The chief information security officer's (CISO) role is fraught with challenges, including more sophisticated adversaries, a larger attack surface, increasing regulation, and customer demands. Stretched in so many directions, the CISO can easily neglect the fundamental processes by which the security team identifies, evaluates, and treats security risks. This report describes how to use an information security management system (ISMS) to drive risk ownership, continual improvement, and deep business engagement. This is an update of a previously published report; Forrester reviews and updates it periodically for continued relevance and accuracy.