The issue of information security management (ISM) had been widely studied with different approaches and from different perspectives. To have the right security objectives is the primary step to achieving an effective security program. Based on the contingency theory, a conceptual model of factors that determine ISM objectives was proposed. To validate this model, a webbased survey with open-ended question was conducted. The responses from 120 certified information security practitioners were categorized and analyzed. The paper contributes to theory as it extends previous studies applying the technological, organizational and environmental framework to include factors that impact ISM. Further, it contributes to practice as it increases the awareness and importance of ISM.