In recent years, the number of cyber (information security) attacks has been increasing all over the world and such attacks are constantly evolving and cause huge damage. In order to protect the operation of enterprises, the enterprise leaders have the responsibility to take information security measures. The internationally certified ISMS (Information Security Management Systems) is a systematic management mechanism for achieving effective control and continuous operation. The purpose of this study is to understand, when introducing ISMS, what supporting measures or conditions the organization will need in order to effectively implement the system. This study is based on qualitative research carried out by interviews, and from the aspect of the adaptive structural theory, four companies have been chosen as the study objects. This study is to find what complementary assets and critical success factors are required for the organization from the experience of actually introducing ISMS. The results show the difficulties during introduction and the solutions.