In order to evaluate the metamodel for its practicality, activities in information security management need to be identified. Most activities are linked to the three main questions information security managers are facing in their work: 1) What needs to be protected? 2) Against what does it have to be protected? 3) How can it be protected? Answering these three fundamental questions reveals the identification of assets, the identification of threats and the identification and selection of appropriate countermeasures as main activities.