The ISO/IEC 27036 standard series is a multi-part standard that guides organisations on securing information and information systems within supplier relationships.
ISO/IEC 27036 can be used with several ISO standards, including ISO/IEC 27001, 27002, 27005, 28000, 27017, and 27701. Integrating these standards is crucial for ensuring information security in supplier relationships, managing risks, and securing cloud services.
ISO/IEC 27036 Series Components
The ISO/IEC 27036 series consists of the following parts:
- ISO/IEC 27036-1:2021 – Cybersecurity – Supplier relationships – Part 1: Overview and concepts: This part introduces the series, offering an overview and fundamental concepts for ensuring information security in supplier relationships.
- ISO/IEC 27036-2:2022 – Cybersecurity – Supplier relationships – Part 2: Requirements: This section defines the requirements for ensuring information security in supplier relationships.
- ISO/IEC 27036-3:2023 – Cybersecurity – Supplier relationships – Part 3: Guidelines for hardware, software, and services supply chain security: This part provides guidance on managing information security risks within the supply chain for hardware, software, and services.
- ISO/IEC 27036-4:2016 – Cybersecurity – Supplier relationships – Part 4: Guidelines for security of cloud services: This part provides guidance for cloud service providers and customers on managing information security risks in cloud services.
Which other ISO standards can ISO/IEC 27036 be used in accordance with?
ISO/IEC 27036 is a guidance standard for managing information security in supplier relationships and can be integrated with several other standards, grouped below by area.
Compatibility with the ISO/IEC 27000 Series
ISO/IEC 27036 can be used alongside general information security management system standards in the ISO/IEC 27000 series, including:
- ISO/IEC 27001 – Information Security Management System (ISMS): While ISO/IEC 27036 addresses information security risks in supplier relationships, ISO/IEC 27001 defines the general framework for managing information security.
- ISO/IEC 27002 – Code of Practice for Information Security Controls: The security controls for supplier security management in ISO/IEC 27036 can be integrated with the ISO/IEC 27002 control framework.
- ISO/IEC 27005 – Information Security Risk Management: The risk management processes in ISO/IEC 27036 align with the general risk management methodology outlined in ISO/IEC 27005.
- ISO/IEC 27019 – Information Security for the Energy Sector: This standard is relevant to supplier management risks in the energy sector, making it compatible with ISO/IEC 27036.
- ISO/IEC 27701 – Privacy Information Management System (PIMS): ISO/IEC 27036 can be used alongside ISO/IEC 27701 to ensure that personal data processed by suppliers is protected.
Compatibility with Supply Chain and Cybersecurity Standards
ISO/IEC 27036 can also be used alongside the following supply chain security standards:
- ISO/IEC 28000 – Supply Chain Security Management System: This standard, which focuses on the physical security of the supply chain, can be integrated with the information security aspects of ISO/IEC 27036.
- ISO/IEC 20243 – Open Trusted Technology Provider Standard (O-TTPS): This standard addresses the security practices of hardware and software suppliers, making it compatible with ISO/IEC 27036.
- NIST SP 800-161 – Supply Chain Risk Management: Used alongside ISO/IEC 27036, this standard enhances supplier security in critical infrastructure.

Compatibility with Cloud Security Standards
Since ISO/IEC 27036-4 focuses on cloud security, it is closely related to the following standards:
- ISO/IEC 27017 – Security Controls for Cloud Services: The supplier security measures outlined in ISO/IEC 27036-4 align with the additional controls for cloud security defined in ISO/IEC 27017.
- ISO/IEC 27018 – Protection of Personal Data in Cloud Computing: ISO/IEC 27036-4 can be used alongside ISO/IEC 27018 to protect personal data processed by cloud service providers.