What framework are you basing your security program on? I am trying to suggest the use of the CIS Critical Control framework due to its excellent mapping to other compliance requirements.
I recommend the NIST Cyber Security Framework to my current/former clients. It maps to almost everything.
It was also recently updated to version 1.1 - available here:
Incidentally, AuditScripts has a nice security control cross-mapping spreadsheet that includes almost all US and many international control standards. You can download it here:
I love the work from AuditScripts! The CSF is one of my other favorites, but I am partial to the CIS.
If you like the CIS controls, then you might also want to check out the new Secure Controls Framework. It's in beta, but is still useful.
There is a small amount of overlap with CIS, but quite a bit of it is unique.
They seem to be trying to incorporate various best practices with security controls frameworks… which seems like a good idea in my book.
What I really like about it is that they show what is needed to meet the control objective, be it various corporate programs or steering committees, policies, metrics, etc.