This thesis, conducted by Yimei Lin at Lahti University of Applied Sciences, focuses on IT risk management in a business that relies heavily on information systems. The primary objective is to identify and prioritize the most significant IT risks faced by the company. The study employs a deductive research methodology, combining qualitative methods such as interviews and observations to gather data. The literature review covers IT risk overview, risk management, IT risk identification, risk assessment, and risk countermeasures. The case study involves a detailed analysis of the company's IT risks, including physical and non-physical threats, asset impact, business impact, and vulnerability assessments. The findings reveal that inadequate anti-virus software protection is the biggest threat, and the lack of attention to this issue could lead to more severe consequences in the future. The thesis concludes with recommendations for risk reduction and improved IT security practices.This thesis, conducted by Yimei Lin at Lahti University of Applied Sciences, focuses on IT risk management in a business that relies heavily on information systems. The primary objective is to identify and prioritize the most significant IT risks faced by the company. The study employs a deductive research methodology, combining qualitative methods such as interviews and observations to gather data. The literature review covers IT risk overview, risk management, IT risk identification, risk assessment, and risk countermeasures. The case study involves a detailed analysis of the company's IT risks, including physical and non-physical threats, asset impact, business impact, and vulnerability assessments. The findings reveal that inadequate anti-virus software protection is the biggest threat, and the lack of attention to this issue could lead to more severe consequences in the future. The thesis concludes with recommendations for risk reduction and improved IT security practices.