I have a small part of the task of establishing "reasonable security procedures and practices" for a small company that hosts personally identifiable information (PII). Their stack is Node.js apps and SQL database back ends hosted in AWS.
My last job was in a PCI environment. Because the standard is pretty thorough, it was time-consuming to set up, but not too hard to pass. NIST has many standards. The ones I read seem to apply to government contracts to various agencies.
For example, California has a law that defines PII, but provides no guidance as to what is minimal care: http://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV&sectionNum=1798.81.5
I am no longer in an industry that needs PCI standards and am at a loss as to where to go. Per the title, is there a documented standard for "reasonable security procedures and practices"?
Posted 5 years ago on reddit.com/r/linuxadmin/...