Information system (IS) incidents, such as hacking, denial-of-service, and viruses are on the rise. With low manning and under-trained information security specialists it is difficult for organizations to stop IS incidents from occurring. Once an incident has occurred it is the IS manager's responsibility to ensure that a full and accurate damage assessment has been accomplished. However, most IS managers lack the necessary tools to assess the damage from an incident. This exploratory thesis developed an IS incident damage assessment model (DAM) that can be part of the IS manager's tool kit. During the development of the model, it became apparent that everything in the model was supported by a foundation of business processes. Therefore, the most important thing an IS manager can do is define their organization's business processes and how they relate to information systems. The model is based on eight primary factors that should be considered during the assessment process:· Recovery· Education/Training· Business Expenses· Productivity· Data· Lost Revenue· Reputation· Human Life Each factor is then further expanded into sub-factors that better define and explain the primary factors. These sub-factors can be directly mapped to business processes previously defined by the information system manager. The final product is an IS incident DAM tailored to the needs of the IS manager's organization.