Broadly speaking, you can consider these controls:
- A.6.1.2 Segregation of duties
- A.8.2.1 Classification of information
- A.8.2.3 Handling of assets
- A.13.2.1 Information transfer policies and procedures
- A.13.2.2 Agreements on information transfer
But please note that the ISO 27001 Annex A approach to grouping controls is not related to specific processes or business units, but to security objectives to be achieved.
Considering that, without the results of risk assessment and the identification of applicable legal requirements (e.g., laws, regulations, and contracts), it is not possible to define controls specific to finance.
These articles will provide you with a further explanation about the identification of requirements and risk assessment:
These materials will also help you regarding the identification of requirements and risk assessment: