Information security incidents continue to grow exponentially amidst the development of advanced technological solutions aimed at protecting information system resources. Today, information system breaches continue to grow at an alarming rate. The strategies developed by malicious users are becoming more sophisticated and are introduced unabated across various networks. However, security experts and developers are lagging behind in their response to the information security phenomenon. Today, developing countries continue to struggle to effectively address information security issues and are becoming the main avenue for cyber-criminals who capitalize on the weaknesses that exist in these regions. An effective response to information security requires a significant amount of resources. Developing countries have limited human, financial and technological resources and weak legislative frameworks, although these resources and frameworks are fundamental requirements for combating cyber-crime. One major cyber-crime incident could be catastrophic for businesses and governments in these small, fragile economies and could have far-reaching effects on their citizens. Knowledge management can be employed to assist in strengthening the capability of organizations and governments in the development of context-sensitive information security policies in developing regions. In this paper we present a knowledge acquisition model that brings together the two most widely adopted standards, COBIT and ISO/IEC 27005, and the tacit knowledge that exists in (human) repositories within the information security domain to support the development of context-sensitive information security policies. A quantitative methodology was used in the development of an artifact; a preliminary evaluation was done using the informed argument approach, and results and recommendations for future research are presented.
This study can add to the limited literature on the use of knowledge management in the information security domain and the artifact presented can assist information security practitioners in small/medium-sized organizations.