A1 Peer-reviewed original article in a scientific journal
Information systems security policy implementation in practice: from best practices to situated practices
Authors: Elina Niemimaa, Marko Niemimaa
Publisher: Palgrave Macmillan
Publication year: 2017
Journal: European Journal of Information Systems
Volume: 26
Issue: 1
First page: 1
Last page: 20
Number of pages: 20
ISSN: 0960-085X
eISSN: 1476-9344
DOI: https://doi.org/10.1057/s41303-016-0025-y
Web address: https://link.springer.com/article/10.1057/s41303-016-0025-y
Organizations face institutional pressure to adopt information systems 
security (ISS) best practices to manage risks to their information 
assets. The literature shows that best practices should be 
contextualized, that is, translated from universal and general 
prescriptions into organizational documents and practices. Yet, little 
is known about how organizations actually make the translation from the 
best practices into situated practices. In this ethnographic study, we 
draw on practice theory and related concepts of canonical and 
non-canonical practices to analyze the process of translation. We 
explore how an IT service provider translated the ISS best practice of 
information classification into an ISS policy and into situated 
practices. We identify three translation mechanisms: (1) translating 
global to local, (2) disrupting and reconstructing local non-canonical 
practices, and (3) reconstructing and enacting local canonical 
practices. We find that while the translation was inhibited by 
incongruent practices, insufficient understanding of employees’ work, 
and the ISS managers’ lack of engagement in organizational practices, 
allowing situated practices to shape the ISS policy and actively 
engaging employees in the reconstruction of situated practices 
contributed positively to the translation. Contributions and 
implications for research and practice are discussed and conclusions are
drawn.