The paper addresses the problem of assessing the level of security of critical information infrastructure objects in the financial sector on the basis of organizational-structure and management factors in the context of internal audit. Standards do not allow flexible assessment of the indicators that characterize information security requirements; instead they propose obtaining expert assessments based on subjectively selected elements (documents, facts) related to particular requirements. The article considers a Bayesian approach to assessing the values of private indicators for all available characteristics of information security requirements, which allows these values to be obtained on a continuous scale. A corresponding model is presented that includes the calculation of private and generalized indicator values. It improves the standards-defined approach to assessing the level of security of critical information infrastructure objects during internal audit in two respects: private indicator values are assessed on a continuous scale, and the influence of the history of changes in the characteristics of information security requirements is taken into account.
Keywords: information security, Bayesian approach, critical information infrastructure objects, indicators of compliance with information security requirements, level of protection of objects, model with probabilistic components
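As an added illustration (not the paper's model, whose details the abstract does not give), a Beta-Binomial posterior mean with an assumed exponential discount on older audit periods yields a private indicator on a continuous [0, 1] scale from constructed check outcomes, and a weighted mean aggregates private indicators into a generalized one; the evidence, decay factor and weights are all assumptions.

```python
# Constructed audit evidence for one information security requirement:
# (audit_period, checks_satisfied, checks_total). Sample data, not from the paper.
EVIDENCE = [
    (1, 3, 5),
    (2, 4, 5),
    (3, 5, 5),
]


def private_indicator(evidence, prior=(1.0, 1.0), decay=0.7, now=None):
    """Posterior mean of a Beta-Binomial model for the share of satisfied checks.

    Each period's evidence is weighted by decay ** (now - period), so the
    history of changes still influences the indicator but recent audits
    dominate (assumed discounting scheme). Returns a value in [0, 1].
    """
    a, b = prior  # Beta(a, b) prior; (1, 1) is uniform
    if now is None:
        now = max((p for p, _, _ in evidence), default=0)
    for period, satisfied, total in evidence:
        if satisfied > total or satisfied < 0:
            raise ValueError("satisfied checks must lie in [0, total]")
        w = decay ** (now - period)
        a += w * satisfied
        b += w * (total - satisfied)
    return a / (a + b)


def generalized_indicator(privates, weights):
    """Weighted mean of private indicators for a group of requirements (assumed aggregation)."""
    if len(privates) != len(weights) or not privates:
        raise ValueError("privates and weights must be non-empty and equal length")
    return sum(p * w for p, w in zip(privates, weights)) / sum(weights)


def binary_expert_assessment(indicator, threshold=0.8):
    """The pass/fail view a fixed threshold would give; shows the information lost
    when the continuous indicator is collapsed to one bit."""
    return 1 if indicator >= threshold else 0


if __name__ == "__main__":
    p1 = private_indicator(EVIDENCE)
    p2 = private_indicator([])  # no evidence: falls back to the prior mean
    print(f"private indicators: {p1:.3f}, {p2:.3f}")
    print(f"generalized indicator: {generalized_indicator([p1, p2], [2, 1]):.3f}")
    print(f"binary view of first requirement: {binary_expert_assessment(p1)}")
```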