It was in the consultants role recently that I got some sage advice from the security lead at a favorite client. I had just completed a full vulnerability assessment complete with penetration, VA scans, ISO17799 interviews, inter-domain communications leak analysis...the works. They looked pretty good. Better, in fact, than most I have seen over the years.