The thrust of this article is that you should start with a data mapping exercise. I usually ask the question “What do you want to protect” as that drives the asset identification, prioritisation, and risk mapping against threats that should be the foundation of any security program…:
[…] There are also significant tools that can support the effort. One of the most important is the Cyber Assessment Framework, developed by the National Cyber Security Council, through which public service providers can identify any weaknesses in need of urgent remedies. It can be used to drive procurement, initially looking for the areas where the spending can have the biggest impact at the lowest cost.