
A Case Study of Information Security Diagnosis for Small and Medium-Sized Enterprises

The Diagnostic Service of Information Security of SMEs-Case Study of Taiwan Retailers

Abstract


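This study uses a case-study approach to compare two small and medium-sized retail enterprises in closely related lines of business. Drawing on the 11 management domains, 39 control objectives and 133 control points of the ISO 27001 standard, it uses the statistical results of a fuzzy Delphi expert questionnaire to exclude control items unrelated to the business or to laws and regulations, producing an information security checklist that assesses 60 control measures. The checklist is used to investigate, analyze and evaluate the enterprises' existing problems and information security management mechanisms, so that the owners understand how to raise their information security level. During the study, the enterprise identified the controls it most urgently needed to improve, and an information security diagnostic service was carried out on them. The results before and after the improvements are compared, and recommendations are made for the enterprise's future policies and procedures, for improving staff information security capability, and for improving the functional architecture of its future information security systems. Finally, the study analyzes the achievement rate of each information security control measure in light of the two retail companies' information security awareness and how far they have put it into practice.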

Parallel Abstract


This research uses the case study method to compare two SME retailers in similar industries. Based on the standard published under ISO 27001, which contains 11 administrative domains, 39 control objectives, and 133 control points, an information security checklist of 60 control measure assessments is drawn up, excluding control items unrelated to the business or to laws and regulations. The checklist is used to investigate, analyze and evaluate the enterprises' present problems and information security incident management, so that the proprietors understand how to raise their information security level. During the research process, the research proposes solutions for improving the controls and carries out the information security diagnostic service; it then compares the results before and after implementation and makes suggestions for the future institution of the business, the enhancement of information security personnel, and an improved structure for the future information security system. Finally, for the two retail companies in the case, the research addresses the concept and implementation of information security and analyzes the achievement rate of each information security control measure.

Cited By


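李維祚 (2017). Exploring the key success factors and complementary assets of organizational ISMS adoption from the perspective of adaptive structuration theory [Master's thesis, Tamkang University]. Airiti Library. https://doi.org/10.6846/TKU.2017.00561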
