  • Suroso, Jarot S.; Rahaju, Sri Mumpuni Ngesti; Kusnadi

    2018 International Conference on Orange Technologies (ICOT), 2018-Oct.
    Conference Proceeding

    Nowadays, information systems are an important element in supporting business strategies, including in the education division. Critical assets related to information systems are very susceptible to threats that can exploit and damage those assets, to the point of disrupting business processes and even causing financial losses. PT. Autocomp Systems Indonesia (PASI) has implemented an Information Security Management System (ISMS) based on ISO/IEC 27001 to define a set of risk management strategies. However, some threats still occur and cause the organization to incur losses. The organization needs to evaluate the risk management that has been implemented to determine whether the risk protection strategy is adequate. The evaluation is done by comparing the current condition with the expected ideal condition using the Catalogue of Practices from OCTAVE. Gaps are identified, and then a risk assessment of the related assets is carried out. The results of this study indicate that the level of risk management maturity obtained by the organization is 89.40%. The biggest gap is found in the contingency plan/disaster recovery plan and vulnerability management. A mitigation plan is then proposed from the results of the risk assessment using the OCTAVE Allegro approach so that the risk can be controlled properly.