With the coming of the information era, cyberspace has become the fifth dimensional strategic space following land, sea, sky and outer space. Moreover, it has resulted in another international competition. While people are enjoying the great benefit from information and information system, they have faced the challenge of information security as well. Establishing Information Security Management System (ISMS) via standards has become one of the information security policies in our country. The conclusion that risk management is the top priority in establishing ISMS has been reached. However, ISMS policies seem to lack risk management, and so do the organizations that get the certification of ISMS. Therefore, this paper focuses on investigating the necessity of ISMS policies, elaborating the importance of ISMS policies while establishing ISMS case by case, and providing the frameworks as well as approaches that integrate ISMS with information security governance.