Organisations, from the multinational Organisation for Economic Cooperation and Development through to national initiatives such as the UK's Cabinet Office, have recognised that risk - the realisation of undesirable outcomes - needs a firm framework of policy and action for mitigation. Many standards have been set that implicitly or explicitly expect to manage risk in information systems, so creating a framework of such standards would steer outcomes to desirable results.
This study applies a mixed methodology of desk enquiries, surveys, and action research to investigate how the command and control of information systems may be regulated by the fusion and fission of tacit knowledge in standards comprising the experience and inductive reasoning of experts. Information system user organisations from the membership of The National Computing Centre provided the working environment in which the research was conducted in real time. The research shows how a taxonomy of risks can be selected, and how a validated catalogue of standards which describe the mitigation of those risks can be assembled, taking into account the quality of fit and the expertise required to apply the standards. The work bridges a gap in the field by deriving a measure of organisational risk appetite with respect to information systems and the risk attitude of individuals, and linking them to a course of action - through the application of standards - to regulate the performance of information systems within a defined tolerance. The construct of a methodology to learn about a framework of ideas has become an integral part of the methodology itself, with the standards forming the framework and providing direction of its application.
The projects that comprise the research components have not proven the causal link between standards and the removal of risk, leaving this ripe for a narrowly scoped, future investigation.
The thesis discusses the awareness of risk and the propensity for its management, developing this into the definition of a framework of standards to mitigate known risks in information systems with a new classification scheme that cross-references the efficacy of a standard with the expertise expected from those who apply it. The thesis extends this to the idea that the framework can be scaled to the views of stakeholders, used to detect human vulnerabilities in information systems, and developed to absorb the lessons learnt from emergent risk. The research has clarified the investigation of the security culture in the thrall of an information system and brought the application of technical and management standards closer to overcoming the social and psychological barriers that practitioners and researchers face.