Organizations face information security (IS) incidents from external threats like hacking and ransomware and internal information exposure. This research posits that the legitimacy of security policies impacts organizational compliance, focusing on enhancing legitimacy through sanctions and susceptibility to normative influence. We formulated a research model and hypothesis through prior research, surveyed members of IS policy-operating organizations, and tested the hypothesis using 321 samples. The hypothesis test results indicated increased IS compliance intentions due to the heightened severity and certainty of IS sanctions facilitated by IS legitimacy. Furthermore, the amplification of compliance intentions was observed through the interaction of susceptibility to normative influences with legitimacy and sanctions factors. This study underscores the significance of securing legitimacy for an organization's IS policy and conditions to enhance legitimacy, thereby aiding in developing strategies to attain the desired IS goal level within the organization.