Abstract:
The paper emphasizes that precise awareness of information security policy, its aspects and practices is a significant point that organizations must pay attention to in order to prevent potential security threats. However, some Saudi organizations lack security awareness. This paper presents some previous studies that were conducted to evaluate the state of policy and information security awareness and application in a Saudi organization. The paper takes a small Saudi organization as a case study, to audit its state and describe the possible risk scenarios that may take place. Most information about the company was gathered by interviewing its CEO. The audit found five possible risk scenarios: lack of security policy, personal information leakage from the website, the risk of damage to the CEO's device, and two scenarios related to outsourcing companies. The paper provides some recommendations to the audited organization, which may serve other organizations that have the same characteristics: adopt and document a comprehensive security policy and procedures from the beginning stages of a company, and ensure that the employees are aware of these documents and of the required practices to secure sensitive information. In addition, introduce a mechanism to ensure that security controls are met, secure personal information transmitted over the website, and regularly check that the website is free of bugs. The paper also recommends including more security details in outsourcing contracts and involving a specialized attorney in them, preferring short-term outsourcing contracts, and taking possible alternative third-party companies into consideration as a precaution.
Date of Conference: 25-26 April 2018
Date Added to IEEE Xplore: 30 December 2018