This paper introduces the concept of an “IT-centric ISMS”, which deviates from traditional approaches to establishing an ISMS by emphasising IT security. Unlike resource-intensive holistic information security programs, the IT-centric ISMS is designed and managed solely by the IT unit. To implement this approach effectively, security specialists should evaluate the suitability of controls within security frameworks and select those best suited to organisational objectives and limitations. To meet this need, this paper proposes a method for evaluating security controls across frameworks, thus facilitating the selection of controls that fit the purpose.