When creating a security program, there is a need to be objective. Over the years i have seen many businesses start such a thing and then create a huge array of paperwork with it. One such NZ company, a decade ago, managed to set up a Framework and a Compliance program with over 300 controls and then tried to validate them all, at the same time. At the height of it, there were 50 people involved in trying to check everything and the effort diverted entire teams away from operational work for months. Lauded as a compliance exercise all it ever did was confuse everyone on what was being achieved. It is best to have a set of critical controls, which must be effective at all times, particularly if the company is critical infrastructure in NZ. Others can be there because they are relevant but priority must be given to ones where the failure of the control represents the real loss in your risk assessment. Your board and C levels officers should back you up because this is their money and assets that will be lost.