This study surveyed 288 organisations to explore the relationship between information technology (IT) capabilities and information security management (ISM). A review of the literature helped to not only identify the important factors of IT capabilities and ISM implementation, but also formulate a research framework. Both IT capabilities and ISM implementation were subsequently empirically measured to study how IT practice influenced the organisational implementation of ISM principles. SPSS and LISREL were used to analyse the collected data and validate the proposed framework. Subsequently, the study's hypotheses were examined via path analyses and the analytical results revealed that IT capabilities were significantly associated with the effectiveness of ISM. The validated model and the corresponding study results can provide a reference for enterprise managers and decision makers to develop favourable tactics for achieving their goal of ISM – mitigating information security risks.