
The Research of Information Security Management in Campus based on ISO27001/BS7799

Advisor: 吳昌憲

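Abstract


This study is based on the "ISO27001/BS7799 information security management standards" and "The norms of Information and Communication Security Management in Educational Systems". Appropriate control items were selected, and a questionnaire was used to survey the information and communication security status of domestic universities and colleges. This indirectly advanced the Ministry of Education's requirements under "The norms of Information and Communication Security Management in Educational Systems": the surveyed schools used this study's questionnaire to review themselves, and the results were compared and discussed, in the hope of providing a reference for schools and the Ministry of Education in promoting information and communication security in the education system. In addition, this study discusses the needs and reasons for information security and, from the perspective of risk management, establishes a model for information security risk assessment. The analysis of the questionnaire survey shows that, besides providing a priority order for handling information security matters and the related countermeasures, the model also highlights where an organization's information security risk problems lie, so that they can be effectively managed and regulated and sound information security can be established.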

Parallel Abstract


Based on the "ISO27001/BS7799 information security management standards" and "The norms of Information and Communication Security Management in Educational Systems", this study was conducted by selecting appropriate control items and emailing questionnaires to survey the current status of information and communication security management in domestic universities and colleges. This indirectly facilitated the requirements of "The norms of Information and Communication Security Management in Educational Systems" set by the Ministry of Education, and prompted the surveyed universities and colleges to review themselves with the questionnaires of this study. Hopefully the review discussion will provide schools and the Ministry of Education with a helpful reference for building a security management system. Furthermore, the demand and reasons for information security were discussed in this study. From the viewpoint of risk management, a model of risk assessment for information security was established. According to the analysis of the questionnaire results, the model produced a set of priorities concerning information security as well as suggestions for proper responses. It also helped identify potential information security problems within the organization. Thus, the model put forward by this study is able to raise information security consciousness among organization members and contribute to better information security.
