This study explores the role of norms in employees' compliance with an organizational information security policy (ISP). Drawing upon norm activation theory, social norms theory, and ethical climate literature, we propose a model to examine how ISP-related personal norms are developed and then activated to affect employees' ISP compliance behavior. We collected our data through Amazon Mechanical Turk for hypothesis testing. The results show that ISP-related personal norms lead to ISP compliance behavior, and the effect is strengthened by ISP-related ascription of personal responsibility. Social norms related to ISP (including injunctive and subjective norms), awareness of consequences, and ascription of personal responsibility shape personal norms. Social norms related to ISP are the product of principle ethical climate in an organization. •This study explores the role of norms in employees' compliance with organizational information security policies (ISP).•ISP-related personal norms lead to ISP compliance behavior, and the effect is strengthened by ISP-related ascription of personal responsibility.•Social norms related to ISP, awareness of consequences, and ascription of personal responsibility shape personal norms.•Social norms related to ISP are the product of principle ethical climate in an organization.