I think you might find this seminar helpful.

as a starting point, you can take the 21st order of the FSTEC. CRM explicitly processes personal data, so it will not be superfluous. Basically, this is access control, differentiation of rights, logging of actions. If you plan to exchange data with counterparties, you should think about integrating cryptographic information protection and key management.

Document template "Terms of Reference for the development of automated control systems". You can download here

Any technical task, first of all , is written based on the requirements of the customer and the common sense of the performer.
There are a number of guidance documents on information security in general ( FSTEC website ). If specifically for CRM, then first of all we look at RD "SVT" and RD "AS" .
Further, there is a decree of the government of the Russian Federation No. 1119 and the 21 order of the FSTEC already mentioned here
Documents from the first series tell how to write a system for security requirements, i.e. what specific functionality should be implemented there, what mathematical models it should correspond to, etc. Documents of the second series tell you exactly what you need to complete your system to make it safe.
In the case of your CRM, you will write it yourself, based on the RD. But writing the OS itself, DBMS, firewalls and other components is pointless, there are a lot of ready-made solutions on the market. So here's what exactly the OS, DBMS, FireWall, etc. should support. this already describes 21 orders.