Abstract: In order to improve the comprehensive protection level of railway critical information infrastructure, this paper designed a risk management and control process based on the security protection requirements of critical information infrastructure, proposed information security risk management and control methods for critical information infrastructure from the perspectives of risk identification and analysis, technical security protection, management security protection, early warning and disposal, and provides risk report examples. The research results can provide reference for railway related units to carry out security protection work, and provide support for further improving the security protection work of key information infrastructure in China.