Abstract

Due to the information society's growing dependence on Information and Communication Technologies, protecting information is becoming increasingly important for enterprises. In this context, Information Security Management Systems (ISMSs) have arisen to support the processes and systems needed to manage information security effectively. Having these systems available has become increasingly vital for the evolution of Small and Medium-Sized Enterprises (SMEs); however, this type of enterprise has special characteristics that make it difficult to deploy ISMSs correctly. In this article, we present the methodology that we have created for the development, implementation and maintenance of ISMSs, adapted to the needs and resources available to SMEs. This approach is being applied directly to real case studies, and thus we are obtaining a constant improvement in its application.