ISO/IEC 27036-1:2014
Information technology — Security techniques — Information security for supplier relationships
Part 1: Overview and concepts
Contents
Foreword
Introduction
Scope
Normative references
Terms and definitions
Symbols and abbreviated terms
Problem definition and key concepts
Motives for establishing supplier relationships
Types of supplier relationships
Information security risks in supplier relationships and associated threats
Managing information security risks in supplier relationships
ICT supply chain considerations
Overall ISO/IEC 27036 structure and overview
Purpose and structure
Overview of Part 1: Overview and concepts
Overview of Part 2: Requirements
Overview of Part 3: Guidelines for Information and Communication Technology (ICT) supply chain security
Overview of Part 4: Guidelines for security of cloud services
Bibliography
Introduction
Most (if not all) organizations around the world, whatever their size or domain of activity, have relationships with suppliers of different kinds that deliver products or services. Such suppliers can have either direct or indirect access to the information and information systems of the acquirer, or will provide elements (software, hardware, processes, or human resources) that will be involved in information processing. Acquirers can also have physical and/or logical access to the information of the supplier when they control or monitor the supplier's production and delivery processes.
Thus, acquirers and suppliers can cause information security risks to each other. These risks need to be assessed and treated by both acquirer and supplier organizations through appropriate management of information security and the implementation of relevant controls. In many instances, organizations have adopted the International Standards ISO/IEC 27001 and/or ISO/IEC 27002 for the management of their information security. Such International Standards should also be adopted in managing supplier relationships in order to effectively control the information security risks inherent in those relationships.
This International Standard provides further detailed implementation guidance on the controls dealing with supplier relationships that are described as general recommendations in ISO/IEC 27002.
Supplier relationships in the context of this International Standard include any supplier relationship that can have information security implications, e.g. information technology, healthcare services, janitorial services, consulting services, R&D partnerships, outsourced applications (ASPs), or cloud computing services (such as software, platform, or infrastructure as a service).
Both the supplier and the acquirer have to take equal responsibility for achieving the objectives of the supplier/acquirer relationship and for adequately addressing the information security risks that can occur. It is expected that they implement the requirements and guidelines of this International Standard. Furthermore, fundamental processes should be implemented to support the supplier-acquirer relationship (e.g. governance, business management, and operational and human resources management). These processes will provide support in terms of information security as well as the accomplishment of business objectives.