Organizations are becoming more aware of the importance of IT risk management and its corresponding due diligence requirements. Optimizing risk to information is a core function of most ICT departments, both to protect the enterprise and to satisfy government and industry mandates. IT risk management is the discipline that focuses on assessing, mitigating, monitoring and optimizing risks to information, communication and related technologies. An abundance of IT risk management approaches exist that can assist organizations in determining and controlling IT risks. However, gaps have been uncovered in existing IT risk management methodologies. This thesis aims to implement an IT risk management framework that best suits KRA's current operating environment. To achieve the objectives of this research, a descriptive research design was employed. The research began with an analysis of the available IT risk management frameworks so as to glean the strengths and weaknesses of each. The risks to which KRA's IT infrastructure assets were exposed and the current state of IT risk management activities at KRA were then established. The research culminated in the development and validation of an IT risk management framework to address these IT risk management needs of the Kenya Revenue Authority. The proposed model was envisaged to lead to a better alignment of IT risk management activities with business objectives and enterprise-wide risk management activities.