As companies become more dependent upon information systems(IS), the potential losses of IS resources become critical. IS management must assume the increasing responsibility for protection of IS resources as the IS and business environments become more vulnerable to various threats. The major issues facing management, when attempting to manage risks, include the assessment of the impact of risks on business objectives and the design of security safeguards to reduce the unacceptable risks to an acceptable level. This paper provides a case study of the risk management for IS. A Korean credit card company which has the high sensitivity for customers security was selected as a case. The risk management procedure using a powerful tool, CRAMM(the Central Computer and Telecommunications Agencys Risk Analysis and Management Method) was applied for this company.