Risk assessment is a central part of the ISMS process, and in a complex organization with many assets it is a
difficult one. In this paper we present a practical model for information security risk assessment. The model is based
on multi-criteria decision-making and uses fuzzy logic, which suits risk assessment because the inputs are expert
judgements on linguistic scales rather than precise measurements, and it yields results that are practical to interpret.
The proposed assessment is a qualitative approach in line with the ISO/IEC 27005 standard. The main objectives and
processes of the business are taken into account, and risk is assessed at both the managerial and the operational level.
The model was applied in full to the information technology department of a supply chain management company, and the
results indicate its efficiency and reliability.
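To make the kind of model the abstract describes concrete, the following is an added example of a fuzzy, qualitative risk rating in the ISO/IEC 27005 style. It is not the paper's model and not the company's data: the three-level scale, the membership functions, the rule table, the expert weights and the asset names are all assumptions made here for illustration. Likelihood and impact judgements from several assessors are combined by weighted mean (a simple multi-criteria aggregation), fuzzified, pushed through a Mamdani-style max-min rule base, and defuzzified by centroid so that assets can be ranked.

```python
"""Fuzzy (Mamdani-style) qualitative risk rating, ISO/IEC 27005 flavour.

Added illustration of the technique, not the paper's model. The scale,
membership functions, rule base, weights and sample assets are assumptions.
"""
from typing import Dict, List, Tuple

LEVELS = ("low", "medium", "high")  # assumed three-point qualitative scale


def mu(level: str, x: float) -> float:
    """Membership of a crisp score x in [0, 1] in one linguistic level."""
    x = min(1.0, max(0.0, x))
    if level == "low":
        return max(0.0, 1.0 - 2.0 * x)              # 1 at 0, falls to 0 at 0.5
    if level == "medium":
        return max(0.0, 1.0 - abs(2.0 * x - 1.0))   # triangle peaking at 0.5
    return max(0.0, 2.0 * x - 1.0)                  # 0 up to 0.5, 1 at 1


# Assumed rule base: (likelihood level, impact level) -> risk level
RULES: Dict[Tuple[str, str], str] = {
    ("low", "low"): "low",       ("low", "medium"): "low",       ("low", "high"): "medium",
    ("medium", "low"): "low",    ("medium", "medium"): "medium", ("medium", "high"): "high",
    ("high", "low"): "medium",   ("high", "medium"): "high",     ("high", "high"): "high",
}


def infer(likelihood: float, impact: float) -> Dict[str, float]:
    """Max-min inference: firing strength of each output (risk) level."""
    out = {lvl: 0.0 for lvl in LEVELS}
    for (l_lvl, i_lvl), r_lvl in RULES.items():
        strength = min(mu(l_lvl, likelihood), mu(i_lvl, impact))
        out[r_lvl] = max(out[r_lvl], strength)
    return out


def defuzzify(strengths: Dict[str, float], steps: int = 100) -> float:
    """Centroid of the clipped and aggregated output fuzzy set on [0, 1]."""
    num = den = 0.0
    for k in range(steps + 1):
        x = k / steps
        m = max(min(strengths[lvl], mu(lvl, x)) for lvl in LEVELS)
        num += x * m
        den += m
    return num / den if den else 0.0


def rate_risk(likelihood: float, impact: float) -> Tuple[str, float]:
    """Return (linguistic risk label, crisp score in [0, 1])."""
    strengths = infer(likelihood, impact)
    label = max(LEVELS, key=lambda lvl: strengths[lvl])  # strongest output level
    return label, defuzzify(strengths)


def combine_experts(ratings: List[Tuple[float, float, float]]) -> Tuple[float, float]:
    """Weighted mean of (likelihood, impact, weight) judgements from several assessors."""
    total = sum(r[2] for r in ratings)
    return (sum(r[0] * r[2] for r in ratings) / total,
            sum(r[1] * r[2] for r in ratings) / total)


def rank_assets(assets: Dict[str, List[Tuple[float, float, float]]]) -> List[Tuple[str, str, float]]:
    """Rate every asset and sort by crisp risk score, highest first."""
    ranked = []
    for name, ratings in assets.items():
        l, i = combine_experts(ratings)
        label, score = rate_risk(l, i)
        ranked.append((name, label, round(score, 3)))
    ranked.sort(key=lambda t: t[2], reverse=True)
    return ranked


# Constructed sample input: asset -> [(likelihood, impact, assessor weight), ...]
SAMPLE_ASSETS = {
    "ERP server":   [(0.8, 0.9, 2.0), (0.7, 0.9, 1.0)],
    "VPN gateway":  [(0.5, 0.6, 1.0)],
    "Print server": [(0.15, 0.25, 1.0), (0.2, 0.2, 1.0)],
}

if __name__ == "__main__":
    for name, label, score in rank_assets(SAMPLE_ASSETS):
        print(f"{name:13s} {label:7s} {score:.3f}")
```

The label comes from the strongest fired output level, while the centroid gives a crisp score for ordering assets within a level; the two are reported separately because the centroid is pulled toward the middle of the scale and can mislabel a clearly high-risk asset if used alone.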