Standards

Information security standards are the quantifiable/measurable metrics that can be used to:

  • Determine whether an organization complies with compliance standards or internal policies
  • Determine whether or not a specific performance SLA is being met

An organization should use an existing standard, such as those from NIST or ISO, rather than creating its own. The process of creating a standard is incredibly time-consuming. Tailoring an existing standard to suit your organization's needs is a better option.
