Publication | Closed Access
Implementation and effectiveness of organizational information security measures
Citations: 149
References: 30
Year: 2008
Keywords: Cybersecurity, Engineering, Information Security, Organizational Behavior, Auditing, Security Awareness, Management, System Security, Organizational Systems, Security Management, Cybersecurity Policy, Information Management, Information Security Managers, Information Security Management, Organization Theory, Security, Norwegian Organizations, Business, Security Governance, Technology
The study highlights the non‑technological aspects of information security and examines how combinations of organizational measures differ from single‑measure approaches. The paper investigates how organizational information security measures are implemented and evaluates their effectiveness. A survey of information security managers in selected Norwegian organizations was used to collect data. Technical‑administrative measures are most commonly implemented, yet awareness‑creating activities—though less frequent—are judged more effective, revealing an inverse relationship between implementation frequency and perceived effectiveness.
Purpose: The purpose of this paper is to study the implementation of organizational information security measures and assess the effectiveness of such measures.

Design/methodology/approach: A survey was designed and data were collected from information security managers in a selection of Norwegian organizations.

Findings: Technical‐administrative security measures such as security policies, procedures and methods are the most commonly implemented organizational information security measures in a sample of Norwegian organizations. Awareness‐creating activities are applied by the organizations to a considerably lesser extent, but at the same time these are assessed as being more effective organizational measures than technical‐administrative ones. Consequently, the study shows an inverse relationship between the implementation of organizational information security measures and the assessed effectiveness of those measures.

Originality/value: Provides insight into the non‐technological side of information security. While most other studies look at the effectiveness of single organizational security measures, the present study considers combinations of organizational security measures.