Setting up the rule-set which governs the Cyber Security Function will always be a rewarding effort.
Consider installing and maintaining the necessary organisational instruments to deploy operational and managerial functions, including management KPIs.
On the managerial side, all elements of the PDCA circle will be covered. Do you remember the Deming circle: Plan, Do, Check, Act?
NIST CSF or ISO 27001 may be used as the subject-matter body of knowledge; COBIT 5 likewise.
Combining ISO 27002 and NIST SP 800-53 and inserting the CIS Controls is a good start, though it needs commitment.
Risk Management will need to be given more depth, allowing better support for OPEX/CAPEX decisions.
Combine ERM and ISO 31000, adding FAIR and MITRE ATT&CK where needed; just make sure to make it part of your Governance suite.
This link takes you to the page where you can request more information.