Define your critical services
Define Damage / Risk classes for those services
Get the right literature for this
(Germans: Start with the "Grundschutz Handbuch", but don't take it as dogma)
I once did the Grundschutz audit for my old balcony that was crammed with computers. A good practice to learn where I had neglected best practices etc.