I've long been a fan of the advice from the Australian Signals Directorate (ASD) [previously the Defence Signals Directorate (DSD)]. Not too long ago they changed their "Top 4" to their "Essential Eight".
What I like about ASD's advice is that it's easy to read, in comparison ISO 27001:2013 …
