The security that can be achieved through technical means is limited. Information security is achieved by implementing a suitable set of controls that include policies, processes, procedures, organizational structures, as well as software and hardware solutions.
Identifying which controls should be in place requires careful planning and attention to detail. A successful Information Security Management System (ISMS) requires support by all employees in the organization and may sometimes include external parties such as suppliers.