The paper presents an analysis of the existing methods for assessing information security risks, their features, advantages and disadvantages, as well as determines the possibility of using such techniques for assessing information security risks in financial institutions. Criteria for comparing information security risk assessment methods have been formed, the advantages and disadvantages of the methods are described. It is shown that, despite the requirements of regulators for assessing information security risks, most of the regulatory documents deal with operational risks. The evaluation of information security risks of credit and financial institutions does not have sufficient regulation and formalization.The authors substantiate the necessity of developing a method for assessing information security risks for credit and financial organizations, taking into account the features of risk assessment inherent to the mentioned organizations. The paper considers the need to create lists of existing threats to the credit and financial sector and their linking to existing vulnerabilities to optimize the process of assessing information security risks. The development of a methodology for assessing information security risks will increase the degree of compliance of credit and financial institutions with the requirements of international, state and industry standards through an optimal set of protection measures and models for evaluating information security risks.