A simplified ISMS : Investigating how an ISMS for a smaller organization can be implemented

Abstract: Over the past year, cyber threats have been growing tremendously, which has led to an essential need to strengthen the organization's security. One way of strengthening security is to implement an information security management system (ISMS). Although an ISMS will help improve the information security work within the business, organizations struggle with its implementation, and significantly smaller organizations. That results in smaller organization's information being potentially less protected.This thesis investigates how an ISMS based on MSB can be simplified to make it suitable for a small organization to implement. This thesis aims to open for further research about how it can be simplified and if it has a value of doing it.The study is based on a qualitative approach where semi-structured interviews with experts were conducted. This thesis concludes that it is possible to simplify an ISMS based on MSB for a small organization by removing external analysis, information classification, information classification model, continuity management for information assets, and incident management. In addition, the study provides tips on what a small organization should think about before and during implementation.