You will need to make a decision on what set of controls is most appropriate to use within your organisation. From this set of controls, you will select those controls necessary to control risks, and meet internal and external requirements. Sets of controls include:
ISO/IEC 27001:2013 Annex A
CIS Critical Security Controls
Some countries may have their own control sets, for example the UK specifies five controls for basic cyber hygine in the Cyber Essentials standards.
Particular domains for example, scientific collaboration environments, may also have their own control sets.
This section should have a reference to ISO 27001 chapter 6: planning.
...