I have found that even the free cisecurity.org tools run on each server are a great place to start. A 50-page report on each server with all its pass/fails. I think the free one even offers you the regkey fixes, or the MS KB article to fix each issue. Documentation is key. I'm not sure what the different levels are/mean, although I have heard some talk about them with my clients and their respective auditor.
A lot of the information will also come from the auditor; once you pick a company, they normally send you a lot of information to help get you going in the right direction. Maybe at your level you don't require an on-site audit. The ones I do have a 3rd-party auditor authorized by Visa/MC come onsite every year, and also do pen tests every quarter.
