Information security is a main concern in many fields of computer and information technologies, from software development, or network systems, to new or emerging technologies such as mobile, cloud computing, or social computing. Existing security standards and models usually focus on "what" has to be done about security, but they do not propose "how" to deal with the inherent complexity of assuring modern software systems or network infrastructures. Application of current security standards usually produce large check lists describing security countermeasures, but they lack a structured, in-depth and consistent process to define the information security requirements at different granularity levels of the system. As a consequence, security deployments may miss important security controls. We propose the Infosec-tree Model, a novel methodology with a hierarchical approach to guide that comprehensive assurance process for a computer or network system. Real use cases are presented, by applying our methodology to assure a private cloud being developed at the Universidad de Costa Rica (UCR).