The International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 27001 (ISO 27001) series of standards is a set of best practices that provides guidance to organizations implementing and maintaining information security programs.
An important aspect of ensuring compliance with the information security program is the education and awareness of the organization regarding the importance of the program.
Also, commitment from senior management provides the basis for success in implementing an information security program.
https://www.experts-exchange.com/articles/31763/Incident-Handling-and-Response-Plan.html
https://www.experts-exchange.com/articles/33330/Threat-Modeling-Process-Basics-and-Purpose.html
https://www.experts-exchange.com/articles/33606/CISSP-Process-Guide.html
Basically, they're asking you to create written documentation showing how you protect your data: CIA (Confidentiality, Integrity, Availability).
These names are regulations/compliance standards for your company (ISO 27001, PCI-DSS AOC, SOC Type II). HIPAA is another one; feel free to Google it.
In short, they want you to have documentation showing the company how you are protecting its data.
For example:
1- What is the policy for a user when they leave the company?
2- Are you encrypting the data (outbound emails, VPN)? What encryption methods are you using?
3- What is the password policy in Active Directory? Are you locking the machine after an idle time?
4- How often do you run updates? Does your company deal with social security numbers or any confidential information, and if so, is it being encrypted?
This can give you an idea.
Cheers.