Information security management

Information security management (ISM) defines and manages controls that an organization needs to implement to ensure that it is sensibly protecting the confidentiality, availability, and integrity of assets from threats and vulnerabilities. The core of ISM includes information risk management, a process that involves the assessment of the risks an organization must deal with in the management and protection of assets, as well as the dissemination of the risks to all appropriate stakeholders. This requires proper asset identification and valuation steps, including evaluating the value of confidentiality, integrity, availability, and replacement of assets. As part of information security management, an organization may implement an information security management system and other best practices found in the ISO/IEC 27001, ISO/IEC 27002, and ISO/IEC 27035 standards on information security.

Information security management has become an increasingly important part of modern organizations because it helps secure the large databases such organizations commonly hold. These databases often store sensitive information such as personal identifiers and financial records, and a breach can ruin a company's reputation or put millions of people's information at risk. For this reason, information security management is usually discussed alongside cybersecurity practices, many of which are applied directly within an Information Security Management System (ISMS).

Managing information security means managing and mitigating the threats and vulnerabilities to assets while balancing the effort spent on each against the probability of it actually occurring. This balance is described by Protection Motivation Theory (PMT), which "seeks to explain why individuals adopt or engage in protective behavior." PMT has two main mechanisms: threat appraisal and coping appraisal. Threat appraisal is how people perceive the severity of a threat and their own vulnerability to it. A meteorite crashing into a server room is certainly a threat, for example, but an information security officer will put little effort into preparing for it, just as the existence of a global seed bank does not oblige people to start preparing for the end of the world.

The second half of PMT is coping appraisal, which covers self-efficacy and response efficacy. Self-efficacy is a person's confidence in their own ability to carry out a task; response efficacy is their belief that the protective action will actually work. Coping appraisal also weighs response costs: the money, time or effort a person must spend to follow through with the protective action. For PMT to predict protective behavior, a person needs a strong sense of self-efficacy and response efficacy for the task at hand, together with a low perception of response costs (which self-efficacy also influences).

After assets have been identified and valued, managing and mitigating the risks to them involves analysing the threats those assets face, the vulnerabilities a threat could exploit, the likelihood and impact of each, and the mitigations available.

Once a threat or vulnerability has been identified and assessed as having a high threat appraisal for an information asset, a mitigation plan can be enacted. The mitigation method chosen depends largely on which of the seven information technology (IT) domains the threat or vulnerability resides in. The threat of user apathy toward security policies (the user domain) requires a very different mitigation plan from the one used to limit unauthorized probing and scanning of a network (the LAN-to-WAN domain).
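The asset valuation, likelihood-weighted risk assessment and domain-driven mitigation choice described above, worked through as an added Python example that is not part of the article or of any ISO/IEC standard. The five-point scales, the level thresholds, the domain-to-control catalogue and the sample assets and threats are all constructed assumptions; the sample data is chosen so that the article's own examples (a meteorite strike, user apathy, probing and scanning) land where the text says they should.

```python
"""Qualitative risk register for an ISM risk assessment.

Added illustration, not code from the article. The five-point scales, the
level thresholds, the domain-to-control catalogue and all sample data below
are constructed assumptions.
"""
from dataclasses import dataclass

SCALE = range(1, 6)  # assumed 5-point scale: 1 = negligible ... 5 = severe

# Risk level floors on the 1..125 product computed in assess() (assumed bands
# expressing the organisation's risk appetite).
LEVELS = (("critical", 60), ("high", 30), ("medium", 12), ("low", 0))
LEVEL_RANK = {name: i for i, (name, _) in enumerate(LEVELS)}  # 0 = most severe

# Assumed default control family for each of the seven IT domains.
MITIGATION_BY_DOMAIN = {
    "user": "awareness training and enforced acceptable-use policy",
    "workstation": "endpoint hardening baseline and patch management",
    "lan": "network segmentation and physical/environmental controls",
    "lan-to-wan": "perimeter firewall, IDS/IPS and scan detection",
    "wan": "encrypted transport and redundant links",
    "remote-access": "VPN with multi-factor authentication",
    "system-application": "secure SDLC, code review and application patching",
}


@dataclass(frozen=True)
class Asset:
    name: str
    confidentiality: int  # harm if disclosed
    integrity: int        # harm if altered
    availability: int     # harm if unavailable
    replacement: int      # cost and effort to rebuild or re-acquire

    def value(self) -> int:
        """Worth of the asset is its most sensitive property, not the mean:
        a public dataset whose availability is critical is a critical asset."""
        ratings = (self.confidentiality, self.integrity,
                   self.availability, self.replacement)
        if any(r not in SCALE for r in ratings):
            raise ValueError(f"{self.name}: ratings must be in 1..5")
        return max(ratings)


@dataclass(frozen=True)
class Threat:
    description: str
    domain: str      # key of MITIGATION_BY_DOMAIN
    likelihood: int  # 1..5 band for the probability it occurs in a year
    impact: int      # 1..5 share of the asset value lost if it does


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    domain: str
    score: int
    level: str
    mitigation: str


def risk_level(score: int) -> str:
    """Map a 1..125 score to the first level whose floor it reaches."""
    for name, floor in LEVELS:
        if score >= floor:
            return name
    return "low"


def assess(asset: Asset, threat: Threat) -> Risk:
    """Score one asset/threat pair and pick a control family by domain."""
    if threat.domain not in MITIGATION_BY_DOMAIN:
        raise ValueError(f"unknown IT domain: {threat.domain}")
    if threat.likelihood not in SCALE or threat.impact not in SCALE:
        raise ValueError(f"{threat.description}: likelihood/impact must be in 1..5")
    score = asset.value() * threat.likelihood * threat.impact
    return Risk(asset.name, threat.description, threat.domain, score,
                risk_level(score), MITIGATION_BY_DOMAIN[threat.domain])


def assess_register(pairs, appetite: str = "medium") -> list:
    """Score every pair; return those at or above the appetite level, highest
    first. Anything below appetite is accepted rather than mitigated."""
    risks = [assess(asset, threat) for asset, threat in pairs]
    kept = [r for r in risks if LEVEL_RANK[r.level] <= LEVEL_RANK[appetite]]
    return sorted(kept, key=lambda r: r.score, reverse=True)


# Constructed sample data (not real assets or findings).
CUSTOMER_DB = Asset("customer database", 5, 5, 4, 3)
WEBSITE = Asset("public website", 1, 3, 4, 2)
WHITEBOARD = Asset("meeting-room whiteboard", 1, 1, 1, 1)
APATHY = Threat("user apathy toward security policy", "user", 4, 4)
SCANNING = Threat("unauthorised probing and scanning of the network", "lan-to-wan", 5, 2)
METEORITE = Threat("meteorite strike on the server room", "lan", 1, 5)
SAMPLE_REGISTER = [
    (CUSTOMER_DB, APATHY), (CUSTOMER_DB, SCANNING), (CUSTOMER_DB, METEORITE),
    (WEBSITE, SCANNING), (WHITEBOARD, APATHY), (WHITEBOARD, METEORITE),
]

if __name__ == "__main__":
    for r in assess_register(SAMPLE_REGISTER, appetite="high"):
        print(f"{r.score:3d} {r.level:8s} {r.asset} / {r.threat} -> {r.mitigation}")
```

Run as a script it lists only the risks at or above the "high" appetite: user apathy against the customer database (score 80, critical) ranks first, network scanning against the database and the website next, while the meteorite strike on the same database scores only 25 despite its severe impact, because its likelihood band is the lowest. That ordering is the threat-appraisal balance the text describes, and the selected control family changes with the domain (awareness training for the user domain, perimeter detection for LAN-to-WAN) rather than with the asset.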

Some of the most common reasons organizations struggle to implement a risk management protocol are:

For a mitigation strategy to be effective, both its technological side and its user-facing side must function with minimal error.
