    Citation: XU Cui-hua, LIN Jia-jun, ZHANG Xue-qin. An Information Security Evaluation Model Based on Evidence Reasoning Model and Evaluation Cases[J]. Journal of East China University of Science and Technology (Natural Science Edition), 2010, (6): 818-824.

    An Information Security Evaluation Model Based on Evidence Reasoning Model and Evaluation Cases

    • Abstract: To make security evaluation of information systems standardized and accurate, this paper establishes an evidence reasoning model on the basis of the Information System Security Assurance Evaluation Framework standard, following the practical needs of the evaluation process. The model integrates the system's security level, the evaluation specification, and the direct evidence. The concept of test cases from software testing theory is used to construct evaluation cases. Security indexes are divided into three types, and evaluation rules are proposed for each of the three types. Finally, an implementation of the model is given. Analysis of an actual example shows that the proposed method improves the standardization of evaluation work and reduces the influence of human, subjective factors on the evaluation results.

       
