ISO/IEC 27036-3:2013

INTERNATIONAL ISO/IEC
STANDARD 27036-3
First edition
2013-11-15
Information technology — Security
techniques — Information security for
supplier relationships —
Part 3:
Guidelines for information and
communication technology supply
chain security
Technologies de l’information — Techniques de sécurité — Sécurité
d’information pour la relation avec le fournisseur —
Partie 3: Lignes directrices pour la sécurité de la chaîne de fourniture
des technologies de la communication et de l’information
Reference number
ISO/IEC 27036-3:2013(E)
ISO/IEC 2013
---------------------- Page: 1 ----------------------
ISO/IEC 27036-3:2013(E)
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2013

All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form

or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior

written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of

Foreword ........................................................................................................................................................................................................................................iv

Introduction ..................................................................................................................................................................................................................................v

1 Scope ................................................................................................................................................................................................................................. 1

2 Normative references ...................................................................................................................................................................................... 1

3 Terms and definitions ..................................................................................................................................................................................... 1

4 Structure of this standard ........................................................................................................................................................................... 2

5 Key concepts ............................................................................................................................................................................................................. 2

5.1 Business case for ICT supply chain security .................................................................................................................. 2

5.2 ICT supply chain risks and associated threats ............................................................................................................. 3

5.3 Acquirer and supplier relationship types ........................................................................................................................ 3

5.4 Organizational capability ............................................................................................................................................................... 4

5.5 System lifecycle processes ............................................................................................................................................................ 4

5.6 ISMS processes in relation to system lifecycle processes .................................................................................. 5

5.7 ISMS information security controls in relation to ICT supply chain security ................................... 5

5.8 Essential ICT supply chain security practices .............................................................................................................. 5

6 ICT supply chain security in Lifecycle Processes ................................................................................................................ 7

6.1 Agreement Processes ........................................................................................................................................................................ 7

6.2 Organizational Project-Enabling Processes ................................................................................................................10

6.3 Project Processes ...............................................................................................................................................................................13

6.4 Technical Processes .........................................................................................................................................................................15

Annex A (informative) Summary of Supply and Acquisition Processes from ISO/IEC 15288 and

ISO/IEC 12207 ......................................................................................................................................................................................................24

Annex B (informative) Clause 6 mapping to ISO/IEC 27002 .....................................................................................................35

Bibliography .............................................................................................................................................................................................................................37

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical

Commission) form the specialized system for worldwide standardization. National bodies that are

members of ISO or IEC participate in the development of International Standards through technical

committees established by the respective organization to deal with particular fields of technical

activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international

organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the

work. In the field of information technology, ISO and IEC have established a joint technical committee,

International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.

The main task of the joint technical committee is to prepare International Standards. Draft International

Standards adopted by the joint technical committee are circulated to national bodies for voting.

Publication as an International Standard requires approval by at least 75 % of the national bodies

Attention is drawn to the possibility that some of the elements of this document may be the subject of

patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.

ISO/IEC 27036-3 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,

ISO/IEC 27036 consists of the following parts, under the general title Information technology — Security

— Part 3: Guidelines for information and communication technology supply chain security

Information and Communication Technology (ICT) products and services are developed, integrated, and

delivered globally through deep and physically dispersed supply chains. ICT products are assembled from

many components provided by many suppliers. ICT services throughout the entire supplier relationship

are also delivered through multiple tiers of outsourcing and supply chaining. Acquirers do not have

visibility into the practices of hardware, software, and service providers beyond first or possibly second

link of the supply chain. With the substantial increase in the number of organizations and people who

“touch” an ICT product or service, the visibility into the practices by which these products and services

are put together has decreased dramatically. This lack of visibility, transparency, and traceability into

This standard provides guidance to ICT product and service acquirers and suppliers to reduce or manage

information security risk. This standard identifies the business case for ICT supply chain security,

specific risks and relationship types as well as how to develop an organizational capability to manage

information security aspects and incorporate a lifecycle approach to manage risks supported by specific

— Increased ICT supply chain visibility and traceability to enhance information security capability;

— Increased understanding by the acquirers of where their products or services are coming from, and

of the practices used to develop, integrate, or operate these products or services, to enhance the

— In case of an information security compromise, the availability of information about what may have

This international standard is intended to be used by all types of organizations that acquire or supply

ICT products and services in the ICT supply chain. The guidance is primarily focused on the initial link

of the first acquirer and supplier, but the principle steps should be applied throughout the chain, starting

when the first supplier changes its role to being an acquirer and so on. This change of roles and applying

the same steps for each new acquirer-supplier link in the chain is the essential intention of the standard.

By following this international standard, information security implications can be communicated

among organizations in the chain. This helps identifying information security risks and their causes and

may enhance the transparency throughout the chain. Information security concerns related to supplier

relationships cover a broad range of scenarios. Organizations desiring to improve trust within their ICT

supply chain should define their trust boundaries, evaluate the risk associated with their supply chain

activities, and then define and implement appropriate risk identification and mitigation techniques to

reduce the risk of vulnerabilities being introduced through their ICT supply chain.

ISO/IEC 27001 and ISO/IEC 27002 framework and controls provide a useful starting point for identifying

appropriate requirements for acquirers and suppliers. ISO/IEC 27036 provides further detail regarding

specific requirements to be used in establishing and monitoring supplier relationships.

This part of ISO/IEC 27036 provides product and service acquirers and suppliers in ICT supply chain

a) gaining visibility into and managing the information security risks caused by physically dispersed

b) responding to risks stemming from the global ICT supply chain to ICT products and services that

can have an information security impact on the organizations using these products and services.

These risks can be related to organizational as well as technical aspects (e.g. insertion of malicious

c) integrating information security processes and practices into the system and software lifecycle

processes, described in ISO/IEC 15288 and ISO/IEC 12207, while supporting information security

This part of ISO/IEC 27036 does not include business continuity management/resiliency issues involved

The following documents, in whole or in part, are normatively referenced in this document and are

indispensable for its application. For dated references, only the edition cited applies. For undated

references, the latest edition of the referenced document (including any amendments) applies.

ISO/IEC 27000, Information technology — Security techniques — Information security management

ISO/IEC 27036-1, Information technology — Security techniques — Information security for supplier

ISO/IEC 27036-2, Information technology — Security techniques — Information security for supplier

For the purposes of this document, the terms and definitions given in ISO/IEC 27000, ISO/IEC 27036-1

property of a system and its parts to perform its mission accurately and without failure or significant

Note 1 to entry: A system element is a discrete part of a system that can be implemented to fulfil specified

requirements. A system element can be hardware, software, data, humans, processes (e.g. processes for providing

required functionality to users), procedures (e.g. operator instructions), facilities, materials, and naturally

property that allows the tracking of the activity of an identity, process, or an element throughout

confirmation, through the provision of objective evidence, that the requirements for a specific intended

Note 1 to entry: Validation is the set of activities ensuring and gaining confidence that a system is able to accomplish

its intended use, goals and objectives (i.e. meet stakeholder requirements) in the intended operational environment.

confirmation, through the provision of objective evidence, that specified requirements have been fulfilled

Note 1 to entry: Verification is a set of activities that compares a system or system element against the required

characteristics. This may include, but is not limited to, specified requirements, design description and the system itself.

This standard is structured to be harmonized with ISO/IEC 15288 and ISO/IEC 12207. Clause 6

mirrors lifecycle processes provided in those two standards. This standard is also harmonized with

ISO/IEC 27002 and references relevant information security controls within the lifecycle processes with

The documents named in this standard are generic and do not need to be elaborate or separate

documents. Organizations should use existing documents to integrate ICT supply chain security.

Organizations acquire ICT products and services from numerous suppliers who may in turn acquire

components from other suppliers. The information security risks associated with these dispersed and

multi-layered ICT supply chains can be managed through the application of risk management practices and

trusted relationships, thereby increasing visibility, traceability and transparency in the ICT supply chain.

For example, increased visibility into the ICT supply chain is obtained by defining adequate information

security and quality requirements, and ongoing monitoring of suppliers and their products and services

once a supplier relationship is in operation. Identifying and tracking individuals accountable for quality

and security for critical elements provides greater traceability. Establishing contractual requirements

and expectations, as well as reviewing processes and practices provides much needed transparency.

Acquirers should establish an understanding within their organizations regarding the ICT supply chain

risks and their possible impacts on businesses. Specifically, acquirer’s management should be aware

that practices of suppliers throughout the supply chain can have impacts on whether resulting products

and services can be trusted to protect acquirer’s business, information, and information systems.

In a supply chain, information security management of an individual organization (acquirer or supplier)

is not sufficient to maintain information security of the ICT products or services throughout their supply

chain. The acquirer’s management of the ICT sourcing of suppliers, products or services is essential for

Acquiring ICT products and services presents special risks to acquirers in terms of managing information

security risks. As global ICT supply chains get more physically dispersed and traverse multiple

international and organizational boundaries, specific manufacturing and operation practices applied

to individual ICT elements (products, services, and their components) become more difficult to trace

including identifying individuals accountable for quality and security of those elements. This creates a

general lack of traceability throughout the ICT supply chain which in turn results in higher risk of

— Compromise to acquirers’ information security and therefore to business operations through intentional

events such as malicious code insertion and presence of counterfeit products in the ICT supply chain

Both intentional and unintentional events may result in a compromise to acquirer’s data and operations

including intellectual property theft, data leakage, and reduced ability by acquirers to perform their

business functions. Any of these identified concerns, if they were to occur, can harm the reputation of

ICT product and service acquirers and suppliers may involve multiple entities in a variety of supply

a) ICT system management support where systems are owned by acquirer and managed by supplier;

b) ICT systems or services providers where systems or resources are owned and managed by the supplier;

c) Product development, design, engineering and build where supplier provides all or parts of the

Acquirers’ level of risk and need for trust in supplier relationships increases when granting a supplier a

greater level of access to the acquirers’ information and information systems and acquirers’ dependency

on the supplied ICT products and services. For example, acquiring ICT system management support

has sometimes higher risk then acquiring open source or commercial off-the-shelf products. From the

supplier’s perspective, any compromises to the acquirer’s information can harm supplier reputation and

trust with the specific acquirer whose information and information systems have been compromised.

To help manage the uncertainty and risks associated with supplier relationships, acquirers and suppliers

should establish a dialogue and reach an understanding regarding mutual expectations about protecting

To manage risks associated with the ICT supply chain throughout ICT products and services lifecycle,

acquirers and suppliers should implement an organizational capability for managing information

security aspects of supplier relationships. This capability should establish and monitor ICT supply chain

security objectives for the acquirer organization and monitor achievement of these objectives including

a) Define, select, and implement the strategy for management of information security risks caused by

1) Establish and maintain a plan for identifying potential ICT supply chain-related vulnerabilities

before they are exploited; in addition, have a plan for mitigating adverse impacts.

2) Identify and document information security risks associated with the ICT supply chain-related

b) Establish and adhere to baseline information security controls as a prerequisite to robust supplier

c) Establish and adhere to baseline system and software lifecycle processes and practices for

establishing robust supplier relationships in regards to ICT supply chain information security risk

d) Have a set of baseline information security requirements that apply to all supplier relationships and

e) Establish a repeatable and testable process for establishing information security requirements

associated with new supplier relationships, managing existing supplier relationships, verifying and

validating that suppliers are complying with acquirer’s information security requirements, and

f) Establish change management processes to ensure changes that potentially affect information

g) Define methods for identifying and managing incidents related to or caused by ICT supply chain and

Lifecycle processes can help set expectations between acquirers and suppliers for rigor and accountability

with regards to information security. Acquirers can implement lifecycle processes internally, to increase

the rigor with which they establish and manage supplier relationships. Suppliers can implement lifecycle

processes to help demonstrate rigor that suppliers apply to system and software processes with respect

to supplier relationships. While having those processes in place will be helpful for both acquirers and

suppliers in beginning to address ICT supply chain risks, additional ICT supply chain security activities

Systems and software present many of the ICT supply chain risks. Using a lifecycle approach provided

in ISO/IEC 15288 and ISO/IEC 12207 offers an established way of managing those risks. Both standards

provide a set of the same processes as they apply to the specific context of systems or software.

ISO/IEC 12207 is a special case of applying ISO/IEC 15288. Both standards allow for the use of any

lifecycle or lifecycle model and present a set of processes that can be used within any lifecycle or any

lifecycle phase as appropriate. For example, the Configuration Management process can be used both

during system or software development and in operations and maintenance lifecycle phases. This

standard adopts the same approach as those two standards, describing each process at a summary level

Clause 5.8 provides a summary of specific ICT supply chain security practices. Clause 6 provides a

mapping of these ICT supply chain security activities for each lifecycle process. Acquirers and suppliers

should select those activities that are relevant to their organization’s supplier relationship capabilities,

as well as to individual supplier relationships, based on the level of risk presented by suppliers or

ISO/IEC 27001 provides a risk-based process for implementing an information security management

system (ISMS) within a defined scope. Existence of an ISMS within both acquirer and supplier

organizations will help acquirers and suppliers begin addressing ICT supply chain risks and realizing

the need for specific information security controls and processes needed to address these risks.

NOTE This assumes that the scope of the ISMS includes the specific part of the organization that establishes

If an organization defines risks inherent in the ICT supply chain, specific controls that mitigate these

risks should be selected, potentially with extended controls added to ensure that the organization fully

addresses these risks. Clause 5.5 addresses use of information security controls. Annex B maps specific

Suppliers can demonstrate to acquirers that they have a certain level of rigor through demonstrating

When acquirers and suppliers establish ISMSs according to ISO/IEC 27001, the information generated

should be used to communicate the status of information security management between an acquirer

ISO/IEC 27002 includes a number of controls that specifically target external parties, including

suppliers. Clause 15 of ISO/IEC 27002 provides specific guidance for supplier relationships. These and

additional extended controls can be used within the context of the lifecycle processes to help acquirers

in validating specific supplier practices to ensure information security of acquirers’ information and

Some of the ICT supply chain risks can be addressed by applying the standards providing lifecycle

processes (ISO/IEC 15288 and ISO/IEC 12207), requirements for establishing ISMS (ISO/IEC 27001),

and information security controls (ISO/IEC 27002). More detailed practices are required to fully address

a) Chain of custody: the acquirer and supplier have the confidence that each change and handoff made

b) Least privilege access: personnel can access critical information and information systems with only

c) Separation of duties: control the process of creation, modification, or deletion of data or the process

of development, operation, or removal of hardware and software by ensuring that no one person or

d) Tamper resistance and evidence: attempts to tamper are obstructed, and when they occur they are

e) Persistent protection: critical data and information are protected in ways that remain effective

even if the data or information are transferred from the location where it was created or modified;

f) Compliance management: the success of the protections within the agreement can be continually

g) Code assessment and verification: methods for code inspection are applied and suspicious code is

h) ICT supply chain security training: organization’s ability to effectively train relevant personnel on

information security practices. This should include secure development practices, recognition of

i) Vulnerability assessment and response: a formal understanding by acquirer of how well their

suppliers are equipped with the capability to collect input on vulnerabilities from researchers,

customers, or sources, and produce a meaningful impact analysis and appropriate remedies in

the short timeframe involved. This should include acquirer and supplier agreement on systematic

j) Defined expectations: clear language regarding the requirements to be met by the element and