What you are explaining is a Risk Analisys. I am not a aware of a set of questions. But I know 2 methods
1. Easy method. You identify application criticality based on impact (Information Sensitivity - Confidential, public, etc) and Likelyhood (exposure to audience - Intranet, internet, etc.), then create a small matrix like the one at this link
http://www.owasp.org/index.php?title=OWASP_Risk_Rating_Methodology#Determining_Severity and map every resultant risk level to a level on ASVS. Thus Critical should be in compliance with Level 4, High => Level3, Med => Level2 and Low => Level 1
2. Harder (and more accurate). You do a Data Flow Diagram (First Step on Threat Modeling methodology) of the application and identify the application criticality then again map that criticality to a level on ASVS. Doing a DFD requires much more effort and knowledge of the application, though.
Hope it helps.
Regards,
Juan Carlos