Information is one of the most valuable assets for the survival of an organization (company), government institution, and college. Information security aims to maintain the confidentiality, necessity and availability of information. As a fulfillment of the need for information on XYZ, Ltd that does not yet have guidelines relating to the information security process, as well as a lack of understanding of the risks of information loss and how to control information security risks. In this paper, risk management planning is implemented using ISO/IEC27001: 2009 framework for security of information system assets at XYZ, Ltd. Stages in the design process of the Information Security Management System (ISMS) include the determination of scope, risk analysis and the determination of control objects and security control. The results of this study are a security policy document, risk assessment, and ISMS procedures which will become a reference in the research and will facilitate the next stage of research.