Thank you for this discussion. It helped me form an approach to this topic in my mind. Here I write the most important points from my perspective:

General rules

1. Start from the high level. Define a starting point: do we deal with payments (reviewing security for payments)? With banking (law regulations, legal regulations)?
2. What do we have to secure? What is the core value of this IT solution: knowledge of how it works, data, or payments?
3. Research information: ISO, online (e.g. discs standards). Look for standards for the specific domain.
4. What must be secured? Why? What are the consequences of a lack of security?

Don't forget:

a. Sometimes research is required; this takes time, and it needs to be communicated.
b. System monitoring and solution evaluation, in an iterative way.
c. Remember the impact of security on performance and usability.
d. Find people who can help.
e. Think about how to test the requirements.