Don't start from scratch, use a framework

Do not start from scratch when you begin to establish your information security program. There are many excellent frameworks that exist that you can use to establish your information security program. Look to standards such as the ISO 27000 series, NIST Cybersecurity Framework, or COBIT 5. These organizations have collectively spent millions of dollars to establish these frameworks. Additionally, these frameworks have been peer-reviewed by thousands of subject matter experts. Your organization is not going to be able to bring these sorts of resources together in order to plan out a new framework. Take advantage of the previous work done by other great professionals and apply an existing framework within your organization.