...
Understand the legislative framework in which the business exists (eg does the Mandatory Data Breach legislation apply to you, are you a financial organisation and need to follow APRA regulations).
Understand the risk appetite of your business (this will probably evolve over the course of doing the assurance process).
Conduct a risk assessment (either formally or just as you are going through the assurance process).
Understand or create a cybersecurity strategy - it could be as simple as “we need to be better at cybersecurity” or a full document that states goals, objectives, steps, and priorities).
Understand the controls required - you may need some help with this. Like what exactly is Application Control?
Understand the scope of the controls within the business - eg is it just the Administrative side of the business to tackle first, or is there Manufacturing, or other areas of the business that needs to be addressed later.
Implement the controls as outlined in the Assurance level you are wanting to achieve.
Document the controls put in place.
Monitor, measure, and audit the controls regularly.
Rinse and Repeat.
...