Stanford Human Risk and Resilience has many years' experience in preventing and dealing with cyber security breaches, including managing communications with the ICO. An important element of post-breach ICO reporting is 'what did you do before the breach?'. To have what we call a 'defensible position', you have to show that you took appropriate preventive actions and behaved responsibly.
For most people, this starts with some kind of independent assessment, highlighting cyber security weaknesses and helping you fix your vulnerabilities.
Depending upon your business, this could take many forms, ranging from simulated hacking exercises and technical reviews of your systems to analysis against a recognised security standard such as Cyber Essentials (for small businesses) and ISO 27001.