Information security management is an area with a lot of theoretical models. The models are designed to guide practitioners in prioritizing management resources in companies. Information security management education should address the gap between the academic ideals and practice. This paper introduces a teaching method that has been in use as coursework for ten years. In addition to the theoretical lectures on information security management issues, the students of the course perform information security assessments of local small and medium enterprises (SME). The general assessment of the information security status of a company gives the students a view into what the companies have taken into practice and if they have used theoretical models to guide their work. The analysis of the status and suggestions for improvements also teach the students to scale the theory with the size and operations of the company. This is important because usually information security management literature takes the viewpoint of large organizations, whereas the companies that participate in the assessment are small or medium-sized. Course feedback from the students shows that the assignment is perceived to be useful and interesting, and that it works well when paired with the theoretical teaching of the course. The students find working with real companies motivating, and state that they have learned more than they would have learned on a purely theoretical course. The paper discusses experiences from the course to present a teaching and learning method worth experimenting with in other universities. (Contains 2 tables.)