Information security is a topic of everyday interest, with mainstream media regularly reporting information security incidents in many different areas. These reports demonstrate the importance to any organization of having an Information Security Management System (ISMS). Foreseeing potential security risks is usually key to successful risk management. Available information security standards, such as the ISO 27000 family of standards, provide a formal framework for successful information security management in organizations or companies of any size. In this paper, the authors draw on experience gained during a project that led to successful ISO 27001 certification at the Central Bank of Bosnia and Herzegovina in 2009.