
ISO 27036 – Information security for supplier relationships

What is the ISO 27036 standard?

ISO 27000 is a series of information security standards developed and published by the International Standards Organisation (ISO). It provides a globally recognised framework for improving practices when developing Information Security Management Systems (ISMS).

The ISO 27036 standard belongs to the ISO 27000 family and is divided into four parts. It covers information security for supplier relationships, offering guidance on assessing and dealing with the information risks involved in acquiring goods and services from suppliers.

ISO 27036 organisation and uses

How is the standard divided up?

Standard ISO/IEC 27036 is divided into the following four parts:

  1. ISO/IEC 27036-1:2014: Gives a general description and outlines the main concepts. It serves as an introduction to the four parts of this standard, giving general information on the regulatory background (ISO 27000, IT – Security techniques – Information security management systems – Overview and vocabulary), and introducing the key terms and concepts, including risks, relating to information security for supplier relationships.
  2. ISO/IEC 27036-2:2014: Details the fundamental requirements for information security relating to commercial relationships between suppliers and purchasers. The recommended control measures cover various aspects of governance, business management and information security management (setting up organisational projects, planning the relationship with the supplier, relationship agreements, and managing relationships with suppliers, etc.).
  3. ISO/IEC 27036-3:2013: Provides guidelines for the security of the ICT supply chain. It outlines guidelines for both suppliers and purchasers on information security risk management related to the supply chain (malware, counterfeit products, organisational risks, and integrating risk management into the life cycle processes of systems and software, etc.).
  4. ISO/IEC 27036-4:2016: Outlines the guidelines for cloud service security. It provides clients and cloud service providers with guidance on the information security risks associated with the use of cloud services and on managing these risks effectively by implementing specific controls to mitigate them.

Where is ISO 27036 applied?

This standard is applied in commercial relationships between purchasers and suppliers of various goods and services, such as:

  • The supply of hardware, software and ICT services, including telecommunication and Internet services.
  • Outsourcing cloud computing services.
  • Other services, such as security guards, cleaners, couriers, equipment maintenance, and specialist consultancy and advice services, etc.
  • Bespoke products and services where the purchaser specifies the requirements and normally plays an active role in designing the product.
  • Public services, such as electric power, fuels and water.

ISO 27036 steps

The standard provides guidelines for detecting and assessing the information risks involved in purchasing goods and services, and for implementing the controls required to mitigate these risks, throughout the life cycle (or steps) of the relationship between purchasers and suppliers.

What is the life cycle of the relationship?

The life cycle of ISO 27036 is composed of various steps:

  • Cost-benefit analysis, comparison of internal development and outsourcing options, or a mixture of both.
  • Definition of requirements.
  • Selection, evaluation and contracting of suppliers.
  • Application of the supply agreements.
  • Operation: management and supervision of relationships, compliance, and incidents and changes, etc.
  • Renewal, if the contract is renewed, with a review of the terms and conditions, performance, problems, work processes, etc.
  • End of the commercial relationship.

Information security risks

The situations where information security might be compromised are classified as:

  • Offices of the purchaser or supplier.
  • Access to and protection of third party information assets.
  • Shared responsibilities in terms of information security as regards compliance with policies, standards, laws, regulations, contracts and other information security commitments/obligations.
  • Purchaser-supplier coordination to adapt or respond to new information security requirements.

Information security controls

Information security controls must be applied in:

  • The preliminary analysis of risks, controls, costs and benefits associated with maintaining adequate information security.
  • The creation of shared strategic goals to align the purchaser and supplier in terms of information security.
  • The specification of information security requirements: stipulating in contracts, service level agreements, etc. that suppliers comply with the ISO/IEC 27001 standard.
  • Security management procedures: risk analysis, security design, incident management, and business continuity plans, among others.
  • Responsibility for the protection of critical information assets (security records, audit records, and tests, etc.).
  • The right to audit and verify compliance, with sanctions or liabilities in the event of non-compliance, or bonuses in the event of full compliance.

At GlobalSuite Solutions we offer the help and advice you need to implement your Information Security Management System (ISMS) based on ISO 27001 requirements.

We also have GlobalSuite® software, fully developed by our team, which enables the implementation, management and maintenance of the requirements set out in the ISO 27001 standard in all kinds of organisations and sectors.