The paper introduces a novel proposal of a security management system destined primarily for application in the field of IT. Its core is formed by a triplet of cooperating knowledge-based (expert) systems, the knowledge bases of which consist of vague If-Then rules. The knowledge bases were created by experts on the problem domain and multiple times tested and verified on actual scenarios and real systems. With the system, a comprehensive methodology that is a part of a more complex approach to a decision making process is introduced. The proposed fuzzy tool is demonstrated on examples and problems from the area of information security. The paper also briefly reviews other used approaches to information security management - mainly qualitative and quantitative methodologies.