Despite a continued scholarly conversation on Information Systems Security (ISsec) policies and gov-ernance, a perspective that examines these issues at the organisational level has been generally ne-glected. This is of concern as managing ISsec is multi-level in nature for many organisations ranging from the individual level, such as BYOD (Bring Your Own Device) policies, to the strategic level, such as the use of Chief Security Officers (CSOs). This deficiency is also evident for virtual banks as a type of IS (Information System)-led organisation that develop flexible policies due to changing internal and external security environments. In order to focus on the multi-level and flexible nature of ISsec policies of virtual banks, we borrow key concepts from the organisational network perspective to map organisation structure changes through ISsec development phases and shifting meta-policies. The goal of this paper is to develop the theoretical framework and conceptual model needed to examine the multi-level and flexible nature of organisational ISsec policies of virtual banks. We start with build-ing on relevant literature on ISsec meta-policy characteristics and then integrate network concepts from the ARA (actor, resource, activity) framework to map the changing ISsec policies at the individual, meso, and meta-organisational level.