I'll just break it down fully.
The owner of my company is working on a partnership deal with an insurance company. His plan is for us to survey a potential client’s network and analyze the security based on a set of industry-standard guidelines. If they are deemed secure, or purchase the equipment and service we provide (that's the key here), then they are approved for a cost-effective insurance plan for their data and network.
We are a security-experienced group of 4 engineers, all of us are MSCE, and two of us are Security+ certified. Analyzing and finding security faults is no difficult task for us, things like password policy, use of domains instead of workgroups, DMZ, NAT, etc. However, we are having trouble finding unbiased industry-standard documentation for the basic networks we are dealing with. We are considering purchasing the ISO 27000 documentation online, but I wanted to ask around to see if anyone has ever dealt with anything similar. I appreciate any guidance in this matter. Thanks.