Information security is an important facet of IT management in the energy industry, which ranks among the top five targets of cyber-attacks worldwide, including in Indonesia. In this case-study action research, we describe how an organization in the oil and gas industry brought its information security management up to the level required by ISO 27001:2013. Data were gathered through a series of focus group discussions (FGDs) in which the researchers participated actively as team members. The research documents the steps undertaken: the generation of the risk register, the mitigation of the identified risks, and the development of the Statement of Applicability (SoA). Furthermore, a gap analysis was performed comparing the organization's current condition with the requirements of ISO 27001:2013. Finally, a set of recommendations was offered to improve the organization's information security management so that it meets the requirements of ISO 27001:2013.