Information technology — Security techniques — Information security for supplier relationships — Part 3: Guidelines for information and communication technology supply chain security

ISO/IEC 27036-3:2013 provides product and service acquirers and suppliers in the information and communication technology (ICT) supply chain with guidance on:

a) gaining visibility into and managing the information security risks caused by physically dispersed and multi-layered ICT supply chains;
b) responding to risks stemming from the global ICT supply chain to ICT products and services that can have an information security impact on the organizations using these products and services. These risks can be related to organizational as well as technical aspects (e.g. insertion of malicious code or presence of counterfeit information technology (IT) products);
c) integrating information security processes and practices into the system and software lifecycle processes, described in ISO/IEC 15288 and ISO/IEC 12207, while supporting the information security controls described in ISO/IEC 27002.

ISO/IEC 27036-3:2013 does not include business continuity management/resiliency issues involved with the ICT supply chain. ISO/IEC 27031 addresses business continuity.

French title (translated): Information technology — Security techniques — Information security for supplier relationships — Part 3: Guidelines for security of the information and communication technology supply chain

General Information

Status: Published
Publication Date: 07-Nov-2013
Current Stage: 9092 - International Standard to be revised
Completion Date: 19-Apr-2021
Standard: ISO/IEC 27036-3:2013 - Information technology -- Security techniques -- Information security for supplier relationships (English language, 37 pages)

Standards Content (Sample)

INTERNATIONAL STANDARD ISO/IEC 27036-3
First edition 2013-11-15
Information technology — Security techniques — Information security for supplier relationships — Part 3: Guidelines for information and communication technology supply chain security
French title (translated): Information technology — Security techniques — Information security for supplier relationships — Part 3: Guidelines for security of the information and communication technology supply chain
Reference number ISO/IEC 27036-3:2013(E)
© ISO/IEC 2013
ISO/IEC 27036-3:2013(E)
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2013

All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO's member body in the country of the requester.

ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
Contents

Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Structure of this standard
5 Key concepts
5.1 Business case for ICT supply chain security
5.2 ICT supply chain risks and associated threats
5.3 Acquirer and supplier relationship types
5.4 Organizational capability
5.5 System lifecycle processes
5.6 ISMS processes in relation to system lifecycle processes
5.7 ISMS information security controls in relation to ICT supply chain security
5.8 Essential ICT supply chain security practices
6 ICT supply chain security in Lifecycle Processes
6.1 Agreement Processes
6.2 Organizational Project-Enabling Processes
6.3 Project Processes
6.4 Technical Processes
Annex A (informative) Summary of Supply and Acquisition Processes from ISO/IEC 15288 and ISO/IEC 12207
Annex B (informative) Clause 6 mapping to ISO/IEC 27002
Bibliography

Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.

The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote.

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.

ISO/IEC 27036-3 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.

ISO/IEC 27036 consists of the following parts, under the general title Information technology — Security techniques — Information security for supplier relationships:
— Part 1: Overview and concepts
— Part 2: Requirements
— Part 3: Guidelines for information and communication technology supply chain security

The following part is under preparation:
— Part 4: Guidelines for security of cloud services.
Introduction

Information and Communication Technology (ICT) products and services are developed, integrated, and delivered globally through deep and physically dispersed supply chains. ICT products are assembled from many components provided by many suppliers. ICT services throughout the entire supplier relationship are also delivered through multiple tiers of outsourcing and supply chaining. Acquirers do not have visibility into the practices of hardware, software, and service providers beyond the first or possibly second link of the supply chain. With the substantial increase in the number of organizations and people who "touch" an ICT product or service, the visibility into the practices by which these products and services are put together has decreased dramatically. This lack of visibility, transparency, and traceability into the ICT supply chain poses risks to acquiring organizations.

This standard provides guidance to ICT product and service acquirers and suppliers to reduce or manage information security risk. This standard identifies the business case for ICT supply chain security, specific risks and relationship types, as well as how to develop an organizational capability to manage information security aspects and incorporate a lifecycle approach to manage risks supported by specific controls and practices. Its application is expected to result in:
— Increased ICT supply chain visibility and traceability to enhance information security capability;
— Increased understanding by the acquirers of where their products or services are coming from, and of the practices used to develop, integrate, or operate these products or services, to enhance the implementation of information security requirements;
— In case of an information security compromise, the availability of information about what may have been compromised and who the involved actors may be.

This international standard is intended to be used by all types of organizations that acquire or supply ICT products and services in the ICT supply chain. The guidance is primarily focused on the initial link of the first acquirer and supplier, but the principal steps should be applied throughout the chain, starting when the first supplier changes its role to being an acquirer, and so on. This change of roles and applying the same steps for each new acquirer-supplier link in the chain is the essential intention of the standard.

By following this international standard, information security implications can be communicated among organizations in the chain. This helps identify information security risks and their causes and may enhance the transparency throughout the chain. Information security concerns related to supplier relationships cover a broad range of scenarios. Organizations desiring to improve trust within their ICT supply chain should define their trust boundaries, evaluate the risk associated with their supply chain activities, and then define and implement appropriate risk identification and mitigation techniques to reduce the risk of vulnerabilities being introduced through their ICT supply chain.

The ISO/IEC 27001 and ISO/IEC 27002 framework and controls provide a useful starting point for identifying appropriate requirements for acquirers and suppliers. ISO/IEC 27036 provides further detail regarding specific requirements to be used in establishing and monitoring supplier relationships.

INTERNATIONAL STANDARD ISO/IEC 27036-3:2013(E)
Information technology — Security techniques —
Information security for supplier relationships —
Part 3:
Guidelines for information and communication technology
supply chain security
1 Scope

This part of ISO/IEC 27036 provides product and service acquirers and suppliers in the ICT supply chain with guidance on:
a) gaining visibility into and managing the information security risks caused by physically dispersed and multi-layered ICT supply chains;
b) responding to risks stemming from the global ICT supply chain to ICT products and services that can have an information security impact on the organizations using these products and services. These risks can be related to organizational as well as technical aspects (e.g. insertion of malicious code or presence of counterfeit information technology (IT) products);
c) integrating information security processes and practices into the system and software lifecycle processes, described in ISO/IEC 15288 and ISO/IEC 12207, while supporting the information security controls described in ISO/IEC 27002.

This part of ISO/IEC 27036 does not include business continuity management/resiliency issues involved with the ICT supply chain. ISO/IEC 27031 addresses business continuity.
2 Normative references

The following documents, in whole or in part, are normatively referenced in this document and are indispensable for its application. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

ISO/IEC 27000, Information technology — Security techniques — Information security management systems — Overview and vocabulary
ISO/IEC 27036-1, Information technology — Security techniques — Information security for supplier relationships — Part 1: Overview and concepts
ISO/IEC 27036-2, Information technology — Security techniques — Information security for supplier relationships — Part 2: Requirements
3 Terms and definitions

For the purposes of this document, the terms and definitions given in ISO/IEC 27000, ISO/IEC 27036-1 and the following apply.

3.1
reliability
property of a system and its parts to perform its mission accurately and without failure or significant degradation
3.2
system element
member of a set of elements that constitutes a system

Note 1 to entry: A system element is a discrete part of a system that can be implemented to fulfil specified requirements. A system element can be hardware, software, data, humans, processes (e.g. processes for providing required functionality to users), procedures (e.g. operator instructions), facilities, materials, and naturally occurring entities (e.g. water, organisms, minerals), or any combination.

[SOURCE: ISO/IEC 15288:2008, definition 4.32]

3.3
transparency
property of a system or process to imply openness and accountability

3.4
traceability
property that allows the tracking of the activity of an identity, process, or an element throughout the supply chain

3.5
validation
confirmation, through the provision of objective evidence, that the requirements for a specific intended use or application have been fulfilled

Note 1 to entry: Validation is the set of activities ensuring and gaining confidence that a system is able to accomplish its intended use, goals and objectives (i.e. meet stakeholder requirements) in the intended operational environment.

[SOURCE: ISO/IEC 15288:2008, definition 4.37]

3.6
verification
confirmation, through the provision of objective evidence, that specified requirements have been fulfilled

Note 1 to entry: Verification is a set of activities that compares a system or system element against the required characteristics. This may include, but is not limited to, specified requirements, design description and the system itself.

[SOURCE: ISO/IEC 15288:2008, definition 4.38]
4 Structure of this standard

This standard is structured to be harmonized with ISO/IEC 15288 and ISO/IEC 12207. Clause 6 mirrors the lifecycle processes provided in those two standards. This standard is also harmonized with ISO/IEC 27002 and references relevant information security controls within the lifecycle processes, with the mapping provided in Annex B.

The documents named in this standard are generic and do not need to be elaborate or separate documents. Organizations should use existing documents to integrate ICT supply chain security.

5 Key concepts

5.1 Business case for ICT supply chain security

Organizations acquire ICT products and services from numerous suppliers who may in turn acquire components from other suppliers. The information security risks associated with these dispersed and multi-layered ICT supply chains can be managed through the application of risk management practices and trusted relationships, thereby increasing visibility, traceability and transparency in the ICT supply chain. For example, increased visibility into the ICT supply chain is obtained by defining adequate information security and quality requirements, and ongoing monitoring of suppliers and their products and services once a supplier relationship is in operation. Identifying and tracking individuals accountable for quality and security for critical elements provides greater traceability. Establishing contractual requirements and expectations, as well as reviewing processes and practices, provides much needed transparency.

Acquirers should establish an understanding within their organizations regarding the ICT supply chain risks and their possible impacts on businesses. Specifically, the acquirer's management should be aware that practices of suppliers throughout the supply chain can have impacts on whether resulting products and services can be trusted to protect the acquirer's business, information, and information systems.

5.2 ICT supply chain risks and associated threats

In a supply chain, information security management of an individual organization (acquirer or supplier) is not sufficient to maintain information security of the ICT products or services throughout their supply chain. The acquirer's management of the ICT sourcing of suppliers, products or services is essential for information security.

Acquiring ICT products and services presents special risks to acquirers in terms of managing information security risks. As global ICT supply chains get more physically dispersed and traverse multiple international and organizational boundaries, specific manufacturing and operation practices applied to individual ICT elements (products, services, and their components) become more difficult to trace, including identifying individuals accountable for quality and security of those elements. This creates a general lack of traceability throughout the ICT supply chain, which in turn results in higher risk of
— Compromise to acquirers' information security and therefore to business operations through intentional events such as malicious code insertion and presence of counterfeit products in the ICT supply chain;
— Unintentional events, such as sloppy software development practices.

Both intentional and unintentional events may result in a compromise to the acquirer's data and operations including intellectual property theft, data leakage, and reduced ability by acquirers to perform their business functions. Any of these identified concerns, if they were to occur, can harm the reputation of the organization, leading to further impacts such as loss of business.
5.3 Acquirer and supplier relationship types

ICT product and service acquirers and suppliers may involve multiple entities in a variety of supply chain based relationships, including but not limited to:
a) ICT system management support where systems are owned by the acquirer and managed by the supplier;
b) ICT systems or services providers where systems or resources are owned and managed by the supplier;
c) Product development, design, engineering and build where the supplier provides all or parts of the service associated with creating ICT products;
d) Commercial-off-the-shelf product suppliers;
e) Open source product suppliers and distributors.

Acquirers' level of risk and need for trust in supplier relationships increase when a supplier is granted a greater level of access to the acquirers' information and information systems, and with acquirers' dependency on the supplied ICT products and services. For example, acquiring ICT system management support sometimes carries higher risk than acquiring open source or commercial off-the-shelf products. From the supplier's perspective, any compromise of the acquirer's information can harm supplier reputation and trust with the specific acquirer whose information and information systems have been compromised.

To help manage the uncertainty and risks associated with supplier relationships, acquirers and suppliers should establish a dialogue and reach an understanding regarding mutual expectations about protecting each other's information and information systems.
5.4 Organizational capability

To manage risks associated with the ICT supply chain throughout the ICT products and services lifecycle, acquirers and suppliers should implement an organizational capability for managing information security aspects of supplier relationships. This capability should establish ICT supply chain security objectives for the acquirer organization and monitor achievement of these objectives, including at least the following:
a) Define, select, and implement the strategy for management of information security risks caused by ICT supply chain vulnerabilities:
1) Establish and maintain a plan for identifying potential ICT supply chain-related vulnerabilities before they are exploited; in addition, have a plan for mitigating adverse impacts.
2) Identify and document information security risks associated with the ICT supply chain-related threats, vulnerabilities, and consequences (see Clause 6.3.4).
b) Establish and adhere to baseline information security controls as a prerequisite to robust supplier relationships (see Annex B for a mapping of Clause 6 to ISO/IEC 27002).
c) Establish and adhere to baseline system and software lifecycle processes and practices for establishing robust supplier relationships in regards to ICT supply chain information security risk management concerns (see Clause 6).
d) Have a set of baseline information security requirements that apply to all supplier relationships and tailor them for specific suppliers as needed.
e) Establish a repeatable and testable process for establishing information security requirements associated with new supplier relationships, managing existing supplier relationships, verifying and validating that suppliers are complying with the acquirer's information security requirements, and ending supplier relationships.
f) Establish change management processes to ensure changes that potentially affect information security are approved and applied in a timely manner.
g) Define methods for identifying and managing incidents related to or caused by the ICT supply chain and for sharing information about the incidents with suppliers and acquirers.
5.5 System lifecycle processes

Lifecycle processes can help set expectations between acquirers and suppliers for rigor and accountability with regards to information security. Acquirers can implement lifecycle processes internally, to increase the rigor with which they establish and manage supplier relationships. Suppliers can implement lifecycle processes to help demonstrate the rigor that they apply to system and software processes with respect to supplier relationships. While having those processes in place will be helpful for both acquirers and suppliers in beginning to address ICT supply chain risks, additional ICT supply chain security activities should be integrated into those processes.

Systems and software present many of the ICT supply chain risks. Using the lifecycle approach provided in ISO/IEC 15288 and ISO/IEC 12207 offers an established way of managing those risks. Both standards provide the same set of processes as they apply to the specific context of systems or software. ISO/IEC 12207 is a special case of applying ISO/IEC 15288. Both standards allow for the use of any lifecycle or lifecycle model and present a set of processes that can be used within any lifecycle or any lifecycle phase as appropriate. For example, the Configuration Management process can be used both during system or software development and in the operations and maintenance lifecycle phases. This standard adopts the same approach as those two standards, describing each process at a summary level by a statement of purpose and then decomposing each process into practices.

Clause 5.8 provides a summary of specific ICT supply chain security practices. Clause 6 provides a mapping of these ICT supply chain security activities for each lifecycle process. Acquirers and suppliers should select those activities that are relevant to their organization's supplier relationship capabilities, as well as to individual supplier relationships, based on the level of risk presented by suppliers or acquirers described in Clause 5.1.
5.6 ISMS processes in relation to system lifecycle processes

ISO/IEC 27001 provides a risk-based process for implementing an information security management system (ISMS) within a defined scope. Existence of an ISMS within both acquirer and supplier organizations will help acquirers and suppliers begin addressing ICT supply chain risks and realizing the need for the specific information security controls and processes needed to address these risks.

NOTE This assumes that the scope of the ISMS includes the specific part of the organization that establishes and maintains acquirer and supplier relationships.

If an organization defines risks inherent in the ICT supply chain, specific controls that mitigate these risks should be selected, potentially with extended controls added to ensure that the organization fully addresses these risks. Clause 5.7 addresses the use of information security controls. Annex B maps specific information security controls to the individual lifecycle processes in Clause 6.

Suppliers can demonstrate to acquirers that they have a certain level of rigor through demonstrating ISO/IEC 27001 conformance.

When acquirers and suppliers establish ISMSs according to ISO/IEC 27001, the information generated should be used to communicate the status of information security management between an acquirer and a supplier. This may include:
a) scope of the ISMS;
b) statement of applicability;
c) risk assessment procedures;
d) audit plan;
e) awareness programs;
f) incident management;
g) measurement programs;
h) information classification scheme;
i) change management;
j) other relevant specific controls applied.
5.7 ISMS information security controls in relation to ICT supply chain security

ISO/IEC 27002 includes a number of controls that specifically target external parties, including suppliers. Clause 15 of ISO/IEC 27002 provides specific guidance for supplier relationships. These and additional extended controls can be used within the context of the lifecycle processes to help acquirers in validating specific supplier practices to ensure information security of acquirers' information and information systems.

Annex B maps specific ISO/IEC 27002 controls to individual lifecycle processes.
5.8 Essential ICT supply chain security practices

Some of the ICT supply chain risks can be addressed by applying the standards providing lifecycle processes (ISO/IEC 15288 and ISO/IEC 12207), requirements for establishing an ISMS (ISO/IEC 27001), and information security controls (ISO/IEC 27002). More detailed practices are required to fully address these risks, such as:
a) Chain of custody: the acquirer and supplier have the confidence that each change and handoff made during the element's lifetime is authorized, transparent and verifiable;
b) Least privilege access: personnel can access critical information and information systems with only the privileges needed to do their jobs;
c) Separation of duties: control the process of creation, modification, or deletion of data or the process of development, operation, or removal of hardware and software by ensuring that no one person or role alone can complete a task;
d) Tamper resistance and evidence: attempts to tamper are obstructed, and when they occur they are evident and reversible;
e) Persistent protection: critical data and information are protected in ways that remain effective even if the data or information are transferred from the location where they were created or modified;
f) Compliance management: the success of the protections within the agreement can be continually and independently confirmed;
g) Code assessment and verification: methods for code inspection are applied and suspicious code is detected;
h) ICT supply chain security training: the organization's ability to effectively train relevant personnel on information security practices. This should include secure development practices, recognition of tampering, etc., as appropriate;
i) Vulnerability assessment and response: a formal understanding by the acquirer of how well their suppliers are equipped with the capability to collect input on vulnerabilities from researchers, customers, or other sources, and produce a meaningful impact analysis and appropriate remedies in the short timeframe involved. This should include acquirer and supplier agreement on systematic, repeatable vulnerability response processes;
j) Defined expectations: clear language regarding the requirements to be met by the element and design/development environment is set forth in the agr
...
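Practices a) and d) above (chain of custody; tamper evidence) are stated as outcomes, not mechanisms. The following is an added illustration of one way an acquirer can make a custody history "authorized, transparent and verifiable"; it is example code written for this page, not text or code from ISO/IEC 27036-3 or from ISO/IEC. Everything in it is assumed for the example: the three supplier tiers and their names, the per-party keys, the constructed firmware bytes, and the use of HMAC as a stand-in for the digital signatures a real deployment would use so that each party's record is non-repudiable. Each custody record commits to the SHA-256 of the artifact, to the previous record, and to the party that performed the step; the acquirer replays the chain and rejects a substituted artifact, a rewritten record, or a reordered handoff.

```python
import hashlib
import hmac
import json

# Constructed per-party keys for this example. Each tier holds its own key; a real
# deployment would use signing keys (non-repudiation), not shared HMAC secrets.
PARTY_KEYS = {
    "component-vendor": b"example-key-vendor",
    "integrator": b"example-key-integrator",
    "distributor": b"example-key-distributor",
}

GENESIS = "0" * 64  # "previous record" value for the first custody record


def _canonical(record):
    # Canonical JSON so every party hashes exactly the same bytes.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def _body(entry):
    # The fields that are hashed and authenticated (everything but the seals themselves).
    return {k: v for k, v in entry.items() if k not in ("entry_hash", "mac")}


def record_hash(entry):
    return hashlib.sha256(_canonical(_body(entry))).hexdigest()


def append_handoff(chain, party, artifact, action, authorized_by):
    """Record one change or handoff. The record commits to the artifact hash and to the
    previous record, and is authenticated by the party performing the step."""
    if party not in PARTY_KEYS:
        raise ValueError(f"unknown party: {party}")
    body = {
        "seq": len(chain),
        "party": party,
        "action": action,
        "authorized_by": authorized_by,
        "artifact_sha256": hashlib.sha256(artifact).hexdigest(),
        "prev": chain[-1]["entry_hash"] if chain else GENESIS,
    }
    entry_hash = record_hash(body)
    mac = hmac.new(PARTY_KEYS[party], entry_hash.encode(), hashlib.sha256).hexdigest()
    chain.append({**body, "entry_hash": entry_hash, "mac": mac})
    return chain


def verify_chain(chain, delivered_artifact):
    """Acquirer-side check of the whole custody history. Returns (ok, reason)."""
    if not chain:
        return False, "empty custody chain"
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry.get("seq") != i or entry.get("prev") != prev:
            return False, f"chain link broken at seq {i}"
        if record_hash(entry) != entry.get("entry_hash"):
            return False, f"record {i} altered after it was written"
        key = PARTY_KEYS.get(entry.get("party"))
        if key is None:
            return False, f"record {i} from unknown party {entry.get('party')}"
        expected = hmac.new(key, entry["entry_hash"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, entry.get("mac", "")):
            return False, f"record {i} not authenticated by {entry['party']}"
        if not entry.get("authorized_by"):
            return False, f"record {i}: handoff not authorized"
        prev = entry["entry_hash"]
    if hashlib.sha256(delivered_artifact).hexdigest() != chain[-1]["artifact_sha256"]:
        return False, "delivered artifact does not match the last custody record"
    return True, "ok"


def build_sample_chain():
    """Constructed scenario: a firmware image passes through three supplier tiers."""
    firmware_v1 = b"FIRMWARE v1.0 (constructed sample bytes)"
    firmware_v2 = firmware_v1 + b" + integrator patch"
    chain = []
    append_handoff(chain, "component-vendor", firmware_v1, "build", "vendor-release-mgr")
    append_handoff(chain, "integrator", firmware_v2, "patch", "integrator-change-board")
    append_handoff(chain, "distributor", firmware_v2, "ship", "distributor-logistics")
    return chain, firmware_v2


if __name__ == "__main__":
    chain, delivered = build_sample_chain()
    print(verify_chain(chain, delivered))
    # Counterfeit substituted in transit: bytes no longer match the last record.
    print(verify_chain(chain, delivered + b"\x00backdoor"))
    # History rewritten without the integrator's key: the record no longer verifies.
    forged = [dict(e) for e in chain]
    forged[1]["authorized_by"] = "nobody"
    forged[1]["entry_hash"] = record_hash(forged[1])
    print(verify_chain(forged, delivered))
```

The check order matters: linkage and record hash are verified before the party's seal, so a reordered or edited record is reported as such rather than as a generic authentication failure, which is the "evident" part of tamper evidence. Replacing the HMAC with a per-party signature (and distributing only public keys to the acquirer) is what turns "verifiable" into "attributable" across organizational boundaries.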
