With increasing dependence on information technology and information system, enterprises are confronting with a more and more complicated information security environment. Thus, information security has become an intractable problem for many enterprises. Generally speaking, there are two methods to improve enterprises’ information security level, that is, technology and management means. Technology means mainly settle software and hardware security of computers and networks, while management means mainly regulate and restrain the entire enterprise system including software, hardware, and employees. At present, a lot of enterprises mostly employ the technology means to solve information security problems. However, the lack or imperfection of information security institutions leads to bad enterprise information security situation. Therefore, technology and management means to solve information security are complementary to each other. As such, it is urgent and necessary to establish and improve information security institutions for many enterprises. 　　In fact, enterprise information security is a complicated activity which needs different sectors to get involved in. More specifically, the information security departments play the very critical role in the implementation of information security institutions, and all employees should comply with the information security policy. Therefore, only the top management teams have the ability to coordinate the relationship between different departments, determine the introduction of information technology, and deploy the information systems. In response, top management support has an important impact on the construct of information security institutions and the effectiveness of information security management. So far, few studies have investigated the mechanism that how top management support affects information security legitimation, and legitimation information security management. Therefore, it has great theoretical and practical significance to the exploration of whether the legitimation supported by top management can improve the effectiveness of information security management.　　The objective of the current study is to explore whether legitimation prompted by top management team can improve the effectiveness of enterprise information security management. By doing so, the data was collected from the enterprises which have passed the certification of information security management system, and analyzed by using PLS-SEM. The results indicate that information security awareness can improve top management support（including top management belief and top management participation）and the effectiveness of information security management respectively. In addition, top management belief can improve implementation（the first stage of legitimation）and internalization（the second stage of legitimation）. Moreover, implementation can improve the effectiveness of information security management. This paper analyzes the way to enhance effectiveness of information security management, which has a reality-oriented meaning for prompting information security management of enterprises from the standpoint of institution.