Topic-specific policies
ISO/IEC 27036

Search this site

ISMS templates

< Previous standard      ^ Up a level ^      Next standard >


ISO/IEC 27036:2013+ Information security for supplier relationships (four parts)



ISO/IEC 27036 is a multi-part standard offering guidance on the managemnent of information risks involved in the acquisition of ICT goods and services from suppliers.

The terms acquisition and acquirer are used rather than purchase and purchasing since the process, information risks and controls are much the same whether the transactions are commercial or not (e.g. one part of an organisation or group acquiring products from another, or using free/open-source products).


ISO/IEC 27036-1:2021 — Cybersecurity — Supplier relationships — Part 1: Overview and concepts More info added Dec

  • Abstract: “This document is an introductory part of ISO/IEC 27036. It provides an overview of the guidance intended to assist organizations in securing their information and information systems within the context of supplier relationships. It also introduces concepts that are described in detail in the other parts of ISO/IEC 27036. This document addresses perspectives of both acquirers and suppliers.” [source: ISO/IEC 27036-1:2021]
  • Scope & purpose: part 1 introduces all parts of this standard, providing general background information and introducing the key terms and concepts in relation to information security in supplier relationships, including “any supplier relationship that can have information security implications, e.g. information technology, healthcare services, janitorial services, consulting services, R&D partnerships, outsourced applications (ASPs), or cloud computing services (such as software, platform, or infrastructure as a service).”
  • Part 1 outlines a number of information risks commonly arising from or relating to business relationships between acquirers and suppliers, where goods/services acquired have an information content or information security relevance, or where the supplier gains access to the acquirer’s internal information. [The converse situation i.e. acquirers gaining access to suppliers’ internal information - is not explicitly mentioned in part 1 but is noted in part 2.]
  • The standard primarily takes the perspective of the acquirer, covering the acquirer’s information security concerns that ought to be addressed in relationships with upstream suppliers. [The supplier’s information risks when supplying downstream customers, or in relationships with partners, are not explicitly covered.]
  • Status: first edition published and made available for free in 2014.
  • Second edition published in 2021 - no longer free though, unfortunately. Don’t shoot the messenger.

ISO/IEC 27036-2:2022 — Cybersecurity — Supplier relationships — Part 2: Requirements More info added Dec

  • Abstract: part 2 “specifies fundamental information security requirements for defining, implementing, operating, monitoring, reviewing, maintaining and improving supplier and acquirer relationships. These requirements cover any procurement and supply of products and services, such as manufacturing or assembly, business process procurement, software and hardware components, knowledge process procurement, build-operate-transfer and cloud computing services ... To meet the requirements, it is expected that an organization has internally implemented a number of foundational processes or is actively planning to do so [such as] business management, risk management, operational and human resources management, and information security.” [source: ISO/IEC 27036-2:2022]
  • Scope & purpose: part 2 specifies fundamental information security requirements pertaining to business relationships between suppliers and acquirers of various products (goods and services). It helps them reach a common understanding of the associated information risks, and treat them accordingly to their mutual satisfaction.
  • The introduction explicitly states that ISO/IEC 27036 Part 2 is not intended for certification purposes, despite having “Requirements” in the title and “shall” in the content [these are normally reserved words in ISO-land].
  • The control measures recommended in part 2 cover various aspects of governance and business management (e.g. operations, HR management, IT management, relationship management, metrics) as well as information risk management (e.g. information risk analysis and treatment, security controls specification, security architecture/design, strategy).
  • Given the presumptions, style, structure, depth, breadth, rigour and documentation requirements laid out in part 2, following the standard in detail would impose a significant burden of red-tape in the case of commodity supplies but may be entirely appropriate for those with strong information security implications (e.g. military and government procurement of classified ICT systems and services, or commercial procurement of safety- or business-critical ICT systems and services including cloud computing support for core business processes, plus information services such as consulting, legal or HR services). Nevertheless, the standard is a useful checklist or reminder of the information security aspects that ought to be considered in most if not all business relationships.
  • Status: first published in 2014. Revised following changes in ISO/IEC 15288 in June 2022.
  • Personal comments: although this is not intended to be a certifiable standard with formally-specified requirements that are mandatory for certification, wording along the lines of “The following minimum activities shall be executed by the acquirer to meet the objective defined at [a specific clause]” leaves little latitude for organisations to interpret, adapt and apply the standard according to their particular business situations and needs, despite an explanatory note:
  • ”The user of this document needs to correctly interpret each of the forms of the expression of provisions (e.g. ”shall”, ”shall not”, “should” and ”should not”) as being either requirements to be satisfied or recommendations where there is a certain freedom of choice.”

    It comes down to the business and legal arrangements in place between supplier and acquirer as to how much ‘freedom of choice’ there is in interpreting and applying this standard. In the absence of explicit, perfectly worded, unambiguous and binding contractual clauses, lawyers smile wryly and rub their hands together ...


ISO/IEC 27036-3:2013 — Information security for supplier relationships — Part 3:- Guidelines for information and communications technology supply chain security Status updated Jan

  • Abstract: part 3 “provides product and service acquirers and suppliers in the information and communication technology (ICT) supply chain with guidance on:
    1. gaining visibility into and managing the information security risks caused by physically dispersed and multi-layered ICT supply chains;
    2. responding to risks stemming from the global ICT supply chain to ICT products and services that can have an information security impact on the organizations using these products and services. These risks can be related to organizational as well as technical aspects (e.g. insertion of malicious code or presence of the counterfeit information technology (IT) products);
    3. integrating information security processes and practices into the system and software lifecycle processes, described in ISO/IEC 15288 and ISO/IEC 12207, while supporting information security controls, described in ISO/IEC 27002.
  • [Part 3] does not include business continuity management/resiliency issues involved with the ICT supply chain. ISO/IEC 27031 addresses business continuity.” [source: ISO/IEC 27036-3:2013]
  • Scope & purpose: part 3 guides both suppliers and acquirers of ICT goods and services on information risk management relating to the widely dispersed and complex supply chain, including risks such as malware and counterfeit products plus ‘organisational risks’, and the integration of risk management with system and software lifecycle processes, drawing on ISO/IEC 15288, 12207 and 27002.
    • It explicitly concerns ICT.
    • It does not cover the business continuity and resilience aspects of supply chains/networks.
  • Content: a wide range of information security controls are noted in part 3, such as:
      • Assurance;
      • Avoiding the gray-market;
      • Chain of custody (provenance);
      • Code assessment and verification;
      • Compliance management;
      • Configuration and change management;
      • Defined security expectations (specifications);
      • HR management;
      • ICT implementation and transition;
      • ICT integration;
      • ICT management, maintenance and disposal etc.;
      • ICT testing and verification (e.g. security/penetration testing, vulnerability scanning, stress testing, compliance testing);
      • Information management;
      • Intellectual property rights and responsibilities;
      • Least privilege access;
      • Malware prevention;
      • Passing security requirements to upstream suppliers;
      • Persistent protection;
      • Procurement processes including anonymous and all-at-once acquisition;
      • Project management;
      • Quality management;
      • Risk and security management (naturally!);
      • Security architecture/design;
      • Security training;
      • Separation of duties;
      • Supplier/relationship management (naturally!);
      • Tamper resistance and evidence;
      • Vulnerability assessment and response.
    • Most of these controls are covered in general terms by ISO/IEC 27002: this standard provides additional guidance for their application in the supply and acquisition of ICT products.
    • The bulk of the standard provides information security guidance for ICT suppliers and acquirers, as a set of processes for each stage of the typical ICT system lifecycle.
    • An annex includes a breakdown of comparable clauses in ISO/IEC 15288 and 12207, and another identifies relevant clauses from ISO/IEC 27002 (the references will be updated to the 2022 version in the next edition ...).
  • Status: first edition published in 2013.  Currently being revised.
    • Status updated Jan The second edition is not due to be published until 2024 but is already at Final Draft International Standard stage, so may well surface ahead of schedule.
    • The title will become: Cybersecurity — Supplier relationships — Part 3: Guidelines for hardware, software, and services supply chain security
    • Despite removing ‘ICT’ from the title, ‘Cybersecurity’ plus ‘hardware, software’ are strong clues that the standard remains myopically focused in that area e.g. it concerns IT services, specifically, rather than professional services in general.
    • Aside from the ICT aspects, organisations should consider their supply chain information risks more broadly (e.g. theft of intellectual property, misprepresentation, misappropriation, fraud ...) as well as commercial, financial and other kinds of risks (including business continuity risks such as supply chain disruptions): those remain out of scope of part 3.
    • Aside from supplier-acquirer relationships, information risks associated with business partners may also be of concern, where multiple organisations combine their efforts in the production process - for example, the use of contractors on an ICT production line.
    • There may be yet more information risks in the logistics parts of the supply chain, plus related services such as installation, configuration, support and maintenance of ICT equipment, commercial data centre facilities, communications services and more.


ISO/IEC 27036–4:2016 — Information security for supplier relationships — Part 4: Guidelines for security of cloud services More info added Dec

  • Abstract: part 4 “provides cloud service customers and cloud service providers with guidance on (a) gaining visibility into the information security risks associated with the use of cloud services and managing those risks effectively, and (b) responding to risks specific to the acquisition or provision of cloud services that can have an information security impact on organizations using these services.
  • [Part 4] does not include business continuity management/resiliency issues involved with the cloud service. ISO/IEC 27031 addresses business continuity.

    [Part 4] does not provide guidance on how a cloud service provider should implement, manage and operate information security. Guidance on those can be found in ISO/IEC 27002 and ISO/IEC 27017.” [source: ISO/IEC 27036-4:2016]

  • Scope & purpose: part 4 guides the vendors and customers of cloud services on information security management for cloud services.
  • Status: published in 2016. Confirmed unchanged in 2022.
  • Personal comments: part 4 explicitly describes the information risks that it addresses. Full marks!


Personal comments on all parts of ’27036

Within the ISO27k information security standards, the products most obviously covered by ’27036 include:

  • IT outsourcing and cloud computing services;
  • Other professional services e.g. legal, accounting/tax and HR services, security guards, cleaners, delivery services (couriers), equipment maintenance/servicing, consulting and specialist advisory services, knowledge management, research and development, manufacturing, logistics, source code escrow and healthcare;
  • Provision of ICT hardware, software and services including telecommunications and Internet services;
  • Bespoke products and services where the acquirer specifies the requirements and may play an active role in the product design and development (as opposed to commodities and standard off-the-shelf products);
  • Electricity to power ICT equipment.

The ’27036 standards therefore could cover:

  • Strategic goals, objectives, business needs and compliance obligations in relation to information security, privacy and assurance when acquiring ICT-related or information products;
  • Information risks such as:
    • Acquirer’s reliance on providers, complicating the acquirer’s business continuity arrangements (both resilience and recovery);
    • Physical and logical access to and protection of second and third party information assets;
    • Creating an ‘extended trust’ environment with shared responsibilities for information security, or conversely applying the ‘zero trust’ approach in this context;
    • Creating a shared responsibility for conformity with information security policies, standards, laws, regulations, contracts and other commitments/obligations;
    • Coordination between supplier and acquirer to adapt or respond to new/changed information security requirements;
    • ... and more.
  • Information security controls such as:
    • Preliminary analysis, preparation of a sound business case, Invitation To Tender etc., taking into account the risks, controls, costs and benefits associated with maintaining adequate information security;
    • Creation of explicit shared strategic goals to align acquirer and provider on information security and other aspects (e.g. a jointly-owned ‘relationship strategy’);
    • Specification of important information security requirements (such as requiring that suppliers are ISO/IEC 27001 certified and/or use standards such as ISO27k) in contracts, Service Level Agreements etc.;
    • Security management procedures, including those that may be jointly developed and operated such as risk analysis, security design, identity and access management, incident management and business continuity;
    • Special controls to cater for unique risks (such as testing and fallback arrangements associated with the transition/implementation stage when an outsourcing supplier first provides services);
    • Clear ownership, accountability and responsibility for the protection of valuable information assets, including security logs, audit records and forensic evidence;
    • A ‘right of audit’ and other compliance/assurance controls, with penalties or liabilities in case of identified non-compliance, or bonuses for full compliance;
    • ... and more.
  • The entire relationship lifecycle:
    • Initiation - scoping, business case/cost-benefit analysis, comparison of insource versus outsource options as well as variant or hybrid approaches such as co-sourcing;
    • Definition of requirements including the information security requirements, of course;
    • Procurement including evaluating, selecting and contracting with supplier/s;
    • Transition to or implementation of the supply arrangements, with enhanced risks around the implementation period;
    • Operation including aspects such as routine relationship management, compliance, incident and change management, monitoring etc.;
    • Refresh - an optional stage to renew the contract, perhaps reviewing the terms and conditions, performance, issues, working processes etc.;
    • Termination and exit i.e. ending a business relationship that has run its course in a controlled manner, perhaps leading back to the start.
  • Some but not all of this is covered by ’27036, potentially leaving gaps to be filled by other standards plus corporate strategies, policies and procedures.

< Previous standard      ^ Up a level ^      Next standard >

Copyright © 2023 IsecT Ltd.