If you're into topics like ISMS, organizational risk management or certifications, check the free publications and detailed information from BSI here: https://www.bsi.bund.de/DE/Themen/ITGrundschutz/itgrundschutz_node.html
Here are some important take-home messages:
Your technical infrastructure might be outstandingly secure, but with millions of new attacks every day, at least a few will get through. Prevent breaches from phishing and other less sophisticated attacks with solid employee awareness (e.g. how to recognize malicious mails) and maintain an active risk management process (e.g. run internal phishing simulations).
On the other side, specifically targeted attacks are comparatively rare but extremely dangerous. Before the actual hack begins, criminals gather a great deal of specific information from different channels such as social media (always be aware of your company's and your employees' web presence!) and use manipulative communication and spoofing to convince selected colleagues to "open the door" for them.
Make sure you set up effective control of rights, access and authentication, so that you can at least limit the damage or prevent it altogether.
Conclusion: No matter how sophisticated your tech-sec setup is, it's only as strong as the people working in it.