Nowadays, companies seek to protect their information because it is a very valuable asset. In order to protect it, it is necessary to manage the risks, which will prevent scenarios that generate a negative impact such as significant financial losses, violation of the confidentiality of sensitive information, loss of integrity, or the availability of confidential information. Organizations such as SMEs do not implement risk management models because they do not care about allocating a budget for information security. There are different approaches that are used to manage the risks, but, in general, these focus on big companies. However, those that target SMEs have a qualitative approach. This paper presents a suitable risk management model, based on the OCTAVE-S methodology and the standard ISO/IEC 27005, it consists of the 3 phases of OCTAVE to which is added the list of vulnerabilities ...