Regardless of organization, country, or industry the goal is to protect information, and that is done pretty much the same regardless if your protecting data that is the color of ducks or credit card transactions.
1. do you have regulations you are subject to? Meet those, now your compliant.
2. Do you know all your assets?
3. Do you know all your IPs?
4. Do you know all your windows/doors (access points in and out of your enterprise)?
5. Do you kKnow where data is exchanged, or where systems interface?
6. Do you know what your employees are accessing?
7. Do you know what devices or people are plugging into your network?
8. Are you looking for new vulnerabilities?
9. Are you updating, and patching?
10. Are you tracking changes?
11. Are you backing EVERYTHING with a policy? Policy management program?
12. Do you have adequate resources, staff, skills, knowledge, on going training, management, funding?
13. Do you have Business contitunity planning?
14. Do you have Disaster recovery?
15. Do you have a Back up strategy?
16. Do you conduct Pentesting/ security assessments (completed on internal and vendors)?
17. Do you have a Vendor management program?
18. Do you have a Risk management program?
19. Do you have a Threat hunting program?
20. Do you have a On going awareness training of non-technical staff? And role based training of staff?
21. Do you have a Data classification program?
22. Do you have a Encryption strategy?
23. Do you implement DevSecOps?
24. Do you have Loggingand monitoring
I look forward to see what others add. And I hope this helps.
Point is, even without a formal framework, if your asking the right questions, then applying adequate solutions, and it’s on going you reduce risk to your company, and provide a more secure enterprise.