The country's vital objects that provide data and information are vulnerable to threats. Information in the form of valuable assets needs to be protected from threats and vulnerabilities. Data and information must be guaranteed confidentiality, integrity, authenticity, and availability. Data and Information Center of Ministry of Defence, better known as Pusdatin Kemhan. Business processes owned by this organization are very complex. Pusdatin Kemhan requires strengthening in managing information security because the assets carried are important and high-value assets that are needed by leaders who assist in making decisions to support national defense and security. The implementation of information security and the existence of risk management are still not well managed. This study will provide an information security management design method based on risk management based on ISO / IEC 27005: 2018. The results of this study are the information security management policy at the Center for Data Processing and Information Technology.