Abstract: Information security related to information assets is a critical aspect that must maintain by PT Angkasa Pura 1 (Persero) Surabaya, which handles the airport business sector includes services such as baggage control, aerodrome, and airport facilities. Information security systems that unwell manage can pose problems related to confidentiality, integrity, and availability.

This study aims to improve security information systems thru risk assessment using the OCTAVE method to find the highest impact when the risk occurs and prioritization those risks. The objective and security controls build based on using ISO/IEC 27001:2013.

The results of this study are the document of objective and security control, risk management documents, standard operational procedure (SOP) documents. The risk management documents related to information security, including risk assessment, risk identification, risk analysis, and evaluation at PT Angkasa Pura 1 (Persero) Surabaya.  Standard Operational Procedure (SOP) documents include policy documents, work instructions, and work records that align with the selection of objective controls and security controls from risk management.

Keywords: ISO27001, OCTAVE, Standard Operational Procedure