Information security should be a key issue in any organization today. By implementing an information security management system (ISMS), an organization can identify and reduce risks in this area. Information security management is covered by a number of ISO/IEC 27000 standards, which are based on best-practice solutions. However, smaller organizations are often discouraged from implementing these systems by fear of high cost and complexity. It is nevertheless possible to implement these systems in small organizations, especially because the standards do not strictly require implementation of all security controls. In this article, we point out this fact by describing practical experience with ISMS implementation in a small organization.