Risk analysis allows you to make the right decisions on managing the company and doing business. Risks associated with information security of information are one of the main ones and are considered in international standards of the ISO / IEC 27000 series, and, in particular, national standards of the Russian Federation of the GOST R ISO/IEC 27000 series. Two groups of methods are distinguished for calculating in-formation security risks. The first group includes methods to determine the level of risk using the level of compliance with the selected set of requirements. The second group is based on the calculation of the probability of the implementation of threats, as well as the level of damage from their implementation. In the calculation, statistical methods, expert judgment methods or elements of decision theory can be used. Statistical methods are based on the analysis of already existing incidents in the field of information security. Based on the events already recorded, the probability of the threat and the level of damage from its implementation is calculated. This paper gives an ex-ample of the automation of information security risk calculations using expert assessments.