The security that can be achieved through technical means is limited. Information security is achieved by implementing a suitable set of controls that include policies, processes, procedures, organizational structures, as well as software and hardware solutions.

​

Identifying which controls should be in place requires careful planning and attention to detail. A successful Information Security Management System (ISMS) requires support by all employees in the organization and may sometimes include external parties such as suppliers.