What is the industry-standard recommendation for where non-functional security requirements end and enterprise requirements begin?

I have been tasked with coming up with security requirements for a project. I am finding it difficult to find the line between where project-specific, non-functional requirements end and general security requirements for the enterprise begin.

For example: "access to an SFTP server must require IP whitelisting" vs. "privileged access reviews must be conducted on a semi-annual basis". The former is specific to the project at hand, while the latter should be applicable to the organization as a whole, the current project included.