
Expert Advice Community

Setup of Governance, Risk and Security department

Guest user Created:   Sep 30, 2020 Last commented:   Sep 30, 2020

I have been tasked to set up the IT Governance, Risk and Security department from zero and was wondering what approach to take to make it easy to adopt as well as practical, and to allow me to introduce policies and guidelines to mitigate risks as I go along.


Expert
Rhand Leal Sep 30, 2020

Broadly speaking, setting up a new department in an organization is very similar to implementing a management system, and you should consider:

  • the identification of a clear reason why you need this new department (e.g., it will fulfill a business need, it will give a market advantage, it will comply with legal requirements, etc.)
  • the definition of objectives, goals, and targets
  • the performance of a risk assessment, to identify relevant risks related to the achievement of objectives, goals, and targets
  • the definition of an action plan, considering the activities the department must perform (e.g., risk management, audit, controls implementation, employee training, etc.), which competencies you need (i.e., job descriptions), how many people will be required, and what its internal organization will be (i.e., hierarchy). At this point, you will define which policies, guidelines, and controls to implement to mitigate risks to the achievement of objectives, goals, and targets.
  • the identification of requirements related to space, equipment, and facilities
  • how to fill job vacancies (e.g., internal placement or external hiring)
  • the definition of a specific budget
  • top management approval of the proposed department

For further information, see:

The concepts in these articles, although applied to ISO 27001, can be used to set up a new department from zero.
