With the rapid advancement of information technology, organizations put dependence on it more than ever. Especially in the era of electronic commerce, users of a certain organization's Internet system broaden from members inside to unknown individuals outside. Many organizations are facing unprecedented security challenges. Therefore, information security techniques and management tools have caught a lot of attention from both academia and practitioners. However, there is lacking a theoretical framework for information security management. This paper, through literature review and practical observations, attempts to summarize and integrate five existing theories: security policy theory, risk management theory, control and auditing theory, management system theory and contingency theory to build a comprehensive theory of information security management (ISM). It suggests that an Integrated System Theory (IST) is useful for understanding information security management, explaining information security management strategies, and predicting possible outcomes while applying those strategies. This theory may lay a solid theoretical foundation for further empirical researches and applications.