If you have Information Security or InfoSec questionnaires from clients, start there. Many questionnaires have evolved into highly complex, in depth, multi-tabbed nightmares for InfoSec practitioners to fill out. Problem is most of the time are covered by BAAs and NDAs which is one reason your likely not getting people sending you their excel spreadsheets.
Second reason would be the use of that 'c' word is likely cutting your search results down to a very small sample. Many practitioners consider the 'c' word to be slang or part of some hype machine used by the ignorant or politicians. Great for schools and government types.
Use your favorite search engine and try this transom: Information Security infrastructure checklist
Lots of examples to peruse.