LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

What are the three pillars of information security, and why does relying on just one fail?

Information security stands on three pillars — technology, processes, and people — and it is only as strong as the weakest of them; a firewall means nothing if the process is undefined or an employee clicks the phishing link.

Three pillars of information security: technology (buy & configure), processes (define & control), people (raise awareness & train).

* Information security rests on three complementary pillars — technology, processes, and people — and is only as strong as its weakest one. *

Pillar What you do with it Example
Technology (Technik) Buy and configure it Firewalls, encryption, patch management
Processes (Prozesse) Define and control them Access-request workflow, incident response, backups
People (Menschen) Raise awareness and train them Phishing training, clean-desk habits, reporting culture

The point of the model is that these are complementary, not interchangeable: the best technology is undermined by a sloppy process, and the tightest process is undermined by an untrained or careless person. This is exactly why a management standard like ISO 27001 or BSI IT-Grundschutz spans all three — it manages processes and people (policies, roles, training, audits), not just technical controls. "We already have a firewall" fails because it addresses one pillar and ignores the other two.

Tip: Buy/configure → define/control → sensitize/train. Match each verb pair to its pillar (technology, process, people).

Go deeper:

From Quiz: ISM / Standards & Frameworks I (ISO, BSI) | Updated: Jul 14, 2026