Cybersecurity — Supplier relationships — Part 3: Guidelines for hardware, software, and services supply chain security

This part of ISO/IEC 27036 provides product and service acquirers and suppliers of hardware, software, and services with guidance on: a) gaining visibility into and managing the information security risks caused by physically dispersed and multi-layered hardware, software, and services supply chains; b) responding to risks stemming from this physically dispersed and multi-layered hardware, software, and services supply chain that can have an information security impact on the organizations using these products and services; c) integrating information security processes and practices into the system and software life cycle processes described in ISO/IEC 15288 and ISO/IEC 12207, while supporting the information security controls described in ISO/IEC 27002. This part of ISO/IEC 27036 does not include business continuity management/resiliency issues involved with the hardware, software, and services supply chain; ISO/IEC 27031 addresses information and communication technology readiness for business continuity.

Cybersécurité — Relations avec le fournisseur — Partie 3: Lignes directrices pour la sécurité de la chaîne de fourniture en matériel, logiciels et services

General Information

Status: Not Published
Current Stage: 5020 - FDIS ballot initiated: 2 months. Proof sent to secretariat
Start Date: 08-Feb-2023
Completion Date: 08-Feb-2023

Buy Standard

Draft: REDLINE ISO/IEC FDIS 27036-3 - Cybersecurity — Supplier relationships — Part 3: Guidelines for hardware, software, and services supply chain security. Released: 25.01.2023. English language, 35 pages.
Draft: ISO/IEC FDIS 27036-3 - Cybersecurity — Supplier relationships — Part 3: Guidelines for hardware, software, and services supply chain security. Released: 25.01.2023. English language, 35 pages.

Standards Content (Sample)

© ISO/IEC 2022 – All rights reserved
Date: 2023-01-25
ISO/IEC JTC 1/SC 27 N
ISO/IEC FDIS 27036-3:2023(E)
ISO/IEC JTC 1/SC 27/WG 4
Secretariat: DIN

Cybersecurity — Supplier relationships — Part 3: Guidelines for hardware, software, and services supply chain security
Copyright notice

© ISO/IEC 2023

All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO's member body in the country of the requester.

ISO Copyright Office
CP 401 • CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org

Published in Switzerland.
Contents

Foreword ... v
Introduction ... vi
1 Scope ... 1
2 Normative references ... 1
3 Terms and definitions ... 1
4 Structure ... 2
5 Key concepts ... 3
5.1 Business case for hardware, software, and services supply chain security ... 3
5.2 Hardware, software, and services supply chain risks and associated threats ... 3
5.3 Acquirer and supplier relationship types ... 3
5.4 Organizational capability ... 4
5.5 System life cycle processes ... 5
5.6 ISMS processes in relation to system life cycle processes ... 6
5.7 ISMS controls in relation to hardware, software, and services supply chain security ... 6
5.8 Essential hardware, software, and services supply chain security practices ... 7
6 Hardware, software, and services supply chain security in life cycle processes ... 8
6.1 Agreement processes ... 8
6.1.1 Acquisition process ... 8
6.1.2 Supply process ... 10
6.2 Organizational project-enabling processes ... 12
6.2.1 Life cycle model management process ... 12
6.2.2 Infrastructure management process ... 13
6.2.3 Project portfolio management process ... 13
6.2.4 Human resource management process ... 13
6.2.5 Quality management process ... 14
6.2.6 Knowledge management process ... 15
6.3 Technical management processes ... 15
6.3.1 Project planning process ... 15
6.3.2 Project assessment and control process ... 15
6.3.3 Decision management process ... 16
6.3.4 Risk management process ... 16
6.3.5 Configuration management process ... 17
6.3.6 Information management process ... 18
6.3.7 Measurement process ... 18
6.3.8 Quality assurance process ... 18
6.4 Technical processes ... 18
6.4.1 Business or mission analysis process ... 18
6.4.2 Stakeholder needs and requirements definition process ... 19
6.4.3 System requirements definition process ... 19
6.4.4 System architecture definition process ... 20
6.4.5 Design definition process ... 21
6.4.6 System analysis process ... 22
6.4.7 Implementation process ... 22
6.4.8 Integration process ... 23
6.4.9 Verification process ... 23
6.4.10 Transition process ... 24
6.4.11 Validation process ... 25
6.4.12 Operation process ... 26
6.4.13 Maintenance process ... 26
6.4.14 Disposal process ... 27
Annex A (informative) Correspondence between controls in ISO/IEC 27002 and this document ... 29
Table A.1 — Correspondence between controls in ISO/IEC 27002 and this document ... 29
Annex B (informative) Essential elements of a software bill of materials ... 32
B.1 General ... 32
B.1.1 Overview ... 32
B.1.2 Audience ... 32
B.2 Essential SBoM elements ... 33
B.2.1 Overview ... 33
B.2.2 Author ... 33
B.2.3 Timestamp ... 33
B.2.4 Lifecycle ... 33
B.2.5 Supplier name ... 34
B.2.6 Component name ... 34
B.2.7 Version ... 34
B.2.8 Cryptographic hash ... 34
B.2.9 Unique identifier ... 34
B.2.10 Relationship ... 35
B.2.11 Source ... 35
B.3 Essential SBoM processes ... 36
B.3.1 Overview ... 36
B.3.2 Frequency ... 36
B.3.3 Depth and extent ... 36
B.3.4 Availability ... 36
B.3.5 Errors in SBoMs ... 36
B.3.6 Non-repudiation ... 36
Bibliography ... 38

Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work.

The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types of document should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives or www.iec.ch/members_experts/refdocs).

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents) or the IEC list of patent declarations received (see https://patents.iec.ch).

Any trade name used in this document is information given for the convenience of users and does not constitute an

FINAL DRAFT INTERNATIONAL STANDARD
ISO/IEC FDIS 27036-3
ISO/IEC JTC 1/SC 27
Secretariat: DIN
Voting begins on: 2023-02-08
Voting terminates on: 2023-04-05

Cybersecurity — Supplier relationships — Part 3: Guidelines for hardware, software, and services supply chain security

RECIPIENTS OF THIS DRAFT ARE INVITED TO SUBMIT, WITH THEIR COMMENTS, NOTIFICATION OF ANY RELEVANT PATENT RIGHTS OF WHICH THEY ARE AWARE AND TO PROVIDE SUPPORTING DOCUMENTATION.

IN ADDITION TO THEIR EVALUATION AS BEING ACCEPTABLE FOR INDUSTRIAL, TECHNOLOGICAL, COMMERCIAL AND USER PURPOSES, DRAFT INTERNATIONAL STANDARDS MAY ON OCCASION HAVE TO BE CONSIDERED IN THE LIGHT OF THEIR POTENTIAL TO BECOME STANDARDS TO WHICH REFERENCE MAY BE MADE IN NATIONAL REGULATIONS.

Reference number: ISO/IEC FDIS 27036-3:2023(E)
© ISO/IEC 2023
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2023

All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO's member body in the country of the requester.

ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org

Published in Switzerland
Contents (page)

Foreword  v
Introduction  vi
1 Scope  1
2 Normative references  1
3 Terms and definitions  1
4 Structure  2
5 Key concepts  2
5.1 Business case for hardware, software, and services supply chain security  2
5.2 Hardware, software, and services supply chain risks and associated threats  3
5.3 Acquirer and supplier relationship types  3
5.4 Organizational capability  4
5.5 System life cycle processes  4
5.6 ISMS processes in relation to system life cycle processes  5
5.7 ISMS controls in relation to hardware, software, and services supply chain security  6
5.8 Essential hardware, software, and services supply chain security practices  6
6 Hardware, software, and services supply chain security in life cycle processes  7
6.1 Agreement processes  7
6.1.1 Acquisition process  7
6.1.2 Supply process  9
6.2 Organizational project-enabling processes  11
6.2.1 Life cycle model management process  11
6.2.2 Infrastructure management process  11
6.2.3 Project portfolio management process  12
6.2.4 Human resource management process  12
6.2.5 Quality management process  13
6.2.6 Knowledge management process  13
6.3 Technical management processes  13
6.3.1 Project planning process  13
6.3.2 Project assessment and control process  14
6.3.3 Decision management process  14
6.3.4 Risk management process  14
6.3.5 Configuration management process  15
6.3.6 Information management process  16
6.3.7 Measurement process  16
6.3.8 Quality assurance process  16
6.4 Technical processes  16
6.4.1 Business or mission analysis process  16
6.4.2 Stakeholder needs and requirements definition process  16
6.4.3 System requirements definition process  17
6.4.4 System architecture definition process  18
6.4.5 Design definition process  19
6.4.6 System analysis process  19
6.4.7 Implementation process  19
6.4.8 Integration process  20
6.4.9 Verification process  20
6.4.10 Transition process  21
6.4.11 Validation process  22
6.4.12 Operation process  23
6.4.13 Maintenance process  23
6.4.14 Disposal process  24
Annex A (informative) Correspondence between the controls in ISO/IEC 27002 and this document  26
Annex B (informative) Essential elements of a software bill of materials  29
Bibliography  34

Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work.

The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types of document should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives or www.iec.ch/members_experts/refdocs).

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents) or the IEC list of patent declarations received (see https://patents.iec.ch).

Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.

For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO's adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see www.iso.org/iso/foreword.html. In the IEC, see www.iec.ch/understanding-standards.

ISO/IEC 27036-3 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, Information security, cybersecurity, and privacy protection.

This second edition cancels and replaces the first edition (ISO/IEC 27036-3:2013), which has been technically revised.

The main changes are as follows:

— the structure and content have been aligned with the most recent version of ISO/IEC/IEEE 15288;
— former Annex A has been removed;
— Annex B has been added.

A list of all parts in the ISO/IEC 27036 series can be found on the ISO and IEC websites.

Any feedback or questions on this document should be directed to the user's national standards body. A complete listing of these bodies can be found at www.iso.org/members.html and www.iec.ch/national-committees.

Introduction

Hardware and software products and information technology services are developed, integrated, and delivered globally through deep and physically dispersed supply chains. The supply chain can be a point-to-point or a many-to-many structure and can also be referred to as a supply network. Hardware and software are assembled from many components provided by many suppliers. Information technology services throughout the entire supplier relationship are also delivered through multiple tiers of outsourcing and supply chaining. Acquirers do not have visibility into the practices of hardware, software, and service providers beyond the first or possibly second link of the supply chain. With the substantial increase in the number of organizations and people who "touch" a hardware, software, or service, the visibility into the practices by which these products and services are put together has decreased dramatically. This lack of visibility, transparency, and traceability into the hardware, software and service supply chain poses risks to acquiring organizations.

This document provides guidance to hardware, software and service acquirers and suppliers to reduce or manage information security risk. This document identifies the business case for hardware, software, and service supply chain security, specific risks and relationship types, as well as how to develop an organizational capability to manage information security aspects and incorporate a life cycle approach to manage risks supported by specific controls and practices. Its application is expected to result in:

— increased hardware, software, and services supply chain visibility and traceability to enhance information security capability;

— increased understanding by the acquirers of where their products or services are coming from, and of the practices used to develop, integrate, or operate these products or services, to enhance the implementation of information security requirements;

— in case of an information security compromise, the availability of information about what may have been compromised and who the involved actors may be.

This document is intended to be used by all types of organizations that acquire or supply hardware, software, and services. The guidance is primarily focused on the initial link of the first acquirer and supplier, but the principal steps should be applied throughout the chain, starting when the first supplier becomes an acquirer. This change of roles and applying the same steps for each new acquirer-supplier link in the chain is the essential intention of this document. By following this document, information security implications can be communicated among organizations in the chain. This helps identify information security risks and their causes and may enhance the transparency throughout the chain.

Information security concerns related to supplier relationships cover a broad range of scenarios. Organizations desiring to improve trust within their hardware, software, and services supply chain should define their trust boundaries. They should evaluate the risk associated with their supply chain activities, and then define and implement appropriate risk identification and mitigation techniques to reduce the vulnerabilities being introduced through their hardware, software and services supply chain.

The framework and controls outlined in ISO/IEC 27001 and ISO/IEC 27002 provide a useful starting point for identifying appropriate requirements for acquirers and suppliers. The ISO/IEC 27036 series provides further detail on how to establish and monitor supplier relationships. This document has been structured to be harmonized with ISO/IEC/IEEE 15288 and ISO/IEC/IEEE 12207.

Cybersecurity — Supplier relationships —
Part 3: Guidelines for hardware, software, and services supply chain security

1 Scope

This document provides guidance for product and service acquirers, as well as suppliers of hardware, software and services, regarding:

a) gaining visibility into and managing the information security risks caused by physically dispersed and multi-layered hardware, software, and services supply chains;

b) responding to risks stemming from this physically dispersed and multi-layered hardware, software, and services supply chain that can have an information security impact on the organizations using these products and services;

c) integrating information security processes and practices into the system and software life cycle processes, as described in ISO/IEC/IEEE 15288 and ISO/IEC/IEEE 12207, while supporting information security controls, as described in ISO/IEC 27002.

This document does not include business continuity management/resiliency issues involved with the hardware, software, and services supply chain. ISO/IEC 27031 addresses information and communication technology readiness for business continuity.

2 Normative references

The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

ISO/IEC 27000, Information technology — Security techniques — Information security management systems — Overview and vocabulary

ISO/IEC 27036-1, Cybersecurity — Supplier relationships — Part 1: Overview and concepts

3 Terms and definitions

For the purposes of this document, the terms and definitions given in ISO/IEC 27000, ISO/IEC 27036-1 and the following apply.

ISO and IEC maintain terminology databases for use in standardization at the following addresses:

— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/

3.1
software bill of materials
SBoM
inventory of software components, sub-components and dependencies with associated information

3.2
system element
member of a set of elements that constitute a system

EXAMPLE Hardware, software, data, humans, processes (e.g. processes for providing service to users), procedures (e.g. operator instructions), facilities, materials, and naturally occurring entities or any combination.

Note 1 to entry: A system element is a discrete part of a system that can be implemented to fulfil specified requirements.

[SOURCE: ISO/IEC/IEEE 15288:2015, 4.1.47]

3.3
traceability
property that allows the tracking of the activity of an identity, process, or an element throughout the supply chain

3.4
transparency
property of a system or process to imply openness and accountability

3.5
validation
confirmation, through the provision of objective evidence, that the requirements for a specific intended use or application have been fulfilled

Note 1 to entry: A system is able to accomplish its intended use, goals and objectives (i.e. meet stakeholder requirements) in the intended operational environment. The right system was built.

[SOURCE: ISO/IEC/IEEE 15288:2015, 4.1.53]

3.6
verification
confirmation, through the provision of objective evidence, that specified requirements have been fulfilled

Note 1 to entry: Verification is a set of activities that compares a system or system element against the required characteristics. This includes, but is not limited to, specified requirements, design description and the system itself. The system was built right.

[SOURCE: ISO/IEC/IEEE 15288:2015, 4.1.54]

4 Structure

The structure of this document is harmonized with ISO/IEC/IEEE 15288 and ISO/IEC/IEEE 12207. Clause 6 mirrors the life cycle processes provided in those two standards. This document is also harmonized with ISO/IEC 27002 and references relevant information security controls within the life cycle processes, with the mapping provided in Annex A.

5 Key concepts

5.1 Business case for hardware, software, and services supply chain security

Organizations acquire hardware, software, and services from numerous suppliers who can in turn acquire components from other suppliers. The information security risks associated with these dispersed and multi-layered hardware, software, and services supply chains can be managed through the application of risk management practices and trusted relationships, thereby increasing visibility, traceability and transparency in the hardware, software, and services supply chain.

For example, increased visibility into the hardware, software, and services supply chain is obtained by defining adequate information security and quality requirements, and ongoing monitoring of suppliers and their products and services once a supplier relationship is in operation. Identifying and tracking supply chain entities accountable for quality and security for critical elements provides greater traceability. Establishing contractual requirements and expectations, as well as reviewing processes and practices, provides much needed transparency.

Acquirers should establish an understanding within their organizations regarding the hardware, software, and services supply chain risks and their possible impacts on businesses. Specifically, the acquirer's management should be aware that practices of suppliers throughout the supply chain can have impacts on whether resulting products and services can be trusted to protect the acquirer's business, information, and information systems.

5.2 Hardware, software, and services supply chain risks and associated threats

In a supply chain, information security management of an individual organization (acquirer or supplier) is not sufficient to maintain information security of hardware, software, and services throughout their supply chain. The acquirer's management of the sourcing of suppliers, products or services is essential for information security.

Acquiring hardware, software, and services presents special information security risks to acquirers. As supply chains get more complex and physically dispersed and traverse multiple international and organizational boundaries, specific manufacturing and operation practices applied to individual elements (hardware, software, services, and their components) become more difficult to trace, including identifying the individuals who are accountable for the quality and security of those elements. This creates a general lack of traceability throughout the supply chain, which in turn results in higher risk of compromise to the acquirers' information security and therefore to business operations, from:

— intentional events such as malicious code insertion and presence of counterfeit products in the supply chain;

— unintentional events, such as poor software development practices or software vulnerabilities.

Both intentional and unintentional events can result in a compromise to the acquirer's data and operations including intellectual property theft, data leakage, and reduced ability by acquirers to perform their business functions. Any of these identified concerns, if they were to occur, can harm the reputation of the organization, leading to further impacts such as loss of business.
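The concepts in 3.1 (software bill of materials), 3.3 (traceability) and 5.1/5.2 (visibility beyond the first or second link of the chain) can be made concrete with a small inventory walk. The example below is added here and is not code from this document or from ISO/IEC; the component names, versions, suppliers and the "known vulnerable" list are constructed sample data, and the tier-depth and gap checks are one illustrative way an acquirer might use an SBoM, not a procedure the standard prescribes.

```python
"""Added example (not from ISO/IEC 27036-3): use a minimal software bill of
materials (SBoM) to recover visibility and traceability across a multi-tier
supply chain. All component, supplier and vulnerability data below is
constructed for illustration only."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Component:
    """One SBoM entry: the component, who supplied it, and what it depends on."""
    name: str
    version: str
    supplier: Optional[str]          # None = no accountable supplier recorded
    depends_on: List[str] = field(default_factory=list)


# Constructed sample SBoM. The acquirer contracts only with "vendor-a" (tier 1);
# everything further down the chain is invisible without the SBoM.
SAMPLE_SBOM: Dict[str, Component] = {
    "app":         Component("app", "2.4.0", "vendor-a", ["web-fw", "crypto-lib"]),
    "web-fw":      Component("web-fw", "1.9.3", "vendor-b", ["json-parser", "logger"]),
    "crypto-lib":  Component("crypto-lib", "3.0.1", "vendor-c", ["bignum"]),
    "json-parser": Component("json-parser", "0.8.2", None, []),   # supplier unknown
    "logger":      Component("logger", "4.1.0", "oss-project-x", ["bignum"]),
    "bignum":      Component("bignum", "1.2.7", "oss-project-y", []),
}

# Constructed (name, version) pairs flagged by the organization's own
# vulnerability intelligence. Placeholder data, not real advisories.
KNOWN_VULNERABLE: Set[Tuple[str, str]] = {("json-parser", "0.8.2")}


def tier_map(sbom: Dict[str, Component], root: str) -> Dict[str, int]:
    """Breadth-first walk from the acquired product. Tier 1 is the direct
    supplier's product, tier 2 its dependencies, and so on. A component
    reachable by several paths is assigned its shallowest tier."""
    tiers = {root: 1}
    queue = [root]
    while queue:
        current = queue.pop(0)
        for dep in sbom[current].depends_on:
            if dep not in tiers:
                tiers[dep] = tiers[current] + 1
                queue.append(dep)
    return tiers


def beyond_visibility(sbom: Dict[str, Component], root: str,
                      visible_tiers: int = 2) -> List[str]:
    """Components the acquirer would not see through ordinary contractual
    visibility (the Introduction's 'first or possibly second link')."""
    return sorted(n for n, t in tier_map(sbom, root).items() if t > visible_tiers)


def traceability_gaps(sbom: Dict[str, Component], root: str) -> List[str]:
    """Components in the product's dependency closure with no accountable
    supplier recorded: a traceability gap in the sense of 3.3."""
    return sorted(n for n in tier_map(sbom, root) if sbom[n].supplier is None)


def vulnerable_components(sbom: Dict[str, Component], root: str,
                          known: Set[Tuple[str, str]]) -> List[Tuple[str, int]]:
    """(component, tier) pairs matching the known-vulnerable list, so the
    acquirer learns how deep in the chain an exposure sits."""
    tiers = tier_map(sbom, root)
    return sorted((n, tiers[n]) for n in tiers if (n, sbom[n].version) in known)


if __name__ == "__main__":
    print("tiers:", tier_map(SAMPLE_SBOM, "app"))
    print("beyond tier 2:", beyond_visibility(SAMPLE_SBOM, "app"))
    print("no supplier recorded:", traceability_gaps(SAMPLE_SBOM, "app"))
    print("known vulnerable:", vulnerable_components(SAMPLE_SBOM, "app", KNOWN_VULNERABLE))
```

In the constructed data the vulnerable parser sits at tier 3 with no supplier recorded, which is exactly the combination the clause describes: a component the acquirer cannot see through its contract with the first-tier supplier, and nobody accountable for it. The same three checks apply unchanged when the first supplier becomes an acquirer for its own dependencies, which is how the Introduction intends the guidance to propagate along the chain.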

5.3 Acquirer and supplier relationship types

Hardware, software, and services acquirers and suppliers can involve multiple entities in a variety of supply chain-based relationships, including but not limited to:

a) information or operational system management support where systems are owned by the acquirer and managed by the supplier;

b) information or operational systems or services providers where systems or resources are owned and managed by the supplier;

c) product development, design, engineering, etc. where the supplier provides all or part of the service associated with creating hardware and software;

d) commercial off-the-shelf product suppliers;

e) open source product suppliers and distributors.

When acquirers grant suppliers access to acquirers' information and information systems, acquirers assume greater dependency on the supplied hardware, software, and services. By doing so, they assume more risk and therefore require greater trust from suppliers. For example, acquiring information or operational system management support sometimes carries higher risk than acquiring open source or commercial off-the-shelf products. From the supplier's perspective, any compromises to the acquirer's information can harm the supplier's reputation and trust with the specific acquirer whose information and information systems have been compromised.

To help manage the uncertainty and risks associated with supplier relationships, acquirers and suppliers should establish a dialogue and reach an understanding regarding mutual expectations about protecting each other's information and information systems.

5.4 Organizational capability

To manage risks associated with the hardware, software, and services supply chain throughout their life cycle, acquirers and suppliers should implement an organizational capability for managing information security aspects of supplier relationships. This capability should establish and monitor hardware, software, and services supply chain security objectives for the acquirer organization and monitor achievement of these objectives, including at least the following:

a) Define, select, and implement the strategy for management of information security risks caused by hardware, software, and services supply chain vulnerabilities:

1) Establish and maintain a plan for identifying potential hardware, software, and services supply chain-related vulnerabilities before they are exploited; in addition, have a plan for mitigating adverse impacts.

2) Identify and document information security risks associated with the supply chain-related threats and vulnerabilities (see 6.3.4).

b) Establish and adhere to baseline information security controls as a prerequisite to robust supplier relationships (see Annex A for a mapping of Clause 6 to ISO/IEC 27002).

c) Establish and adhere to baseline system and software life cycle processes and practices for establishing robust supplier relationships in regard to hardware, software, and services supply chain information security risk management concerns (see Clause 6).

d) Have a set of baseline information security requirements that apply to all supplier relationships and tailor them for specific suppliers as needed.

e) Establish a repeatable and testable process for establishing information security requirements associated with new supplier relationships, managing existing ...
