Here's an interesting questionnaire published by the world bank as an assessment methodology for organisational security.
I've not had a chance to go all the way through it in detail, but it looks like it's got some interesting ideas in it. However one thing that I'm not too keen on in it so far is the section structure. they seem to have sections at very different levels of detail. For example one section for authentication/access control, quite a large area to cover and then one specifically for active content control for Internet access, which is a very specific area to cover!