Information security practices

What is the standard of good practice or “the gold standard” of information security practices? How do organizations measure the effectiveness of best practice information security practices and IT Risk Management measures?