Information systems security policy implementation in practice: from best practices to situated practices

Organizations face institutional pressure to adopt information systems security (ISS) best practices to manage risks to their information assets. The literature shows that best practices should be contextualized, that is, translated from universal and general prescriptions into organizational documents and practices. Yet, little is known about how organizations actually make the translation from the best practices into situated practices. In this ethnographic study, we draw on practice theory and related concepts of canonical and non‐canonical practices to analyze the process of translation. We explore how an IT service provider translated the ISS best practice of information classification into an ISS policy and into situated practices. We identify three translation mechanisms: (1) translating global to local, (2) disrupting and reconstructing local non‐canonical practices, and (3) reconstructing and enacting local canonical practices. We find that while the translation was inhibited by incongruent practices, insufficient understanding of employees’ work, and the ISS managers’ lack of engagement in organizational practices, allowing situated practices to shape the ISS policy and actively engaging employees in the reconstruction of situated practices contributed positively to the translation. Contributions and implications for research and practice are discussed and conclusions are drawn.