The ISM Community has published the ten most important things all organizations should be doing regarding information security. Having played a role in this, I am admittedly a bit biased, so I will leave all judgements open to the reader.
I especially enjoy the tips and tricks from the field.

I just put up the “Somewhat Semi-Official Press Release” at the following URL:
http://www.ism-community.org/blogs/trainingandawarenessblog/archive/2007/06/29/ism-community-releases-top-ten-for-it-security-management.aspx