, select the best metrics (not too many) and consider value and cost - but ultimately resources are limited, and once you've got the best metrics and dashboards you can prioritise and, with stakeholders, make the judgement call - remembering to review your policy and sign off on the agreed roadmap and plan with your colleagues and stakeholders.

Early_Adopter
Community Champion

Of all these things though, "Satay handling" is by far the most important - balance the peanut and chilli, have plenty of cucumber and enjoy chicken, mutton, beef or even pork or vegan meat (if you can catch fresh vegans) sensibly? In moderation, remembering to never introduce it to your servers, no matter how much they ask you…
ericgeater
Community Champion

I just wanted to say, after reading your reply, that vegetable korma is the most wonderful dish on the planet. The world owes its creator an immeasurable debt.

Don't forget your pinch of mukhwas on your way out!

-----------
A claim is as good as its veracity.
Early_Adopter
Community Champion

I had Chicken Korma with Vegetable Biriani at the weekend and I have to concur.

I’m also amazed by the difference in Kormas I’ve been lucky enough to sample from the UK early on across India and in Singapore… 🙂