Many people mistakenly think that information security is all about technology. It obviously plays a massive part in any organization’s security measures, but technology alone can’t protect you from modern cyber threats. Rather, it forms one of three pillars on which an effective and robust information security management system (ISMS) is built.
Let’s look at each of these pillars.
There are two key aspects to managing people. First, you need to make sure everyone in your organization is aware of their role in preventing and reducing cyber threats, whether it’s handling sensitive data, understanding how to spot phishing emails, or complying with a bring your own device (BYOD) policy.
Second, specialized technical cybersecurity staff need to stay up to date with the latest skills and qualifications to make sure that appropriate controls, technologies, and practices are implemented to fight the latest cyber threats. Cybersecurity staff who don’t meet these demands affect the organization’s ability to mitigate and respond to cyber attacks.
An organization’s processes define how its activities, roles, and documentation are used to mitigate the risks to its information. Cyber threats change quickly, so organizations need to continually review their processes.
Of course, these processes will be meaningless if staff don’t follow them.
Once an organization has identified the cyber risks it faces, it can determine the controls it needs to put in place and the technologies needed to implement those controls.
Depending on the results of its risk assessment, an organization can use technological defenses to prevent or mitigate cyber risks.
ISO 27001 – the standard that advocates the three pillars of information security
The international standard ISO 27001 describes best practice for an ISMS and advocates the combination of these three pillars. By maintaining an ISO 27001-compliant ISMS, you can make sure every aspect of cybersecurity is addressed in your organization.
Written by acknowledged ISO 27001 expert Steve Watkins, An Introduction to Information Security and ISO 27001 (2013): A Pocket Guide, Second Edition is the ideal primer for anyone implementing an Information Security Management System (ISMS).