One very common area where businesses contract to certain security practices is merchants contracting with credit card companies, who require PCI compliance. Where both SOX and PCI compliance differ from your question is that the standard is set by an independent third party, and the two contracting parties basically agree to abide by that independent standard.
Since the standard is objective and maintained by a third party, it is possible for someone to audit the firms for compliance; in fact, most merchant agreements require PCI compliance testing.
While it may be overkill, you could have a contract requiring that your partner comply with either the NIST standards or the Federal Information Processing Standards (FIPS). By writing simple language such as "Firm X warrants that it will comply with X standard" rather than trying to incorporate the provisions of a standard into the contract, resolution would be much simpler and less costly in the event of a breach or dispute: instead of arguing over what the provisions of the contract say, it becomes a simple matter of getting a third-party expert familiar with the referenced standard to opine on compliance with that standard.
Finally, you need not require compliance with the entire set of FIPS; for example, you could reference FIPS 197 for data encryption and FIPS 112 for passwords.