In recent years, information security has attracted more attention from the enterprises. However, the enterprises encounter a lot avoidable problems caused by poor planning on the management systems during the implementation and validation processes. In this research, two process areas, configuration management and risk management, of CMMI are applied to construct an information security management model. According to the system requirements and related references, the simulation software is constructed to implement the processes in planning, doing, checking, and acting sequence. In the results of the study case, there are two findings as follows: (1) Quantifying the security and risk of information asset, clearer objective and direction of management can be found; (2) Applying configuration management model, management and communication will be easier.