For enterprises to be able to properly use information and communications technologies, it is necessary to have guides, metrics and tools that allow us to always know the level of our security and the points in which we are not covering it. In small and medium-size enterprises, the application of security standards has an additional problem, that is, the fact that they do not have enough resources to perform an appropriate management. In this paper, we will present a new approach to manage security within this kind of enterprises, adapted to the size of the enterprise and its maturity level, using as a reference ISO/IEC 17799. This approach is being directly applied to real cases and it is obtaining a constant improvement in its application.