Information security is a central concern inside organisations, but it remains quite difficult for most small entities to implement and maintain. In this context, the Public Research Centre Henri Tudor and Luxembourg's Ministry of Economy and Foreign Trade decided to enhance information security awareness and management in Luxembourg's small and medium enterprises. Our research work therefore aims to propose a method adapted to small and medium enterprises for conducting a first assessment of an enterprise's information security maturity and improving its process accordingly. This paper describes the framework developed and presents its validation in industry. The results of applying the method in industry are positive and show a lack of organisational maturity in information security. The future challenge for this assessment method is its integration into an information security web platform and the use of the large amount of statistics to continuously improve and contextualise the proposed tool. Copyright © 2013 John Wiley & Sons, Ltd.