This study proposes an assurance case description method, based on the framework of Information Security Management System (ISMS; ISO 27001), for agreeing to information security policies through co-creation of values between a parent company and its subsidiary or subsidiaries which are merged or acquired. Information security policy varies among companies. Parent companies need to agree with their merged or acquired companies on the information security policies in order to maintain the existing business of the subsidiaries while the parent companies continue to use the current IT infrastructure and network. This study first structuralizes ISO 27001 by using an assurance case. We then show the items that a parent company and its subsidiary do not agree to information security policies based on each company's policy. As a result, this study will: 1) Clarify the range of agreement and disagreement between the two companies' information security policies; and 2) show how two companies mutually conclude a final agreement for the entire range using the assurance case created. We asked them how three experts in information security evaluate the Understanding, Utility and Effectiveness of the proposed assurance case description method, which the studied participants used to create the assurance case.