Best Practice is defining your Best Practice
Most IT professionals will have their own idea of best practice, and some vendors even provide tools to check for their flavour of best practice. Often, however, best practices are not quantified or measurable and, as such, are in the eye of the beholder. Worse still, best practice is very often overridden for business reasons, such as being too difficult or too costly to implement.
Best practice does not give your systems an impenetrable shield; data breaches, failures and human error can still happen.
In your organization, define best practice, document it and share it. Also record exceptions made for business or technical reasons: identify, justify and document the risk of not following a best practice.
Auditors may consider common practice to be implicit in best practice, like having the necessary security architecture or not configuring a firewall to allow all traffic. Talk to other companies that do what you do through information channels, share the types of activities you perform to mitigate risk and adopt ideas if they are right for you.
Don’t expect doing what everyone else does will help you pass an audit but if you’re not doing the things your best-run competitors are doing, you’re open to the charge that you have not met reasonable standards for “duty of care.”
Just saying that you adopt “Best Practice” is an illusion that could someday be uncovered.