Abstract: Based on the information system security assurance evaluation framework (GB/T20274), the information system security assurance model and evaluation index system are introduced, and the formalized evaluation method and flow are presented. An information security evaluation model is proposed by applying rough set (RS) and unascertained measure (UM) theory. In the criterion preprocessing stage, rough set theory is used to obtain the key evaluation indexes and construct a reduced index set, simplifying the original complex index system. In the evaluation stage, an unascertained measure model is adopted to analyze the evaluation data and carry out a quantitative, integrated evaluation of the information system's security assurance capability.