This is what a NIST implementation looks like: https://www.irs.gov/privacy-disclosure/safeguards-program . IMHO, the SANS 20 critical security controls would be more useful: https://en.wikipedia.org/wiki/The_CIS_Critical_Security_Cont...