Risk management and controls for information systems (RMCIS) is commonly seen as a technical function used by experts in information technology, software engineers, or information systems programmers. . However, this task requires a much broader perspective that helps the learner have better comprehension of its meaning and the processes of organizational change that it requires. This article shows the results of a research process, approached from the perspective of soft systems thinking, to support RMCIS in organizations, showing the human activity system of the strategic management of information technology, the organizational changes necessary, and a description of the activities and methods proposed. © 2012 Universidad ICESI. Publicado por Elsevier Espana. All rights reserved. Gestao de riscos e controlos em sistemas de informacao: da aprendizagem a transformacao organizacional