Title
Information Security Risk Management Model for Peruvian SMEs
Date Issued
27 December 2018
Access level
metadata only access
Resource Type
conference paper
Author(s)
Publisher(s)
Institute of Electrical and Electronics Engineers Inc.
Abstract
In this paper, we propose an information security risk management model for Peruvian SMEs, taking as reference the OCTAVE-S methodology and the ISO/IEC 27005 standard. The model consists of the 3 phases of OCTAVE-S (Construction of the threats profile, Identification of infrastructure vulnerabilities, and Strategies and security plans). The model incorporates the lists contemplated in ISO/IEC 27005, as well as that standard's risk calculation and risk treatment. Likewise, the model adopts a quantitative approach that allows the residual risk to be calculated. For example, the most critical asset identified obtained a risk value of 216 and the residual risk obtained was a risk value of 109. The residual risk is obtained on the basis of the effectiveness of the controls that are part of the proposed model, for example, formalizing procedures and policies and reviewing them occasionally. This model provides guidelines for information security risks for companies. It was implemented in the sales process of a Peruvian SME in the ceramic sector, where it proved easy to use and made it possible to identify the controls necessary to reduce the risk, whose implementation reduces the risk by 53%.
Language
English
OECD Knowledge area
Business, Management
Systems and communications engineering
Subjects
Scopus EID
2-s2.0-85061485053
ISBN of the container
978-153868374-3
Conference
Proceedings of the 2018 IEEE Sciences and Humanities International Research Conference, SHIRCON 2018
Sources of information:
Directorio de Producción Científica
Scopus