Information security is needed to reduce the misuse of information systems, even as the development of information systems creates the convenient world known as the information society. As a first step toward information security, there must be will, regulations, policies, and so on, together with an organization that carries these out.
In our study, the results of a survey of information security managers can be summarized in three groups as follows. The first group appears weak in the policy aspect, although it is superior in the security and organization aspects. The second group appears to have little reliability of subsidiary companies, although it is superior in the policy and organization aspects. The third group appears to have strong concern from top managers and strong reliability of subsidiary companies, although it is not superior in the policy and organization aspects.
5 giant family trusts were analyzed in order to study the information system security and organization suited to the business environment in Korea. The results of the analysis are as follows.
There is a basic policy for information security. However, it is outdated and no longer realistic. In general, more security audits and security education are needed. Security tools need to be used actively. There is growing interest in new technologies related to information security, such as digital signatures and biological application techniques. Security is low in companies without an independent information security organization. It is necessary to build an information security team. In many cases, even where a company has an information security team, it has few people relative to the size of the organization. It is also important to check whether the team has the ability to perform the information security job.
As a result of interviewing many security managers in companies, I strongly believe that Total Security Management, which integrates Physical Security and Computer Security, is needed. I think that an information center may play the role of performing information security.
The interviews are insufficient in two respects. One is that there were not enough of them, and the other is that the reliability of the survey has not been proven, because most interviewees were not willing to disclose their security systems.
Studies of information security management for each industry may be performed in the future. This was not included in the present study because of the lack of data about information security management for each industry. Case studies of small and medium enterprises can also be performed.