
Friday, 7 April 2017

ISO 27036 Information security for supplier relationships



ISO/IEC 27036-1:2014
Information technology — Security techniques —
Information security for supplier relationships


Part 1:
Overview and concepts

Contents

Foreword
Introduction
Scope
Normative references
Terms and definitions
Symbols and abbreviated terms
Problem definition and key concepts
Motives for establishing supplier relationships
Types of supplier relationships
Information security risks in supplier relationships and associated threats
Managing information security risks in supplier relationships
ICT supply chain considerations
Overall ISO/IEC 27036 structure and overview
Purpose and Structure
Overview of Part 1: Overview and concepts
Overview of Part 2: Requirements
Overview of Part 3: Guidelines for Information and Communication Technology (ICT) supply chain security
Overview of Part 4: Guidelines for security of cloud services
Bibliography

Introduction

Most (if not all) organizations around the world, whatever their size or domain of activity, have relationships with suppliers of different kinds that deliver products or services. Such suppliers can have either direct or indirect access to the information and information systems of the acquirer, or will provide elements (software, hardware, processes, or human resources) that will be involved in information processing. Acquirers can also have physical and/or logical access to the information of the supplier when they control or monitor the supplier's production and delivery processes.
Thus, acquirers and suppliers can cause information security risks to each other. These risks need to be assessed and treated by both acquirer and supplier organizations through appropriate management of information security and the implementation of relevant controls. In many instances, organizations have adopted the International Standards of ISO/IEC 27001 and/or ISO/IEC 27002 for the management of their information security. Such International Standards should also be adopted in managing supplier relationships in order to effectively control the information security risks inherent in those relationships.
This International Standard provides further detailed implementation guidance on the controls dealing with supplier relationships that are described as general recommendations in ISO/IEC 27002.
Supplier relationships in the context of this International Standard include any supplier relationship that can have information security implications, e.g. information technology, healthcare services, janitorial services, consulting services, R&D partnerships, outsourced applications (ASPs), or cloud computing services (such as software, platform, or infrastructure as a service).
Both the supplier and acquirer have to take equal responsibility to achieve the objectives in the supplier/acquirer relationship and adequately address information security risks that can occur. It is expected that they implement the requirements and guidelines of this International Standard. Furthermore, fundamental processes should be implemented to support the supplier-acquirer relationship (e.g. governance, business management, and operational and human resources management). These processes will provide support in terms of information security as well as the accomplishment of business objectives.