Abstract: Telecom operating companies face a large number of information security risks. However, they lack both awareness of these risks and systematic methods for managing them, and there is little mature experience to use as a reference. To address the problem of management method, information security risk management systems are studied. Through literature research and an investigation of the present situation, the three main information security risks facing telecom operators at the present stage are analyzed. Based on risk management theory, and given that the risks are complex and changing, the PDCA cycle is considered suitable for telecom operators in China, and an information security risk management system based on the PDCA cycle is built for telecom enterprises. Finally, the implementation principles and methods of each module in the system construction process are studied. The work provides a theoretical foundation for carrying out information security risk management systematically.