
Defence in Depth


Defence in Depth is a security strategy that layers multiple independent protective controls in sequence. If one layer fails, the next one catches the attack.

Typical layers include perimeter firewalls, network segmentation, endpoint protection, application security, encryption, and organizational measures such as training. The concept originates from military doctrine and is one of the oldest principles in information security. ISO 27001 Annex A implicitly requires it by mandating technical, organizational, and physical controls together. Its strength lies in the fact that no single failure compromises the entire system.