Information security management describes controls that an organization needs to implement to ensure that it is sensibly managing the risks of loss, misuse, disclosure or damage of information and information infrastructure assets.
The risks to these assets can be calculated by analyzing the following issues:
Threats to your assets. These are unwanted events that could cause the deliberate or accidental loss, damage or misuse of the assets.
Vulnerabilities. How susceptible your assets are to attack.
Impact. The magnitude of the potential loss or the seriousness of the event.