Today, information security matters in every area of human activity. Security breaches always have consequences, but depending on the structure affected, they can go unnoticed or, conversely, halt the activities of an organization or even a country. Ensuring the information security of critical information infrastructure facilities has become the most discussed issue today. The state and its regulators develop many regulatory legal documents that contain requirements for the protection systems of critical information infrastructure facilities of various levels of significance. However, no one has ever created a single technique that would show the real state of information security of a critical information infrastructure facility. As a result, both the organization and regulators see only a general picture of the state of the protection system, which in turn creates many vulnerabilities that an attacker can use to carry out an attack. An attack on a critical information infrastructure facility can harm not only organizations but also people, and can disrupt the work processes of the entire state. That is why creating such a methodology is not only relevant but also necessary, both for the internal control of the organization itself and for automating the work of regulators during subsequent inspections. The methodology will not only give a high-quality assessment of the state of the protection system, but also show the possible vulnerabilities of the organization that need to be closed to improve the effectiveness of the protection as a whole.