PurposeThe purpose of this paper is to examine the basis factors involved in the information security management systems of Malaysian public service (MPS) organizations. Therefore, it proposes an empirical analysis which was conducted to identify the antecedents of the information security maturity (ISM) of an organization; and to clarify the relationship between ISM and the social and technical factors identified.Design/methodology/approachThis study uses quantitative approach, convenience sampling and the required data collected from 970 key players' managers in information security, in a total of 722 government agencies, through a self‐administrated survey. Research adopted the Wallace et al. process to develop and validate the study's instrument.FindingsThe paper provides empirical insights and reveals a number of underlying dimensions of social factors and one technical factor. The risk management was found to be the formal coping mechanism adopted in the MPS organizations and is the leading factor towards ISM. The social factors have the most influence on MPS organizations' ISM. Findings demonstrate that two independent variables, risk management and individual perception, discriminate between those organizations that have high and low ISM.Research limitations/implicationsThe research results may lack generalization; therefore, researchers are encouraged to test the proposed propositions further in a different context.Practical implicationsThe paper includes implications for the development of a powerful instrument in explaining the ISM. Moreover, it helps internal stakeholders of an organization to formulate a more appropriate policy or give a more effective focus on issues that are really relevant to MPS information security management.Originality/valueThis paper fulfils the identified need to explore determinants of information security maturity.