  • Degree thesis

Establishing Risk Assessment Criteria for the Armed Forces' Information Security Management System with Fuzzy AHP (original title: 以Fuzzy AHP建立國軍資訊安全管理系統風險評估準則)

Establishing the Risk Assessment Criteria for the Information Security Management System of the Military with the Fuzzy Analytic Hierarchy Process

Advisor: 古政元

Abstract


In the field of national defence, information security has always played a pivotal role. In recent years the units of the Armed Forces have spared no effort in promoting ISMS work. An ISMS is a systematic method for analysing and managing information security risk; its goal is to reduce information risk to an acceptable level through controls. Risk management is therefore one of the most important core tasks of information security.

The Armed Forces do not lack units that have passed ISO 27001 certification, yet security incidents still occur. On closer examination the cause is largely that the risk assessment work was not done rigorously. Risk assessment is carried out according to the unit's own subjective perception, with reference to the explanatory text of the standard's clauses. Because people generally do not want to invest many resources in the subsequent risk treatment plan, they perform the risk assessment loosely from the very start. As a result, many assets carrying latent high risk are underestimated (ignored) and effective risk management is never actually implemented: the certification is passed, but security incidents do not stop.

With the defence budget continuing to tighten, how to direct limited resources at the critical risks has become an important issue. This thesis takes the Armed Forces' information security control work as its scope and aims to develop risk assessment criteria suited to the Armed Forces' ISMS. Based on experts and the literature, a framework of 7 dimensions and 54 threats is developed, and the Fuzzy AHP method is used to collect and analyse the weight of each threat. This gives each unit a basis, according to the characteristics of its combat (exercise) and training missions and the criteria recommended by this study, for carrying out risk assessment quickly and applying controls to the high-risk items with limited resources, so as to reduce risk and sharpen the return on the investment.

Keywords

ISO 27005; Fuzzy AHP; risk assessment

Parallel abstract (English)


Information system security is vitally important to national defence. In recent years the military departments have done their utmost to advance the information security management system (ISMS). An ISMS is a method for systematically analysing and managing the risk to information systems; its aim is to lower risk to an acceptable level through controls. Risk management is therefore the most important core task of information security. Many military departments have passed ISO 27001 certification, but information security incidents still occur frequently because the risk assessment was not done well. The units concerned did not want to invest many resources in a risk management programme; they assessed risk according to subjective judgement and reference regulations. Consequently the risk evaluation was done loosely and many high-risk assets were underestimated. It is important to direct the limited resources at the key risks. The aim of this thesis is to develop risk assessment criteria for the ISMS of the military. Based on the experts' opinions and the literature, a framework of 7 dimensions and 54 items was established. Through fuzzy AHP, the experts' judgements were collected and analysed. The results can be applied in every military department to execute risk assessment promptly, so that a unit can control and reduce the high-risk threats with its limited resources.
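Both abstracts describe the same pipeline: expert pairwise judgements on the threat dimensions, fuzzy AHP to turn them into weights, and a unit-level ranking so that limited resources go to the high-risk items first. The following is an added worked example, not code from the thesis: it implements Buckley's geometric-mean fuzzy AHP with triangular fuzzy numbers, adds the Saaty consistency check a practitioner would run before trusting an expert's matrix, and finishes with the weighted prioritisation step. The four dimensions, the linguistic scale, the judgements and the unit scores are constructed for illustration; the thesis's own 7 dimensions, 54 threats and expert data are not reproduced.

```python
"""Fuzzy AHP weighting of risk-assessment criteria (Buckley's geometric-mean method).

Added worked example, not code from the thesis. The dimensions, the scale and all
judgments below are constructed for illustration only.
"""
from math import prod

# Triangular fuzzy number (l, m, u) with l <= m <= u.
TFN = tuple[float, float, float]

# Linguistic scale as triangular fuzzy numbers (a common choice; assumed here).
SCALE: dict[str, TFN] = {
    "equal": (1.0, 1.0, 1.0),
    "moderate": (2.0, 3.0, 4.0),
    "strong": (4.0, 5.0, 6.0),
    "very strong": (6.0, 7.0, 8.0),
    "extreme": (9.0, 9.0, 9.0),
}

# Saaty's random consistency index by matrix order.
RANDOM_INDEX = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12, 6: 1.24, 7: 1.32, 8: 1.41, 9: 1.45, 10: 1.49}


def reciprocal(t: TFN) -> TFN:
    """Inverse of a TFN: (l, m, u)^-1 = (1/u, 1/m, 1/l)."""
    l, m, u = t
    return (1 / u, 1 / m, 1 / l)


def build_matrix(names: list[str], judgments: dict[tuple[str, str], str]) -> list[list[TFN]]:
    """Expand {(more_important, less_important): term} into a full reciprocal
    fuzzy comparison matrix; the diagonal is 'equal'."""
    idx = {name: k for k, name in enumerate(names)}
    n = len(names)
    mat = [[SCALE["equal"]] * n for _ in range(n)]
    for (hi, lo), term in judgments.items():
        i, j = idx[hi], idx[lo]
        mat[i][j] = SCALE[term]
        mat[j][i] = reciprocal(SCALE[term])
    return mat


def fuzzy_weights(mat: list[list[TFN]]) -> list[TFN]:
    """Buckley: r_i = (prod_j a_ij)^(1/n);  w_i = r_i (x) (sum_k r_k)^-1."""
    n = len(mat)
    r = [tuple(prod(row[j][k] for j in range(n)) ** (1 / n) for k in range(3)) for row in mat]
    sum_l, sum_m, sum_u = (sum(t[k] for t in r) for k in range(3))
    # Fuzzy division by the fuzzy sum: the lower bound divides by the largest total, etc.
    return [(l / sum_u, m / sum_m, u / sum_l) for (l, m, u) in r]


def defuzzify(weights: list[TFN]) -> list[float]:
    """Centroid defuzzification, then normalise so the crisp weights sum to 1."""
    crisp = [(l + m + u) / 3 for (l, m, u) in weights]
    total = sum(crisp)
    return [c / total for c in crisp]


def consistency_ratio(mat: list[list[TFN]]) -> tuple[float, float]:
    """Saaty's lambda_max and CR on the crisp (middle-value) matrix.
    A CR above 0.10 means the expert's judgments should be revisited."""
    n = len(mat)
    crisp = [[t[1] for t in row] for row in mat]
    gm = [prod(row) ** (1 / n) for row in crisp]
    w = [g / sum(gm) for g in gm]
    aw = [sum(crisp[i][j] * w[j] for j in range(n)) for i in range(n)]
    lam = sum(aw[i] / w[i] for i in range(n)) / n
    ci = (lam - n) / (n - 1) if n > 1 else 0.0
    ri = RANDOM_INDEX[n]
    return lam, (ci / ri if ri else 0.0)


def prioritise(names: list[str], weights: list[float], unit_scores: dict[str, float]) -> list[tuple[str, float]]:
    """Weighted risk per dimension: criterion weight x the assessing unit's own
    risk rating for its mission profile (ISO 27005 style), highest first."""
    scored = [(name, weights[i] * unit_scores[name]) for i, name in enumerate(names)]
    return sorted(scored, key=lambda x: x[1], reverse=True)


# Constructed sample: four hypothetical threat dimensions and one expert's judgments.
DIMENSIONS = ["unauthorised access", "malware", "physical intrusion", "human error"]
JUDGMENTS = {
    ("unauthorised access", "malware"): "moderate",
    ("unauthorised access", "physical intrusion"): "strong",
    ("unauthorised access", "human error"): "moderate",
    ("malware", "physical intrusion"): "moderate",
    ("malware", "human error"): "equal",
    ("human error", "physical intrusion"): "moderate",
}
# Constructed unit ratings (1..5) reflecting that unit's own exercise/training profile.
UNIT_SCORES = {"unauthorised access": 3, "malware": 5, "physical intrusion": 4, "human error": 2}


def run_example() -> dict:
    mat = build_matrix(DIMENSIONS, JUDGMENTS)
    lam, cr = consistency_ratio(mat)
    fuzzy = fuzzy_weights(mat)
    crisp = defuzzify(fuzzy)
    return {
        "lambda_max": lam,
        "cr": cr,
        "fuzzy_weights": dict(zip(DIMENSIONS, fuzzy)),
        "weights": dict(zip(DIMENSIONS, crisp)),
        "ranking": prioritise(DIMENSIONS, crisp, UNIT_SCORES),
    }


if __name__ == "__main__":
    res = run_example()
    print(f"lambda_max={res['lambda_max']:.3f}  CR={res['cr']:.3f} (must be < 0.10)")
    for name, w in res["weights"].items():
        l, m, u = res["fuzzy_weights"][name]
        print(f"{name:22s} fuzzy=({l:.3f}, {m:.3f}, {u:.3f})  weight={w:.3f}")
    print("treat first:", res["ranking"][0][0])
```

The consistency check is the part most often skipped in the "loose" assessments the abstract criticises: a matrix filled in carelessly will usually fail CR < 0.10, and the weights derived from it are then meaningless however precise the fuzzy arithmetic. With several experts, their fuzzy matrices are normally aggregated element-wise by geometric mean before this step; here a single expert is shown to keep the arithmetic traceable.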

Parallel keywords (English)

Fuzzy AHP; risk assessment; ISO 27005
