New to Jamf - Higher Ed Baselines and Starting Policies/Configs?

egnompaln
New Contributor

Hellllooooo! I've recently finished the Jamf Connect onboarding and am in the process of setting up our environment. Can anyone recommend some configurations and policies that make for a good, secure baseline? I am in higher ed and some of our computers will be with faculty and staff, others with classes and labs. If you have any scripts, know of sites, or anything else helpful I would super appreciate it! Thank you


AJPinto
Honored Contributor II

Unfortunately there is no one size fits all, or even one size fits most. Your organization's needs and goals are unique to your organization. As far as securing things, I would start with Configuration Profiles to enable FileVault and limit user access (restrictions). You may need fundamental environment reworks to properly secure devices. For example, macOS is designed to be deployed 1:1, and you really want FileVault enabled to encrypt the disk. However, if you are using shared Macs, enabling FileVault puts a lot of work on the admin, as you need to assign Secure Tokens to new users as they log in (manually or with a script). If the device is secured within a lab you may not want to enable FileVault. Policies would install applications and configure things with scripts; I would do Policies after having the Configuration Profiles in place.

A good goal to use would be the NIST Benchmarks; you can start with CIS L1, but many orgs use CIS L2. There are tools you can run to see what your gaps are against the benchmark. Jamf's Compliance Editor may be worth looking into if you are just starting out; it will make many of the configuration profiles for you.

usnistgov/macos_security: macOS Security Compliance Project (github.com)

Establishing Compliance Baselines (jamf.com)

As AJPinto already said, there is no one size fits all...
I would add some way to enforce or strongly encourage system updates (we are using Nudge, since the Apple-provided options in MDM are not working as intended).
Also, collecting some additional information via Extension Attributes can be useful. Some examples:
- Find My status
- Last user
- Rosetta 2 installed?
- Last Time Machine backup

But keep in mind that Extension Attributes are always collected for your whole fleet.
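To make the two replies above concrete, here is an added example (not from the original thread or from Jamf) of the kind of Extension Attribute script they describe. It covers the "Rosetta 2 installed?" and "Last Time Machine backup" items from the second reply, and adds a Secure Token inventory for the shared-Mac FileVault concern raised in the first reply, so an admin can see which local accounts would be able to unlock the disk before FileVault is enforced. Assumptions: a Jamf Extension Attribute reports its value by printing a single `<result>…</result>` line; the Rosetta translator lives at `/Library/Apple/usr/share/rosetta/rosetta`; `tmutil latestbackup` prints a path whose last component is a `YYYY-MM-DD-HHMMSS` timestamp (with or without a `.backup` suffix); and `sysadminctl -secureTokenStatus <user>` prints `Secure token is ENABLED for user <user>` or `... DISABLED ...`. The sample `sysadminctl` output embedded below is constructed for illustration. The parsing functions take their input as arguments so they can be exercised off a Mac; only the final block runs the real macOS commands.

```shell
#!/bin/bash
# Added example: Jamf-style Extension Attribute helpers (not the project's own code).
# Assumed EA contract: print exactly one <result>...</result> line to stdout.
ea_result() { printf '<result>%s</result>\n' "$1"; }

# Rosetta 2: report whether the translator binary exists (assumed path; overridable for testing).
rosetta_installed() {
    local path="${1:-/Library/Apple/usr/share/rosetta/rosetta}"
    if [ -f "$path" ]; then echo "Yes"; else echo "No"; fi
}

# Last Time Machine backup: takes the output of `tmutil latestbackup` as $1.
# Empty input means no backup has completed; otherwise reduce the timestamp to its date.
last_tm_backup() {
    local latest="$1" stamp
    [ -z "$latest" ] && { echo "No backup found"; return; }
    stamp="${latest##*/}"          # last path component, e.g. 2024-05-01-120000(.backup)
    stamp="${stamp%.backup}"       # APFS-style backups carry a .backup suffix
    case "$stamp" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]-[0-9][0-9][0-9][0-9][0-9][0-9])
            echo "${stamp%-*}" ;;  # drop -HHMMSS, leaving YYYY-MM-DD
        *)
            echo "Unrecognised: $stamp" ;;
    esac
}

# Secure Token inventory: reads `sysadminctl -secureTokenStatus` lines (one per user) on stdin
# and summarises which accounts can unlock FileVault. Unmatched lines are ignored.
secure_token_summary() {
    local enabled="" disabled="" line user
    while IFS= read -r line; do
        case "$line" in
            *"Secure token is ENABLED for user "*)
                user="${line##* }"; enabled="$enabled${enabled:+,}$user" ;;
            *"Secure token is DISABLED for user "*)
                user="${line##* }"; disabled="$disabled${disabled:+,}$user" ;;
        esac
    done
    echo "enabled=${enabled:-none}; disabled=${disabled:-none}"
}

# Constructed sample of sysadminctl output (not captured from a real machine).
SAMPLE_TOKEN_OUTPUT='2024-05-01 12:00:00.000 sysadminctl[512:9999] Secure token is ENABLED for user labadmin
2024-05-01 12:00:01.000 sysadminctl[513:9999] Secure token is DISABLED for user student1'

# macOS-only wrappers: these call the real tools. Pick one per Extension Attribute.
ea_rosetta() { ea_result "$(rosetta_installed)"; }
ea_tm()      { ea_result "$(last_tm_backup "$(tmutil latestbackup 2>/dev/null)")"; }
ea_tokens() {
    local out="" u
    # Local accounts with UID >= 500 (assumed convention for human users).
    for u in $(dscl . -list /Users UniqueID | awk '$2 >= 500 {print $1}'); do
        out="$out$(sysadminctl -secureTokenStatus "$u" 2>&1)
"
    done
    ea_result "$(printf '%s' "$out" | secure_token_summary)"
}

# Only run the real collectors on macOS; choose with: script.sh rosetta|tm|tokens
if [ "$(uname)" = "Darwin" ]; then
    case "${1:-tokens}" in
        rosetta) ea_rosetta ;;
        tm)      ea_tm ;;
        tokens)  ea_tokens ;;
    esac
fi
```

In Jamf, each Extension Attribute is a separate script, so in practice you would paste one wrapper (plus the helpers it needs) per attribute rather than deploy this file as-is. Because these run on every inventory update across the whole fleet, as the reply notes, keep each collector cheap: the parsing here is pure shell and the only external calls are the three macOS tools named above.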