As the cost and amount of information security breaches continue to rise, information security management becomes vital for organizations. Often organization seek advice from information security management standards and other frameworks to manage their information security. Such standards and frameworks depict information security management as a rational, systematic and linear process and leave out the complexity and uncertainty of real-life settings. In particular, they pay little attention to the organizational and social challenges inherent in information security management. Therefore, this study draws on the practice theory to develop a practice lens for understanding how people, practices and what happens in practice interact and create such challenges. This lens depicts information security management as emerging from mundane aspects of information security management work and from the enacted social structures of and events arising at an organization and its environment and enables a deeper understanding of the organizational and social challenges. After developing this lens, it is illustrated and elaborated through an ethnographic study at an IT service provider, and its contributions to research and practice discussed.