Gunnar Peterson published a few days ago what he called "Security Architecture Blueprint". It is a blueprint of the Security Services needed to deploy a security architecture, from processes to technologies. Together with P-CSO from Mike Rothman I believe it's one of the best support materials to a CSO to use when developing a Security Plan. P-CSO will enable you to create a roadmap on a business perspective, while the blueprint from Peterson will cover all aspects on the technical side. I was happy to see that the plan that I developed a few months ago is quite aligned to it.

The Blueprint is designed in a somewhat layered approach, what really makes sense when you are trying to map high level risk management goals to processes, procedures and technology controls. The blueprint enables you to build an effective Information Security Management System without all that burden from ISO17799/27001, but in a way that you can use all the processes and tools developed to pass through a certification process on that standard, if needed.

The document is also very rich on information about security metrics, including a very good sample of an Enterprise Security Dashboard. I recommend Peterson's blueprint for all CSOs developing a security strategy and for consultants that are trying to build a comprehensive product and services portfolio.