This paper adopts a balanced scorecard (BSC) approach to evaluate corporate information security level. Numerous methodologies have been introduced in information security evaluation over last two decades. Each of those methodologies addresses various issues in the aspects of products, individuals, businesses, and nations such as security capability test guidelines for security products, information security level evaluation criteria for public organizations, information security management standard for businesses, etc. But, inconsistencies and redundancies between methodologies have hindered the wide spread use of evaluation methodologies, especially in Korea. As the first trial to establish systematic evaluation criteria, this paper presents a corporate information security evaluation methodology using a balanced scorecard. In addition, a security maturity model to classify the security level of businesses is presented.