  • Conference paper
  • Open Access

Automatic Risk Assessment Based on the Information Security Management System Framework

Abstract


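With the spread and rapid development of information technology, information security has become an issue that cannot be ignored; most organizations have begun building information security management systems to protect their information security. However, most research in this area has not established an automated mechanism for risk assessment methods that would let organizations present existing risks more objectively. This study proposes an automated risk assessment technique based on the "Information Security Management System" framework: using each asset's past risk warning records, it automatically identifies and analyzes current events, which allows threat and vulnerability types to be identified more precisely and quantitative risk figures to be computed. We use a recording system in operation at a large company as a case to illustrate and validate the approach. Through the advantages of automation, this study works in an objective, systematic, and repeatable way and can uncover problems that manual work cannot, thereby improving the quality of information security management.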

Parallel Abstract


With the popularity and rapid development of information technology, information security has become a critical issue. Many organizations have been establishing their information security management strategies to protect the security of their data. However, past research has not established automatic mechanisms to objectively reflect the actual risks. This study proposes an automatic risk evaluation process based on the "Information Security Management System" framework. The process compares the input event against the past risk warning records. This automatic method can accurately identify the threat and vulnerability of the current event, and then compute the quantitative figures of the associated risk. A case study of a Recording Center in a large enterprise is conducted. The advantage of automation in an Information Security Management System is that the automation is objective, systematic, and repeatable. Moreover, it may detect hidden problems which cannot be easily recognized by humans. Thus, our method can improve the quality of information security management.
