A very good overview how ESXi can be hardend including a framework in the background can be found here:
CIS_VMware_ESXi_6_7_Benchmark_v1_0_0.pdf (bobylive.com)
To start securing ESXi, you should leave SSH disabled and activate Lockdown Mode in vCenter. If further steps are required to fullfill audits, please checkt the benchmark guide above.
