
Introduction

The purpose of risk management is to protect an organization's valuable information, hardware, and software assets. The purpose of the risk management process is to identify and manage risks so that a company is able to achieve its strategic and financial objectives. Risk management is a continuous process through which key risks are identified, listed and assessed, key individuals responsible for risk management are appointed, and risks are prioritized according to a rating scale in order to compare the effects and the relative significance of the risks. It is very important that organizations and businesses are well prepared to see what kinds of risks they face, and what the business could suffer, in the event of a major disaster.

1.1 Purpose

This report aims to explain how risk control is achieved through strategies and through information security management.

1.2 Objectives

This report describes how information assets are identified as exposed to risk, and how risk is identified and assessed. The objective is to adopt control measures that reduce specific vulnerabilities. Defining control objectives is the first step in deriving the corresponding control requirements to mitigate the risk associated with a vulnerability.

1.3 Definitions, acronyms and abbreviations

"Risk management is the part of the analysis phase that identifies vulnerabilities in the information system of an organization and carefully considers measures to ensure the confidentiality, integrity, and availability of all components of the organization's information system" (Information Security Management - Second Edition, Michael E. Whitman and Herbert J. Mattord)

Risk is the potential loss resulting from the balance between threat, vulnerability, countermeasures and value.

...... middle of paper ......

4th ed. - M. Whitman - Cengage pag. 158)

2.1 General categories of control

There are three categories of control: policies, programs and technical controls. Controls can be classified as:
• Directive
• Preventive
• Detective
• Reactive

2.2 Risk Control Strategies

Avoidance means eliminating or reducing the remaining uncontrolled risk to a vulnerability; it attempts to prevent exploitation of the vulnerability. Transfer means attempting to shift the risk to other resources, other processes, or other organizations. Mitigation aims to reduce, through planning and preparation, the damage caused by the exploitation of a vulnerability; that is, it aims to reduce the impact. Mitigation depends on the ability to detect and respond to an attack as quickly as possible. Acceptance involves understanding the consequences and accepting the risk without control or mitigation.