This is a topic that has generated a great deal of traffic on the LinkedIn “Governance, Risk and Compliance Management (GRC)” group. If you are a member I recommend you read through the comments; if not, you should consider joining. This is a cross post, slightly modified, of my answer to this question, so forgive the double traffic if you are a member.
I was shocked that no one had mentioned the size and financial ability of the company. So this addresses both small and large corporations, with and without money allocated to security.
If the company is 300 people and has very little money, then usually the starting point is convincing management why money needs to be directed towards an assessment rather than towards doing something immediately tangible. Therefore, obtaining management support through some shock and awe factor will help get buy-in, and then you can do a risk assessment. That assessment should provide a roadmap and serve as the strategic plan.
Now if the company is more mature and financially stable, I agree with several of the current comments, which suggested some type of RA framework or COSO control framework. Anyway, the typical starting point is conducting some type of strategic risk assessment: something that reviews all of the organization's assets, the threats, and the vulnerabilities. This assessment should help start the program by prioritizing each security effort based on risk. From this assessment, one of the action items, if it doesn't already exist, should be to put a control (ISMS) type framework in place.
Once the prioritized roadmap is created and a control structure is in place, these two items can be put into a baseline and measured over time. Also, each control area can have individual metrics. As the risk management program grows, the next step will be to build a project- or application-based risk approach in addition to the strategic risk assessment. The focus of this secondary assessment approach is to rapidly assess projects and determine the level of security review required at the project level. Some projects will require more based on their risk (i.e. type of data, etc.).