US $9.85
840793
Управление рисками информационной безопасности (Information Security Risk Management)
Author: Н.Г.Милославская, М.Ю.Сенаторов
Year: 2013
Number of pages: 130
Format: PDF | DJVU | DOC
File size: 8.29 MB
Language: RU
The tutorial introduces the concept of information security (IS) risk and defines the IS risk management process and system. The components of the IS risk management process are considered in detail, namely: establishment of the IS risk management context, with definition of the basic decision-making criteria and of the scope and boundaries of IS risk management; IS risk assessment, consisting of two stages: analysis (with identification of assets, IS threats, existing controls, vulnerabilities and consequences) and assessment (with determination of consequences, probabilities and quantitative risk assessment) of IS risks; IS risk treatment, including reduction, retention, avoidance and transfer; IS risk acceptance; IS risk communication; and monitoring and review of IS risks. Different approaches to the analysis (basic, informal, detailed, combined) and assessment (high-level and detailed) of IS risks are also compared. The conclusion briefly describes the documentation and tools for IS risk management.