I don't think bidirectional TLS is enough in many cases. Defense in depth is required. You need to ensure that when services access other services, they aren't granted wide-open privileges because you (hopefully, still) own them.
I would add a reasonable authentication and authorization model to this list of prereqs.