ISO/IEC 27036-1:2014
(Main)Information technology — Security techniques — Information security for supplier relationships — Part 1: Overview and concepts
Information technology — Security techniques — Information security for supplier relationships — Part 1: Overview and concepts
ISO/IEC 27036-1:2014 is an introductory part of ISO/IEC 27036. It provides an overview of the guidance intended to assist organizations in securing their information and information systems within the context of supplier relationships. It also introduces concepts that are described in detail in the other parts of ISO/IEC 27036. ISO/IEC 27036-1:2014 addresses perspectives of both acquirers and suppliers.
Technologies de l'information — Techniques de sécurité — Sécurité d'information pour la relation avec le fournisseur — Partie 1: Aperçu général et concepts
General Information
Relations
Buy Standard
Standards Content (Sample)
INTERNATIONAL ISO/IEC
STANDARD 27036-1
First edition
2014-04-01
Information technology — Security
techniques — Information security for
supplier relationships —
Part 1:
Overview and concepts
Technologies de l’information — Techniques de sécurité — Sécurité
d’information pour la relation avec le fournisseur —
Partie 1: Aperçu général et concepts
Reference number
ISO/IEC 27036-1:2014(E)
©
ISO/IEC 2014
---------------------- Page: 1 ----------------------
ISO/IEC 27036-1:2014(E)
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2014
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
ii © ISO/IEC 2014 – All rights reserved
---------------------- Page: 2 ----------------------
ISO/IEC 27036-1:2014(E)
Contents Page
Foreword .iv
Introduction .v
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Symbols and abbreviated terms . 3
5 Problem definition and key concepts . 4
5.1 Motives for establishing supplier relationships . 4
5.2 Types of supplier relationships . 4
5.3 Information security risks in supplier relationships and associated threats . 6
5.4 Managing information security risks in supplier relationships . 9
5.5 ICT supply chain considerations . 9
6 Overall ISO/IEC 27036 structure and overview .10
6.1 Purpose and Structure .10
6.2 Overview of Part 1: Overview and concepts .11
6.3 Overview of Part 2: Requirements .11
6.4 Overview of Part 3: Guidelines for Information and Communication Technology (ICT)
supply chain security .11
6.5 Overview of Part 4: Guidelines for security of cloud services .11
Bibliography .13
© ISO/IEC 2014 – All rights reserved iii
---------------------- Page: 3 ----------------------
ISO/IEC 27036-1:2014(E)
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work. In the field of information technology, ISO and IEC have established a joint technical committee,
ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International
Standards adopted by the joint technical committee are circulated to national bodies for voting.
Publication as an International Standard requires approval by at least 75 % of the national bodies
casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
ISO/IEC 27036-1 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, Security techniques.
ISO/IEC 27036 consists of the following parts, under the general title Information technology — Security
techniques — Information security for supplier relationships:
— Part 1: Overview and concepts
— Part 2: Requirements
— Part 3: Guidelines for information and communication technology supply chain security
— Part 4: Guidelines for security of cloud services
iv © ISO/IEC 2014 – All rights reserved
---------------------- Page: 4 ----------------------
ISO/IEC 27036-1:2014(E)
Introduction
Most (if not all) organizations around the world, whatever their size or domains of activities, have
relationships with suppliers of different kinds that deliver products or services.
Such suppliers can have either a direct or indirect access to the information and information systems
of the acquirer, or will provide elements (software, hardware, processes, or human resources) that
will be involved in information processing. Acquirers can also have physical and/or logical access to
the information of the supplier when they control or monitor production and delivery processes of the
supplier.
Thus, acquirers and suppliers can cause information security risks to each other. These risks need to
be assessed and treated by both acquirer and supplier organizations through appropriate management
of information security and the implementation of relevant controls. In many instances, organizations
have adopted the International Standards of ISO/IEC 27001 and/or ISO/IEC 27002 for the management
of their information security. Such International Standards should also be adopted in managing supplier
relationships in order to effectively control the information security risks inherent in those relationships.
This International Standard provides further detailed implementation guidance on the controls dealing
with supplier relationships that are described as general recommendations in ISO/IEC 27002.
Supplier relationships in the context of this International Standard include any supplier relationship that
can have information security implications, e.g. information technology, healthcare services, janitorial
services, consulting services, R&D partnerships, outsourced applications (ASPs), or cloud computing
services (such as software, platform, or infrastructure as a service).
Both the supplier and acquirer have to take equal responsibility to achieve the objectives in the supplier-
acquirer relationship and adequately address information security risks that can occur. It is expected
that they implement the requirements and guidelines of this International Standard. Furthermore,
fundamental processes should be implemented to support the supplier-acquirer relationship (e.g.
governance, business management, and operational and human resources management). These
processes will provide support in terms of information security as well as the accomplishment of
business objectives.
© ISO/IEC 2014 – All rights reserved v
---------------------- Page: 5 ----------------------
INTERNATIONAL STANDARD ISO/IEC 27036-1:2014(E)
Information technology — Security techniques —
Information security for supplier relationships —
Part 1:
Overview and concepts
1 Scope
This part of ISO/IEC 27036 is an introductory part of ISO/IEC 27036. It provides an overview of the
guidance intended to assist organizations in securing their information and information systems within
the context of supplier relationships. It also introduces concepts that are described in detail in the
other parts of ISO/IEC 27036. This part of ISO/IEC 27036 addresses perspectives of both acquirers and
suppliers.
2 Normative references
The following documents, in whole or in part, are normatively referenced in this document and are
indispensable for its application. For dated references, only the edition cited applies. For undated
references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 27000, Information technology — Security techniques — Information security management
systems — Overview and vocabulary
3 Terms and definitions
For the purposes of this document, the terms and definitions in ISO/IEC 27000 and the following apply.
3.1
acquirer
stakeholder that procures a product or service from another party
Note 1 to entry: Procurement may or may not involve the exchange of monetary funds.
[SOURCE: ISO/IEC 15288:2008, 4.1, modified — Original Note was removed, the word “acquires” was
removed from the definition, and Note 1 to entry was added.]
3.2
acquisition
process for obtaining a product or service
[SOURCE: ISO/IEC 15288:2008, 4.2, modified — The word “system” was removed.]
3.3
agreement
mutual acknowledgement of terms and conditions under which a working relationship is conducted
[SOURCE: ISO/IEC 15288:2008, 4.4]
© ISO/IEC 2014 – All rights reserved 1
---------------------- Page: 6 ----------------------
ISO/IEC 27036-1:2014(E)
3.4
life cycle
evolution of a system, product, service, project, or other human-made entity from conception through
retirement
[SOURCE: ISO/IEC 15288:2008, 4.11]
3.5
downstream
handling processes and movements of products and services that occur after an entity in the supply
chain takes custody of the products and responsibility for services
[SOURCE: ISO 28001:2007, 3.10, modified — The word “goods” was replaced by “products and services”,
and the definition was changed to better reflect this change in focus.]
3.6
outsourcing
acquisition of services (with or without products) in support of a business function for performing
activities using supplier’s resources rather than the acquirer’s
3.7
process
set of interrelated or interacting activities which transforms inputs into outputs
[SOURCE: ISO 9000:2005, 3.4.1, modified — Notes were removed.]
3.8
stakeholder
individual or organization with interest in an asset in the supplier relationship
Note 1 to entry: For the purpose of this International Standard, an asset is information associated with products
and services.
3.9
supplier
organization or an individual that enters into agreement with the acquirer for the supply of a product
or service
Note 1 to entry: Other terms commonly used for supplier are contractor, producer, seller, or vendor.
Note 2 to entry: The acquirer and the supplier can be part of the same organization.
Note 3 to entry: Types of suppliers include those organizations that permit agreement negotiation with an acquirer
and those that do not permit negotiation with agreements, e.g. end-user license agreements, terms of use, or open
source products copyright or intellectual property releases.
[SOURCE: ISO/IEC 15288:2008, 4.30, modified — Note 3 to entry was added.]
3.10
supplier relationship
agreement or agreements between acquirers and suppliers to conduct business, deliver products or
services, and realize business benefit
2 © ISO/IEC 2014 – All rights reserved
---------------------- Page: 7 ----------------------
ISO/IEC 27036-1:2014(E)
3.11
supply chain
set of organizations with linked set of resources and processes, each of which acts as an acquirer,
supplier, or both to form successive supplier relationships established upon placement of a purchase
order, agreement, or other formal sourcing agreement
Note 1 to entry: A supply chain can include vendors, manufacturing facilities, logistics providers, distribution
centres, distributors, wholesalers, and other organizations involved in the manufacturing, processing, design
and development, and handling and delivery of the products, or service providers involved in the operation,
management, and delivery of the services.
Note 2 to entry: The supply chain view is relative to the position of the acquirer.
[SOURCE: ISO 28001:2007, 3.24, modified — The definition was changed to focus more on the organization
and relationships; Note 2 to entry was added.]
3.12
system
combination of interacting elements organized to achieve one or more stated purposes
Note 1 to entry: A system can be considered as a product or as the services it provides.
Note 2 to entry: In practice, the interpretation of its meaning is frequently clarified by the use of an associative
noun, e.g. aircraft system. Alternatively, the word “system” can be substituted simply by a context-dependent
synonym, e.g. aircraft, though this can then obscure a system principles perspective.
[SOURCE: ISO/IEC 15288:2008, 4.31]
3.13
trust
relationship between two entities and/or elements, consisting of a set of activities and a security policy
in which element x trusts element y if and only if x has confidence that y will behave in a well-defined
way (with respect to the activities) that does not violate the given security policy
[SOURCE: ISO/IEC 13888-1:2009, 3.59, modified — The note was removed.]
3.14
upstream
handling processes and movements of products and services that occur before an entity in the supply
chain takes custody of the products and responsibility for information and communication technology
(ICT) services
[SOURCE: ISO 28001:2007, 3.27, modified — The word “goods” was replaced by “products and services”,
and the definition was changed to better reflect this change in focus.]
3.15
visibility
property of a system or process that enables system elements and processes to be documented and
available for monitoring and inspection
4 Symbols and abbreviated terms
The following symbols and abbreviated terms are used in this International Standard:
API Application Programming Interface
ASP Application Service Provider
BCP Business Continuity Plan(ning)
BPaaS Business Process as a Service
© ISO/IEC 2014 – All rights reserved 3
---------------------- Page: 8 ----------------------
ISO/IEC 27036-1:2014(E)
IaaS Infrastructure as a Service
ICT Information and Communication Technology
PaaS Platform as a Service
R&D Research & Development
SaaS Software as a Service
5 Problem definition and key concepts
5.1 Motives for establishing supplier relationships
Organizations often choose to form and/or retain supplier relationships for a variety of business reasons
to take advantage of the benefits they can provide. The following summarizes potential motivations for
establishing a supplier relationship:
a) Focusing internal resources on core business functions which can result in a cost reduction and
improved return on investment (e.g. outsourcing ICT services).
b) Acquiring a short-term or highly specialized competency that an organization does not already
possess (e.g., hiring an advertising firm) to achieve certain business objectives.
c) Acquiring a utility or basic service that is common or readily available (e.g. electric power and
telecommunications) that cannot efficiently be provided by the organization.
d) Enabling business operations in a different geographical location.
e) Acquiring new or replacement ICT equipment or services (e.g. laptops, printers, servers, routers,
software applications, storage capacity, network connectivity, ICT managing services etc.) that
enable workforce productivity and other business computing needs.
Suppliers can provide a multitude of products or services, including IT outsourcing, professional
services, basic utilities (equipment maintenance service, security guards service, cleaning and delivering
services etc.), cloud computing services, information and communication technology (ICT), knowledge
management, R&D, manufacturing, logistics, health care services, Internet services, and many others.
5.2 Types of supplier relationships
5.2.1 Supplier relationships for products
When an acquirer enters a supplier relationship for products, it typically purchases products with
agreed specifications for a predetermined period for manufacturing the acquirer’s products.
The supplier can have access to the acquirer’s information when delivering and supporting the product
which can result in information security risks to the acquirer’s information. Failures to fulfil requirements,
software vulnerabilities and malfunctions of products and inadvertent release of sensitive information
can also cause information security risks to the acquirer.
To manage these information security risks, the acquirer may wish to control supplier’s access to the
acquirer’s information. The acquirer may also wish to control elements of the supplier’s production
processes to maintain quality of the products and to reduce information security risks derived from
vulnerabilities, malfunctions or other failures to fulfil requirements. This, in turn, can pose information
security risks to the supplier because the acquirer can have access to the supplier’s information when
controlling elements of the supplier’s processes.
Further, the acquirer may wish to have assurances regarding the specification of products, by monitoring
or auditing of the production processes or requiring the supplier to obtain an independent certification
4 © ISO/IEC 2014 – All rights reserved
---------------------- Page: 9 ----------------------
ISO/IEC 27036-1:2014(E)
to demonstrate existence of good practices and required processes. These assurance requirements need
be agreed between the acquirer and supplier.
5.2.2 Supplier relationships for services
When an acquirer procures services, the supplier generally has access to the acquirer’s information. This
causes potential information security risks to the acquirer. In the case of business process outsourcing,
e.g. that of marketing, call centre operation or the organization’s ICT infrastructure, a significant
portion of the acquirer’s critical business information can be put under management of the supplier.
Other kinds of services have generally limited access to the acquirer’s information, such as food services
and janitorial services.
Delivery of some services requires the acquirer’s information to be located within acquirer’s premises
and to be accessed onsite or remotely by the supplier. In other cases, acquirer’s information is located at
the supplier’s site. These specific conditions can impact selection of controls applicable to the acquirer
or supplier. See Table 2 for examples of how location can have an impact on supplier’s accesses to the
acquirer’s information.
When acquiring services, acquirers should establish rules for how to control supplier access to acquirer’s
information. The acquirer may also wish to control the quality of the service to reduce information
security risks, including the ability to meet availability requirements over time. A service level agreement
is a general way of agreeing on the quality of service. For the supplier, a service level agreement can be a
tool for communicating how the supplier will satisfy quality expectations to the acquirer.
The acquirer may wish to have assurance regarding the quality of the service by monitoring or auditing
the supplier service processes or requiring the supplier to obtain a certification to demonstrate existence
of good practices or required processes. These assurance requirements need also be agreed between
the parties.
5.2.3 ICT supply chain
ICT supply chain is a set of organizations with a linked set of resources and processes that form successive
supplier relationships of ICT products and services. An ICT product or service can be composed of
components, resources and processes produced by a supplier which can have been produced, in whole
or in part, by another supplier. As such, an ICT service, in its entirety, may have been sourced by multiple
suppliers. As depicted in Figure 1, an organization in an ICT supply chain is an acquirer in relation to
the upstream organization, and a supplier in relation with downstream organization. The adjacent
downstream organization is often called a customer from the perspective of the organization that
provides products or services to it. The customer at the end of the ICT supply chain is referred to as an
end customer, or consumer. Generally, the end customer has limited control over their direct supplier’s
information security requirements and no control over information security requirements beyond the
direct supplier.
© ISO/IEC 2014 – All rights reserved 5
---------------------- Page: 10 ----------------------
ISO/IEC 27036-1:2014(E)
End
Supplier’s
Supplier’s Customer
Supplier’s Supplier Acquirer Customer
Suppliers
Suppliers
(Consumer)
. . Tier 2 Tier 1
Organization
Upstream Downstream
From Sourcing to Completion
Figure 1 — Supply Chain Relationships
Acquirers and suppliers throughout the ICT supply chain inherit information security risks associated
with individual supplier relationships for products and services (see 5.2.1 and 5.2.2). However, it
is challenging for acquirers to manage these information security risks through communicating,
monitoring, and enforcing their information security throughout the ICT supply chain due to limited
visibility into and access to their suppliers’ suppliers.
5.2.4 Cloud computing
Cloud computing is a form of a supplier relationship, in that, a cloud computing service, in its entirety, may
have been sourced from multiple suppliers. The purpose of cloud computing is to enable utility-based or
per-use computing and storage services and capabilities based on business requirements for scalability,
availability and elasticity service expectations. In a cloud computing service, a supplier is commonly
referred to as the cloud service provider and the acquirer referred to as the cloud service customer.
In some cases, the cloud service provider delegates the management or control over components,
resources and processes to the cloud service customer in an environment potentially shared with other
cloud service customers, commonly referred to as a multi-tenant cloud environment. ICT supply chain
security considerations also apply when cloud computing services form an ICT supply chain, e.g., when
a customer uses a SaaS built on top of IaaS.
5.3 Information security risks in supplier relationships and associated threats
Information security risks in supplier relationships are a matter of concern, not only for the acquirer and
supplier, but also for customers and other interested parties. It is a question of trust in business activities
in society. Both the supplier and acquirer should consider the inherent and residual information security
risks associated with establishing a supplier relationship.
Acquirer and supplier are equally responsible for making their agreement trustworthy and for managing
their information security risks which includes establishing delineated roles and responsibility for
information security and implementation of controls.
Each supplier relationship within an organization is established for a specific purpose. The number of
such relationships is likely to grow over time resulting in those relationships not being well managed
or controlled by acquirers. Specifically, large organizations tend to have a significant number of
supplier relationships that were established by different internal entities using a variety of processes
6 © ISO/IEC 2014 – All rights reserved
---------------------- Page: 11 ----------------------
ISO/IEC 27036-1:2014(E)
and arrangements. Many of these relationships have extended supply chains with multiple layers. This
multiplicity can result in making it increasingly more difficult for an organization to ensure that the
information security risks created by those supplier relationships are appropriately addressed.
The supply and support of a product or service can be dependent upon either the acquirer or supplier
transfer of information and/or information systems to the other party. This information needs to be
appropriately protected through establishing an agreement among acquirers and suppliers. This
agreement should state the mutually acceptable set of controls and responsibility for implementation.
Lack of such agreement may have an impact on acquirer’s or supplier’s information security in the
following ways:
a) Disparate acquirer and supplier information security governance, risk tolerance and compliance
practices or different cultural or organizational attitudes resulting in gaps in security requirements
and controls between acquirer and supplier.
b) Reliance on supplier’s services and capabilities designed to ensure compliance with acquirer‘s own
information security requirements resulting in unintended controls dependencies.
c) Conflicting or different acquirer and supplier information security controls that interfere or weaken
the information security of the other party.
Supplier relationships may create a number of information security risks for both acquirers and
suppliers. The following are examples of such risks that should be considered throughout the life cycle
of a supplier relationship – from planning to termination:
a) Lack or weakness of governance:
1) Acquirers lose control over how their information is stored, processed, transmitted, created,
modified and destroyed.
2) Suppliers, unless specifically prohibited by the agreement, may outsource a subset of resources
and processes to another supplier, thus reducing or limiting the acquirer’s control, and
potentially exposing the acquirer to further risks.
b) Miscommunication and misunderstanding:
1) Controls put in place by the supplier do not address the risks identified by the acquirer, leaving
the acquirer vulnerable to risks presumed to be addressed and managed by the supplier.
2) Confidentiality, integrity and availability requirements of the acquirer may not be communicated
properly to the suppler and hence not correctly met.
3) Requirements concerning availability/BCP for information or information systems that support
the on-time and on-delivery of products or services by the supplier to the acquirer cannot be
specified, leading to interruptions in supply.
4) Suppliers fail to allocate sufficient resources, including skilled staff, to protect the acquirer’s
information.
c) Geographical, social and cultural differences:
1) The acquirer is inadvertently in breach of legislation or regulation, leading to reputational
damage and financial penalties.
2) Reference to a law or a standard as a requirement in an agreement allows for misinterpretation
by acquirer and supplier which results in a dispute.
3) The service is provided in a location either unknown to or not permitted by the acquirer, leading
to violations of acquirer’s regulatory or compliance requirements.
Specific information security risks to acquirer’s and/or supplier’s information and information systems
can be directly correlated with inadequate control awareness, ownership and accountability. Such risks
© ISO/IEC 2014 – All rights reserved 7
---------------------- Page: 12 ----------------------
ISO/IEC 27036-1:2014(E)
may be applicable to the supply of both products and services. Table 1 provides examples of information
security risks related to acquiring products. Information security risks associated with services are
usually caused by supplier access to information or information systems. Table 2 provides examples of
risks related to supplier’s access to acquirer’s information and information systems.
Table 1 — Example information security risks for acquiring products
No. Type Description
Information secu- In the case where supplied products have a vulnerability, the acquirer’s derived
1
rity feature products, services or proce
...
DRAFT INTERNATIONAL STANDARD ISO/IEC DIS 27036-1
ISO/IEC JTC 1 Secretariat: ANSI
Voting begins on Voting terminates on
2013-01-17 2013-04-17
INTERNATIONAL ORGANIZATION FOR STANDARDIZATION • МЕЖДУНАРОДНАЯ ОРГАНИЗАЦИЯ ПО СТАНДАРТИЗАЦИИ • ORGANISATION INTERNATIONALE DE NORMALISATION
INTERNATIONAL ELECTROTECHNICAL COMMISSION • МЕЖДУНАРОДНАЯ ЭЛЕКТРОТЕХНИЧЕСКАЯ КОММИСИЯ • COMMISSION ÉLECTROTECHNIQUE INTERNATIONALE
Information technology — Security techniques — Information
security for supplier relationships —
Part 1:
Overview and concepts
Technologies de l'information — Techniques de sécurité — Sécurité d'information pour la relation avec le
fournisseur —
Partie 1: Aperçu général et concepts
ICS 35.040
To expedite distribution, this document is circulated as received from the committee
secretariat. ISO Central Secretariat work of editing and text composition will be undertaken at
publication stage.
Pour accélérer la distribution, le présent document est distribué tel qu'il est parvenu du
secrétariat du comité. Le travail de rédaction et de composition de texte sera effectué au
Secrétariat central de l'ISO au stade de publication.
THIS DOCUMENT IS A DRAFT CIRCULATED FOR COMMENT AND APPROVAL. IT IS THEREFORE SUBJECT TO CHANGE AND MAY NOT BE
REFERRED TO AS AN INTERNATIONAL STANDARD UNTIL PUBLISHED AS SUCH.
R PURPOSES,
IN ADDITION TO THEIR EVALUATION AS BEING ACCEPTABLE FOR INDUSTRIAL, TECHNOLOGICAL, COMMERCIAL AND USE
DRAFT INTERNATIONAL STANDARDS MAY ON OCCASION HAVE TO BE CONSIDERED IN THE LIGHT OF THEIR POTENTIAL TO BECOME
STANDARDS TO WHICH REFERENCE MAY BE MADE IN NATIONAL REGULATIONS.
RECIPIENTS OF THIS DRAFT ARE INVITED TO SUBMIT, WITH THEIR COMMENTS, NOTIFICATION OF ANY RELEVANT PATENT RIGHTS OF WHICH
THEY ARE AWARE AND TO PROVIDE SUPPORTING DOCUMENTATION.
International Organization for Standardization, 2013
©
International Electrotechnical Commission, 2013
---------------------- Page: 1 ----------------------
ISO/IEC DIS 27036-1
Copyright notice
This ISO document is a Draft International Standard and is copyright-protected by ISO. Except as permitted
under the applicable laws of the user's country, neither this ISO draft nor any extract from it may be
reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic,
photocopying, recording or otherwise, without prior written permission being secured.
Requests for permission to reproduce should be addressed to either ISO at the address below or ISO's
member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Reproduction may be subject to royalty payments or a licensing agreement.
Violators may be prosecuted.
ii © ISO/IEC 2013 — All rights reserved
---------------------- Page: 2 ----------------------
ISO/IEC DIS 27036-1
Contents Page
Foreword . iv
Introduction . v
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Symbols and abbreviated terms . 3
5 Problem definition and key concepts . 3
5.1 Motives for establishing supplier relationships . 3
5.2 Types of supplier relationships . 4
5.2.1 Supplier relationships for products . 4
5.2.2 ICT supply chain . 5
5.2.3 Cloud computing . 5
5.3 Information security risks in supplier relationships and associated threats . 6
5.4 Managing information security risks in supplier relationships . 8
5.5 ICT supply chain considerations . 9
6 Overall ISO/IEC 27036 structure and overview . 10
6.1 Purpose and Structure . 10
6.2 Overview of Part 1: Overview and concepts . 10
6.3 Overview of Part 2: Requirements . 10
6.4 Overview of Part 3: Guidelines for Information and Communication Technology (ICT)
supply chain security . 10
6.5 Overview of Part 4: Guidelines for security of cloud services . 11
Bibliography . 12
© ISO/IEC 2012 – All rights reserved iii
---------------------- Page: 3 ----------------------
ISO/IEC DIS 27036-1
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are members of
ISO or IEC participate in the development of International Standards through technical committees
established by the respective organization to deal with particular fields of technical activity. ISO and IEC
technical committees collaborate in fields of mutual interest. Other international organizations, governmental
and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information
technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International
Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as
an International Standard requires approval by at least 75 % of the national bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
ISO/IEC 27036-1 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, Security techniques.
ISO/IEC 27036 consists of the following parts, under the general title Information technology — Security
techniques — Information security for supplier relationships:
⎯ Part 1: Overview and concepts
⎯ Part 2: Requirements
⎯ Part 3: Guidelines for Information and Communication Technology (ICT) supply chain security
— Part 4: Guidelines for security of cloud services.
iv © ISO/IEC 2012 – All rights reserved
---------------------- Page: 4 ----------------------
ISO/IEC DIS 27036-1
Introduction
Most (if not all) organizations around the world, whatever their size or domains of activities, have relationships
with suppliers of different kinds that deliver products or services.
Such suppliers may have either a direct or indirect access to the information and information systems of the
acquirer, or will provide elements (software, hardware, processes or human resources) that will be involved in
information processing. Acquirers may also have physical and/or logical access to the information of the
supplier when they control or monitor production and delivery processes of the supplier.
Thus, acquirers and suppliers can cause information security risks to each other. These risks need to be
assessed and treated by both acquirer and supplier organizations through appropriate management of
information security and the implementation of relevant controls. In many instances, organizations have
adopted the International Standards of ISO/IEC 27001 and/or ISO/IEC 27002 for the management of their
information security. Such International Standards should also be adopted in managing supplier relationships
in order to effectively control the information security risks inherent in those relationships.
This International Standard provides further detailed implementation guidance on the controls dealing with
supplier relationships that are described as general recommendations in ISO/IEC 27002.
Supplier relationships in the context of this International Standard include any supplier relationship that can
have information security implications, e.g., janitorial services, consulting services, R&D partnerships,
outsourced applications (ASPs) or cloud computing services (such as Software, Platform or Infrastructure as a
Service).
This International Standard describes the information security issues from both the acquirer’s and supplier’s
perspectives. Both the supplier and acquirer are expected to implement a number of fundamental processes
(e.g. governance, business management, operational and human resources management) that support the
accomplishment of business objectives and the achievement of objectives in the supplier / acquirer
relationship to adequately address information security risks in accordance with the requirements and
guidelines of this International Standard.
© ISO/IEC 2012 – All rights reserved v
---------------------- Page: 5 ----------------------
DRAFT INTERNATIONAL STANDARD ISO/IEC DIS 27036-1
Information technology — Security techniques — Information
security for supplier relationships — Part 1: Overview and
concepts
1 Scope
This international standard is an introductory part of the multipart standard, ISO/IEC 27036, Information
Security for Supplier Relationships. This standard, which is Part 1 of the multipart standard, provides an
overview of the guidance intended to assist organizations in securing their information and information
systems within the context of supplier relationships. It also introduces concepts that will be described in detail
in the other parts of the ISO/IEC 27036. This standard addresses perspectives of both acquirers and suppliers.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated
references, only the edition cited applies. For undated references, the latest edition of the referenced
document (including any amendments) applies.
ISO/IEC 27000, Information technology -- Security techniques -- Information security management systems —
Overview and vocabulary
ISO/IEC 27001, Information technology – Security techniques – Information security management systems —
Requirements
ISO/IEC 27002, Information technology – Security techniques – Code of practice for information security
controls
ISO/IEC 27005, Information technology – Security techniques – Information security risk management
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 27000 and the following apply.
3.1
acquirer
organization or an individual that procures a product or service from another party [adopted from ISO/IEC
15288]
NOTE 1 Stakeholder is an organization or an individual when used in ISO/IEC 27036.
NOTE 2 Procurement may or may not involve the exchange of monetary funds.
3.2
acquisition
the process for obtaining a product or service [adopted from ISO/IEC 15288]
© ISO/IEC 2012 – All rights reserved 1
---------------------- Page: 6 ----------------------
ISO/IEC DIS 27036-1
3.3
agreement
mutual acknowledgement of terms and conditions under which a working relationship is conducted [ISO/IEC
15288]
3.4
lifecycle
evolution of a system, product, service, project or other human-made entity from conception through
retirement [ISO/IEC 15288]
3.5
downstream
refers to the handling, processes and movements of products and services that occur after an entity in the
supply chain takes custody of the products and responsibility for services [adopted from ISO 28001]
3.6
outsourcing
acquisition of services (with or without products) in support of a business function for performing activities
using supplier’s resources rather than the acquirer’s
3.7
process
set of interrelated or interacting activities which transforms inputs into outputs [ISO 9000:2005]
3.8
supplier
organization or an individual that enters into agreement with another party for the supply of a product or
service [ISO/IEC 15288]
NOTE Types of suppliers include those organizations that permit agreement negotiation with an acquirer and those
that do not permit negotiation with agreements, e.g., end-user license agreements, terms of use, or open source products
copyright or intellectual property releases.
3.9
supplier relationship
agreement or agreements between acquirers and suppliers to conduct business, deliver products or services
and realize business benefit
3.10
supply chain
set of organizations with linked set of resources and processes, each of which acts as an acquirer, supplier or
both to form successive supplier relationships established upon placement of a purchase order, agreement or
other formal sourcing agreement [adopted from ISO 28001]
NOTE 1 A supply chain can include vendors, manufacturing facilities, logistics providers, distribution centers,
distributors, wholesalers and other organizations involved in the manufacturing, processing, design and development,
handling and delivery of the products, or service providers involved in the operation, management and delivery of the
services.
NOTE 2 The supply chain view is relative to the position of the acquirer.
3.11
system
combination of interacting elements organized to achieve one or more stated purposes
NOTE 1 A system can be considered as a product or as the services it provides.
NOTE 2 In practice, the interpretation of its meaning is frequently clarified by the use of an associative noun, e.g.,
aircraft system. Alternatively, the word “system” may be substituted simply by a context-dependent synonym, e.g., aircraft,
though this can then obscure a system principles perspective. [ISO/IEC 15288]
2 © ISO/IEC 2012 – All rights reserved
---------------------- Page: 7 ----------------------
ISO/IEC DIS 27036-1
3.12
trust
relationship between two entities and/or elements, consisting of a set of activities and a security policy in
which element ‘x’ trusts element ‘y’ if and only if ‘x’ has confidence that ‘y’ will behave in a well-defined way
(with respect to the activities) that does not violate the given security policy [adopted from ISO/IEC 10181-1,
3.3.28, ISO/IEC 13888-1]
3.13
upstream
refers to the handling, processes and movements of products and services that occur before an entity in the
supply chain takes custody of the products and responsibility for ICT services [adopted from ISO 28001]
3.14
visibility
property of a system or process that enables system elements and processes to be documented and available
for monitoring and inspection
4 Symbols and abbreviated terms
The following symbols (and abbreviated terms) are used in this standard:
ICT Information and Communication Technologies
RFP Request for Proposal
ASP Application Service Provider
SaaS Software as a Service
PaaS Platform as a Service
IaaS Infrastructure as a Service
BPaaS Business Process as a Service
BCP Business Continuity Plan(ning)
R&D Research & Development
NDA Non-Disclosure Agreement
5 Problem definition and key concepts
5.1 Motives for establishing supplier relationships
Organizations often choose to form and/or retain supplier relationships for a variety of business reasons to
take advantage of the benefits they can provide. The following summarizes potential motivations for
establishing a supplier relationship:
a) Focusing internal resources on core business functions which can result in a cost reduction and improved
return on investment (e.g., outsourcing IT services).
b) Acquiring a short-term or highly specialized competency that an organization does not already possess
(e.g., hiring an advertising firm).
© ISO/IEC 2012 – All rights reserved 3
---------------------- Page: 8 ----------------------
ISO/IEC DIS 27036-1
c) Acquiring a utility or basic service that is common or readily available (e.g., electric power and
telecommunications).
d) Enabling business operations in a different geographical location.
e) Acquiring new or replacement ICT equipment or services (e.g. laptops, printers, servers, routers).
Suppliers can provide a multitude of products or services, including IT outsourcing, professional services,
basic utilities (equipment maintenance service, security guards service, cleaning and delivering services etc.),
cloud computing services, Information and Telecommunication Technology (ICT), knowledge management,
R&D, manufacturing, logistics, health care services, Internet services, and many others.
5.2 Types of supplier relationships
5.2.1 Supplier relationships for products
When an acquirer enters a supplier relationship for products, it typically purchases products with agreed
specifications for a predetermined period for manufacturing the acquirer’s products.
The supplier may have access to the acquirer’s information when delivering and supporting the product which
can result in information security risks to the acquirer’s information. These risks can include failures to fulfil
requirements, software vulnerabilities, malfunctions, inadvertent release of sensitive information, or other
causes.
To manage these information security risks, the acquirer may wish to control supplier’s access to the
acquirer’s information. The acquirer may also wish to control elements of the supplier’s production processes
to maintain quality of the products and to reduce information security risks derived from vulnerabilities,
malfunctions or other failures to fulfil requirements. This, in turn, can pose information security risks to the
supplier because the acquirer may have access to the supplier’s information when controlling elements of the
supplier’s processes.
Further, the acquirer may wish to have assurances regarding the specification of products, by
monitoring or auditing of the production processes or requiring the supplier to obtain an independent
certification to demonstrate existence of good practices and required processes. These assurance
requirements need be agreed between the parties.5.2.2 Supplier relationships for services
When an acquirer procures services, the supplier generally has access to the acquirer’s information. This
causes potential information security risks to the acquirer. In the case of business process outsourcing, e.g.,
that of marketing, call centre operation or the organization’s ICT infrastructure, a significant portion of the
acquirer’s critical business information can be put under management of the supplier. Other kinds of services
have generally limited access to the acquirer’s information, such as food services and janitorial services.
Delivery of some services may require the acquirer’s information to be located within acquirer’s premises and
to be accessed onsite or remotely by the supplier. In other cases, acquirer’s information may be located at the
supplier’s site. These specific conditions can impact selection of controls applicable to the acquirer or supplier.
See Table 1 for examples of how location may have an impact supplier accesses to acquirer information.
When acquiring services, acquirers should establish rules for how to control supplier access to acquirer’s
information. The acquirer may also wish to control the quality of the service to reduce information security
risks including ability to meet availability requirements over time. Service level agreement is a general way of
agreeing on the quality of service. For the supplier, service level agreement can be a tool for communicating
how the supplier will satisfy quality expectations to the acquirer.
The acquirer may wish to have assurance regarding the quality of the service by monitoring or auditing the
supplier service processes or requiring the supplier to obtain certification to demonstrate existence of good
practices or required processes. These assurance requirements need also be agreed between the parties.
4 © ISO/IEC 2012 – All rights reserved
---------------------- Page: 9 ----------------------
ISO/IEC DIS 27036-1
5.2.2 ICT supply chain
ICT supply chain is a set of organizations with a linked set of resources and processes that form successive
supplier relationships of ICT products and services. An ICT product or service can be composed of
components, resources and processes produced by a supplier which may have been produced, in whole or in
part, by another supplier. As such, an ICT service, in its entirety, may have been sourced by multiple suppliers.
As depicted in Figure 1, an organization in an ICT supply chain is an acquirer in relation to the upstream
organization, and a supplier in relation with downstream organization. The adjacent downstream organization
is often called a customer from the perspective of the organization that provides products or services to it. The
customer at the end of the ICT supply chain is referred to as an end customer, or consumer, and in general,
does not have control over or dictate the supplier’s information security requirements.
Figure 1 — Supply Chain Relationships
ICT supply chain inherits each of information security risks of the supplier relationships for products
and services (see 5.2.1 and 5.2.2). Additionally, ICT supply chain poses specific information security
risks to the acquirers and suppliers participating in the ICT supply chain. Lack of direct management of
suppliers or other suppliers in the supply chain can introduce additional information security risks to the
acquirer and intermediate suppliers. The acquirer’s enforcement of the source suppliers’ controls can be
more difficult in an ICT supply chain environment. This requires a management and communication between
acquirers and suppliers within the ICT supply chain context to appropriately manage the information
security risks.
5.2.3 Cloud computing
Cloud computing is a form of a supplier relationship, in that, a cloud computing service, in its entirety, may be
sourced from multiple suppliers. The purpose of cloud computing is to enable utility based or per-use compute
and storage services and capabilities based on business requirements for scalability, availability and elasticity
service expectations. In a cloud computing service, a supplier is commonly referred to as the cloud service
provider and the acquirer referred to as the cloud service customer. In some cases, the cloud service provider
delegates the management or control over components, resources and processes to the cloud service
customer in an environment potentially shared by another cloud service customer, commonly referred to as a
multi-tenant cloud environment. Similarly to general ICT supply chain, it is therefore incumbent upon both the
supplier and acquirer to manage information security risks introduced as a result of a shared compute and
storage model in the ICT supply chain involving any of the cloud service delivery model, i.e., IaaS, PaaS and
SaaS.
© ISO/IEC 2012 – All rights reserved 5
---------------------- Page: 10 ----------------------
ISO/IEC DIS 27036-1
5.3 Information security risks in supplier relationships and associated threats
Information security risks in supplier relationships are a matter of concern, not only for the acquirer and
supplier, also for customers and other interested parties. It is a question of trust in business activities in
society. Both the supplier and acquirer should consider the inherent and residual information security risks
associated with establishing a supplier relationship.
Acquirer and supplier are equally responsible for making their agreement trustworthy and for managing their
information security risks which includes establishing delineated roles and responsibility for information
security and implementation of controls.
While each supplier relationship of an organization is established for a specific purpose, the number of such
relationships tends to grow over time and are not always well managed or controlled by acquirers. Specifically,
large organizations tend to have a significantly high number of supplier relationships that were established by
different internal entities using a variety of processes and arrangements. Within many of these supplier
relationships also exist multiple layers of the supply chain. This multiplicity can result in making it increasingly
more difficult for an organization to ensure that the information security risks created by those supplier
relationships have been appropriately addressed.
The supply and support of a product or service may be dependent upon either the acquirer or supplier transfer
of information and/or information systems to the other party, resulting in the lack of clarity and impacts of the
effectiveness of either organizations’ established information security management and controls
implementation. When an organization establishes a supplier relationship, the acquirer and supplier should
agree on a mutually acceptable set of controls and responsibility for implementation; otherwise, they may
experience the following:
a) Gaps in controls due to different information security requirements possibly related to different
governance, risk tolerance and compliance practices or different cultural or organizational attitudes
between the acquirer and supplier.
b) Control dependencies due to reliance upon external business capabilities designed to ensure the
compliance with acquirer’s own information security requirements.
c) Conflicting or different controls that interfere or weaken the acquirer’s information security.
These and other concerns should be considered throughout the lifecycle of a supplier relationship – from
relationship planning to termination exit to address the following information security risks:
a) Lack or weakness of governance:
1) Acquirers lose control over how their information is stored, processed, transmitted, created, modified
and destroyed.
2) Suppliers, unless specifically included in the agreement, may outsource a subset of resources and
processes to another supplier, thus reducing or limiting the acquirer’s control, and potentially
exposing the acquirer to further risk and / or exposure.
b) Miscommunication and misunderstanding:
1) Controls put in place by the supplier do not address the risks identified by the acquirer, leaving the
acquirer vulnerable to risks presumed to be addressed and managed by the supplier.
2) Confidentiality, integrity and availability requirements of the acquirer may not be communicated
properly to the suppler and hence not correctly met.
3) Requirements concerning availability / BCP for information or information systems that support the
on-time and on-delivery of products or services by the supplier to the acquirer cannot be specified,
leading to interruptions in supply.
6 © ISO/IEC 2012 – All rights reserved
---------------------- Page: 11 ----------------------
ISO/IEC DIS 27036-1
4) Suppliers fail to allocate sufficient resources, including skilled staff, to protect the acquirer’s
information.
c) Geographical, social and cultural differences:
1) The acquirer is inadvertently in breach of legislation or regulation, leading to reputational damage
and financial penalties.
2) Reference to a law or a standard as a requirement in an agreement allows for misinterpretation by
acquirer and supplier and subsequent dispute.
3) Acquirer may delegate responsibility for information security and implementation of controls in an
agreement while still accountable, thus putting the acquirer’s goodwill at risk in event of a security
breach on the supplier side.
4) The service can be provided in a location either unknown or not permitted by the acquirer, leading to
breaches of legislation or regulation.
Specific information security risks to acquirer’s and/or supplier’s information and information systems can be
directly correlated with inadequate control awareness, ownership and accountability. Examples of such issues
may be applicable to the supply of both products and services.
...
Questions, Comments and Discussion
Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.