1- Risk Management Guide for IT Systems - NIST
2- Managing Risk and Information Security - (Protect to Enable)