Due to lifting of regulations in financial laws and market opening policies within recent years, the domestic banks face intensifying competition from foreign banks. They have expanded operation scales to cope with such business impact. In 2002, since Taiwan joined the World Trade Organization (WTO), domestic banks have been permitted to set up branches in WTO’s member countries based on the reciprocity treaty. For the first time, expanding their business worldwide became one of the feasible options to most of the domestic banks. In becoming internationalized, their operations and number of personnel have been tremendously increasing. That brings up the important security issues of cross-border information processing/transmission as well as inter-country regulatory security compliances. In order to gain the trust of information protection to the bank’s customers, 13 Taiwanese banks have earned ISO/IEC 27001:2005 ISMS certification. Nevertheless, instead of the approach of earning the certifications, major foreign banks have developed their own information security management systems (ISMS) and have customized it to meet their business requirements. As far as we know, most previous studies about information security on the financial sector were related to regional or domestic banks and focused on the implementation of ISO/IEC 27001 ISMS standard. The ISMS frameworks of the major international banks have not been studied. Therefore we would like to explore the ISMS framework of a major foreign bank and compare the bank’s practice with ISO/IEC 27001:2005 standard to address the gaps between them. In this study, through questionnaires and in-depth analysis of interviews, we found that A Bank’s security measurements are largely focus on the secure system development lifecycle (SSDLC) aspects such as system security requirements, design, development, testing and maintenance. In ISMS implementations, the bank emphasized the active internal/external risk management, deepened IT system security assessment, simplified assets classification, and strengthened the independence and breadth of information security organization.