Service Oriented Architectures (SOA) offer new opportunities for the interconnection of systems. However, for a company, opening its Information System to the world is not insignificant in terms of security. Whether to use available services or provide its own services, new technologies have introduced new vulnerabilities and therefore new risks. Our work aims to propose an approach for risk management which is based on the ISO/IEC 27005:2011 standard: we propose a development of this standard (by an extension of Annex D) so that it can fully take into account the type service as web services and cloud services. Indeed, a world of services is not limited to link interconnected systems, it is more a relationship between customer and supplier, where notions of trust, accountability, traceability and governance are developed. Following this study we introduce a new security criterion, controllability, to ensure that a company keeps control of its information even if it uses such outsourced services.