Once again, when entering the information age, digital space has aroused international competition in the fifth domain after land, navy, air force and aerospace. While enjoying the huge benefits provided by information and information systems, people also face severe challenges in terms of information security. The standard compliant information security management system (ISMS) has become a national information security policy, and risk management is already a consensus for the core task of establishing an ISMS. However, ISMS policy lacks a connection to the strategic risk management of organizations, which is normal for organizations which have passed ISMS certification. This study explores the nature of ISMS policy and describes the relationship of such a policy when establishing an ISMS by means of a case study. Besides, we also propose a method to integrate the ISMS with information security governance (ISG).