Concern for information security is a major driver for policy implementation, and with new reg-ulations like the General Data Protection Regulation, almost all types of organisations face the challenge of implementing and applying information security policies. Information security standards guide these processes, but the challenge of ensuring compliance is still a major issue, despite extensive information security research in this aspect. The lack of versatility in theoreti-cal approaches led to calls for sociological approaches to contribute to the literature, but they were only partly addressed. The proposed framework of convention theory can serve as a fruit-ful approach, providing a pragmatic and contextualized perspective and a strong theoretical foundation from sociology. By adopting a conventionalist view of information security policies, attention is focused on issues of legitimacy without limiting the analysis to a solely structuralist perspective. This research in progress tries to take first steps in building a conventionalist framework for case-based research by introducing some of the main concepts of convention theory and illustrates possible implications for information security research and practice.