Transforming Information Security to Comply with Legislation: A Client Case Study