If your company is really serious about HTTPS security, you will not be using Let's Encrypt
Heresy, right? Not really.
If your company is really taking the topic seriously, they will set a DNS CAA record. It's a TXT record for Certificate Authority Authorization and lists the CAs allowed to issue certificates for your domain and subdomains. ALL CAs are required to check for the presence of that record. No record means any CA can issue a certificate.
Use Let's Encrypt, even with a CAA record, and yeah, you know what they say about "free" products... From their FAQ: "Let’s Encrypt is run by a small team and relies on automation to keep costs down. That being the case, we are not able to offer direct support to our subscribers." That does not give me a warm and fuzzy feeling. They are providing a great service but my opinion is it's not for security-centric organizations.
Use a real, paid-for CA and list them in your CAA record. You'll have two-factor logins for your account and probably IP address restrictions. That will keep someone from creating TLS certs for your domain without your knowledge unless they can social engineer the CA into lifting the source IP address restriction as well.
Just as importantly, see if your domain registrar can set a "lock" on your domain registration at the top-level domain. That will create a multi-step process involving PINs and phone callbacks before changes will be permitted to the authoritative DNS servers. It pretty much eliminates the most common domain hijacking attack.
No, I do not work for a CA or a registrar.
This site will help you learn about CAA records and can give you the needed syntax as well as test your record: https://sslmate.com/caa/
No, I have no affiliation with them. They also have a Certificate Spotter service, free for up to five domains, which will alert you if a certificate is issued for your domain.