FedRAMP is a recent US government initiative to standardize the way security is assessed for cloud service vendors. As you might expect from the government the security guidelines are voluminous. The system security plan alone is 353 pages! Unless you are competing to provide cloud services to the government you may not be able to implement such a comprehensive plan.
The reason I mention it it here is that IT and IT Security managers will find a lot of practical information in this plan and on the FedRAMP documentation page. A subset of this of plan is certainly practical for smaller shops. If you review it I think you will find many ideas for how to improve your local security even if you are not a cloud service provider. The plan is comprehensive and cover a wide range of topics.
It emphasizes written plans and written policies and procedures. I think these are good idea. The goal is to balance documentation and agility. Planning is an important management responsibility and should be captured in writing. This is needed for audits but is also a great communication tool. All the IT staff need to understand their roles and the procedures to follow. IT is not only about fighting fires.