When it comes to strict adherence to compliance standards, many information systems have not been designed to be secure.
The security that can be achieved through technical means is limited. Information security is achieved by implementing a suitable set of controls that include policies, processes, procedures, organizational structures, as well as software and hardware solutions.
Identifying which controls should be in place requires careful planning and attention to detail. A successful Information Security Management System (ISMS) requires support from all employees in the organization and may sometimes involve external parties such as suppliers.