Applying a New Approach to Consider the Human Factor in the Design of Information Security Systems
Source:
Information & Security: An International Journal
Abstract:
A primary task of information security in modern organisations is to ensure the safety of their information assets. The most effective method is to develop and implement an information security system (ISS) that is designed for a specific organisation and meets the organisation-specific requirements. Two methods for creating ISS are considered in the article: development of a complex ISS through systems analysis and the authors’ method for the development of organisational ISS. These methods consider different viewpoints on the system. An example is given with the Information Security Viewpoint and related concepts such as “Incident,” “Breach,” “Vulnerability,” “Threats,” “Threat Sources,” and “Threat Agent,” taking the human factor into account. As the behaviour of employees in relation to the adopted information security policy cannot be predicted, it is necessary to plan for some measures in the process of designing the system.