Security management of information systems is an important part of systems engineering management, and security risk assessment in particular lies at its core. Risk assessment of an information system helps analyze the system's security and identify potential risks. Building a risk model of information security provides necessary guidance for the design and implementation of security strategy. This article studies models and methods for assessing information security risk.