The rapid development of information technology and the spread of the Internet have made the information security challenges facing enterprises and organizations increasingly severe. For the operation of an enterprise organization, information security is not only a risk and threat full of uncertainty but also a key issue that cannot be avoided, and many new forms of digital crime and privacy protection issues require a clear and pragmatic information security strategy in response.

The main purpose of this study is, by reviewing domestic and foreign literature on information security and strategic planning and drawing on the researcher's many years of practical information security experience, to propose an enterprise information security strategy planning model suited to the information security field, and to use Company A as a case to verify the suitability and feasibility of the information security strategy planning construction process proposed in this study.

Through a case study, this research examines how Company A, facing numerous complex information security challenges, follows the information security strategy planning construction process proposed in this study's process framework to plan and develop its enterprise information security strategy. This process integrates the three important pillars of an enterprise organization proposed in this study: People, Process and Technology. The "current risk analysis" model (TW-PPT), further proposed in this study, is then used to identify the company's most critical information security problems and exact needs. At the same time, under the constraint of limited enterprise resources and capabilities, the "Development Strategy Planning" model (O-PPT) proposed in this study is used to plan and develop a suitable and feasible enterprise information security strategy and action plan.

Today the degree of harm posed by information security threats has surpassed the development of technology applications; enterprises and organizations must have a method for planning an appropriate information security strategy in response in order to ensure normal daily operations and development. Yet so far few have genuinely explored or researched this area, and literature and empirical research methods on information security strategy planning in particular are lacking. The findings of this study can therefore serve as a reference for subsequent academic research and for practitioners carrying out information security strategy planning.
The rapid development of information technology and the popularity of the Internet have made information security an increasingly serious challenge for companies and enterprises. For the operation of enterprise organizations, information security is not only a risk and threat full of uncertainty but also a key concern that cannot be avoided or ignored. Many new forms and types of digital crime and privacy protection issues have gradually emerged, and these require a clear and pragmatic security strategy in response. The main purpose of this study is to explore domestic and foreign literature related to information security strategy and planning and, combined with the researcher's many years of information security implementation and practice experience, to propose an “Information Security Strategy Planning” model for this application field, and then to use Company A as a case to verify the suitability and feasibility of the information security strategy planning model and process flow when they are established. Through the case study, the research discusses how Company A faces the challenges of many complex security issues and how it follows the information security strategy planning establishment process proposed in this research's process framework. The planning and development of the security strategy integrates three important elements of the organization proposed by the researcher: “People”, “Process” and “Technology”. The “current risk analysis” model (TW-PPT), which is further proposed by the researcher, is used to identify the most important key security issues and exact needs of the company. At the same time, under the condition that its enterprise resources and capabilities are limited, the “Development Strategy Planning” model (O-PPT) proposed by the researcher is used to plan and develop suitable and feasible enterprise security strategies and action plans.
Today the degree of harm from information security threats has outpaced the development of technology applications. Organizations must have the means to plan appropriate information security strategies to cope with them in order to ensure the normal operation and development of their daily business. So far, however, few people have actually conducted real discussion or research in this area, and literature and empirical research methods on the strategic planning of information security are especially lacking. Therefore, the research and results of this study will serve as a reference for subsequent academic research and for the practice community in the strategic planning of security.