The 3 pillars of information security

Many people mistakenly think that information security is all about technology. Technology obviously plays a major part in any organization’s security measures, but on its own it can’t protect you from modern cyber threats. Rather, it is one of the three pillars on which an effective and robust information security management system (ISMS) is built: people, processes, and technology.

Let’s look at each of these pillars.

People
There are two key aspects to managing people. First, you need to make sure everyone in your organization understands their role in preventing and reducing cyber threats, whether that means handling sensitive data correctly, knowing how to spot a phishing email, or complying with a bring your own device (BYOD) policy. Most incidents begin with a person doing something ordinary, so awareness training has to be regular, specific to people’s roles, and reinforced rather than delivered once at induction.

Second, specialized technical cybersecurity staff need to keep their skills and qualifications current so that appropriate controls, technologies, and practices are implemented against the latest cyber threats. Cybersecurity staff who fall behind weaken the organization’s ability to mitigate and respond to cyber attacks.

Processes
An organization’s processes define how its activities, roles, and documentation are used to manage the risks to its information: who does what, in what order, and what evidence is kept. Cyber threats change quickly, so organizations need to review their processes continually rather than treating them as a one-off exercise.

Of course, these processes are meaningless if staff don’t follow them, which is why the people and process pillars depend on each other: a process nobody knows about, or that is too cumbersome to follow, is not a control.

Technology
Once an organization has identified the cyber risks it faces, it can determine the controls it needs to put in place and the technologies needed to implement them. The order matters: technology chosen before the risk assessment tends to address the threats a vendor sells against rather than the ones the organization actually faces.

Depending on the results of its risk assessment, an organization can then use technological defenses to prevent or mitigate those risks, and review whether they are still adequate each time the assessment is repeated.

ISO 27001 – the standard that advocates the three pillars of information security

The international standard ISO/IEC 27001 sets out the requirements for an ISMS and is built on the combination of these three pillars. Maintaining an ISO 27001-compliant ISMS helps ensure that people, processes, and technology are all addressed systematically and on the basis of a documented risk assessment, rather than technology alone.

Our ISO 27001 DIY packages offer a flexible way of implementing ISO 27001. You can select the package that’s suitable for your needs – whether you’re looking for implementation guides, toolkits, training courses, or consultancy.

You can access our comprehensive suite of expertly developed tools and resources in the most efficient and cost-effective format available.

Find out more about our ISO 27001 DIY packages >>