The product I spend most of my time working on sells as a managed service to the investment/advice banks, and even though we only deal with the T&C side of things (no money, very little by way of client data (it should be zero client data really, but as names and other identifying info sometimes creep into file-check records and such they have to take precautions based on the service having more than just employee details within)) we have to keep with that sort of standard: ISO27001, everything dedicated including firewall boxes between "their" machines and us (& the rest of the DC, obviously), regular penetration tests, they even require background-checks and other vetting of our staff.