The ISO/IEC 17799 standard (2005) is commonly viewed as a necessary element of information security management. However, there is no empirical evidence of the usefulness of the standard in practice. To address this gap, this study analyses the implementation experiences of four organisations that have implemented the ISO/IEC 17799 (2005) standard. Based on semi-structured interviews, the results suggest that the standard served the needs of the small and medium-sized enterprises well and that its intended usage corresponds quite well to small and medium-sized organisations’ practice.