Information Security Planning with Risk Management Using ISO 31000:2018 at E-Commerce XYZ
Abstract
In the digital era, businesses must manage both opportunities and risks effectively. E-commerce XYZ, an e-procurement provider, faces information security challenges due to the lack of a formal risk management framework. This study applies ISO 31000:2018 to design a strategy for identifying, evaluating, and mitigating risks. Data were collected through interviews and questionnaires with the Head of the Services and Infrastructure Department. Key risks include irregular log reviews, multiple tabs in the CMS, and limited log history. Medium-level risks involve infrastructure disruptions (e.g., fires, earthquakes) and weaknesses in access management, such as poor password policies. Low-level risks include phishing, malware, and insufficient security training for non-technical staff. Recommendations focus on improving access control, log management, and backups, and on implementing regular security training. These measures aim to strengthen e-commerce XYZ's risk management, ensuring operational resilience and building stakeholder trust.