Tuesday, August 24, 2010

If you don't have these, well what's your problem?

If you are in the security function of a medium-sized organisation and you don't have the following under control... well, here's the list, and a place to start if you don't:
- job descriptions for members of information security function
- list of business units, with a key contact you know in each
- list of critical business processes and key applications for each business unit
- schedule for risk assessments of processes and applications
- some completed risk assessments (incorporating security policy compliance checks)
- security policy framework (aka ISMS)
- endorsed security policy
- some endorsed standards (esp. acceptable use, password, secure configuration)
- some processes
- some procedures (esp. firewall management)
- matrix of security controls and results with forward schedule
- schedule for pen testing program for critical applications
- copies of business unit risk registers
- vulnerability management solution and some completed scans
- log management solution and plan for enabling logging on end devices and associated alerts
- security awareness material for induction training
- enterprise security strategy with the list of treatments that the security function is running with
- governance reports to stakeholders
