Effective information security management is necessary in the success of any organisation, including Small-and-Medium-Sized Enterprises (SMEs). Nonetheless, keeping their security needs met is always a challenge for SMEs. One of the proven ways to manage information security is through applying available international standards, frameworks and best practices. However, choosing a suitable model that addresses the SMEs holistic needs may be an overwhelming task. This systematic literature review formed the initial phase of a larger analytical project of existing models in three categories: risk management models, standards-based models and ‘other’ models. The review showed that most of models are theoretically conceived but have not been further tested empirically. Hence, their usability is unknown. More in-depth research is required to find a suitable model that may be applicable to all SMEs.