In my literature research I have found several ways of handling information security. There is no grounded theory in the field of information security, but there are several guidelines, frameworks and standards, and there is a lot of research about these. I have also done research about the human factor, to verify that the topic is valid. I have done a CASE study of the enterprise; to get detailed information of how they handled information security. I found that the method that has been used and has parallels to frameworks and standards I found in the literature research. By my findings in the literature research and the CASE study, I have been able to develop a simple framework for handling information security in organizations. The framework is suited especially to medium organizations, with less ability to implement several frameworks and standards. Large companies can use frameworks like Cobit, ITIL and ISO standards. The key elements of the framework is a three dimensional cube containing the elements of business requirements, IT resources and information security requirements. I have not found any framework in literature that has linked this combination together.