ISO/IEC 27036:2013+ – Information technology – Security techniques – Information security for supplier relationships (4 parts)
ISO/IEC 27036 is a multipart standard that describes good practices for analysing and treating the information risks a customer faces when acquiring goods and services from suppliers. The emphasis is on business-to-business relationships rather than retail, and on products and services with an information component. The terms acquisition and acquirer are used rather than purchase and purchasing, since the process is the same whether or not the transaction is commercial (for example, one part of an organization can acquire products from another part as an internal transfer without actually paying for them).
Scope and objectives
Since it is an information security standard, it covers products and services such as:
– Outsourcing IT services and cloud computing;
– Additional professional services, such as legal advice, human resources, accounting, cleaning, delivery, maintenance, advisory and consulting services, research and development, manufacturing, logistics, source code escrow, as well as healthcare;
– Providing ICT-related hardware, software, and IT services, which include telecommunications and Internet services;
– Customized products and services, where the customer specifies requirements and is often actively involved in the product design (in contrast to commodities and off-the-shelf products);
– Water and electric power utilities.
The standards could apply to:
1. Business objectives, goals, and compliance obligations regarding information security in the planning and purchasing of ICT-related products;
2. Information risks, including:
– The acquirer’s dependence on suppliers, which complicates its business continuity arrangements (resilience and recovery);
– Physical and logical access to, and protection of, the information assets of second and third parties;
– Establishing a secure environment based on extended trust with shared responsibility;
– The creation of shared responsibility for complying with pertinent laws, standards, contracts, and other obligations;
– Coordinating the adaptation or modification of information security requirements between the supplier and acquirer;
– … and much more.
3. Information security controls that include:
– In this context, relationship management involves overseeing the entire relationship life cycle;
– Strategic analysis, preparation of business cases, invitations to tender, etc., keeping in mind costs, risks, and benefits of managing information security;
– The establishment of shared strategic goals between the acquirer and the provider in areas such as information security (such as a jointly-owned relationship strategy);
– Inclusion of important information security requirements (e.g., requiring suppliers to be certified compliant with ISO/IEC 27001 or to use ISO27k standards) within contracts, Service Level Agreements, etc.;
– Security management techniques, like those that are jointly developed and maintained, for instance, security analysis, identity and access management, incident management, business continuity planning;
– Special controls designed to mitigate unique risks (implementing tests and fallback agreements at the transition/implementation stage when an outsourcing supplier provides services for the first time);
– Ownership of, and accountability and responsibility for, the protection of valuable information assets, including security logs, audit records, and forensic evidence;
– Audit rights and other compliance/assurance controls, along with penalties or liabilities for non-compliance, or bonuses for full compliance;
– … plus much more.
4. Understanding the entire relationship lifecycle:
– Initiation – feasibility study, cost-benefit analysis, consideration of in-house versus outsourced options as well as hybrid or variant approaches such as co-sourcing;
– Identification of requirements, including, of course, information security requirements;
– Purchasing, which includes selecting, evaluating, and contracting with suppliers;
– Implementation of new supply arrangements, a stage that carries significant risks;
– Operational aspects including routine relationship management, compliance, incidents and changes, monitoring, etc.;
– Refresh – The option to renew the agreement, which might include reviewing the contract terms and conditions, handling issues, working procedures, etc.;
– Termination and exit, as in concluding the business relationship in a controlled manner, possibly leading back to step 1.
ISO/IEC 27036-1:2014 — Information security for supplier relationships — Part 1: Overview & Concepts [Free]
Scope & objectives: part 1 gives an overview of the topics covered by the standard, providing background information and the key terms and concepts relating to information security in supplier relationships, whether in information technology, healthcare, janitorial services, consulting services, research and development partnerships, outsourced applications (ASPs), or cloud-based services (for example, software, platforms, and infrastructure).
A set of information risks is outlined which may arise directly or indirectly from an acquisition or supplier relationship when the acquired good or service contains information, or when the supplier gains access to the acquirer’s confidential information.
Interestingly, part 1 does not explicitly address the converse situation (suppliers’ internal information being accessed by acquirers), although part 2 does. Essentially, the standard is written from the perspective of the acquiring organization, addressing the security concerns it should have when forming relationships with suppliers.
Status: Available for free download on the ITTF website since 2014.
Eventually, this standard will be retitled Cybersecurity — Supplier relationships — Part 1: Overview and concepts. It is currently at the FDIS stage and may be published by the end of 2021 or in 2022.
ISO/IEC 27036-2:2014 — Information security for supplier relationships — Part 2: Requirements
Scope & objectives: part 2 specifies information security requirements for business relationships between suppliers and acquirers (covering both products and services). A common understanding of the information risks allows both parties to treat them in a mutually satisfactory way.
In its introduction, ISO/IEC 27036 Part 2 explicitly states that it is not intended for certification purposes, despite its title and content using “Requirements” and “shall” [terms normally reserved for certifiable ISO standards].
The recommendations in part 2 cover a variety of governance and business management issues (e.g. operational management, human resource management, IT deployment, relationship management, metrics) and information security management issues (such as risk analysis and management, control specifications, architecture and design, strategy, etc.).
The presumptions, style, structure, depth, breadth, rigour, and documentation requirements outlined in part 2 would be excessively burdensome for commodity acquisitions; however, they may be appropriate for those requiring high levels of information security (for example, defence procurement of classified ICT systems and services, or private enterprises procuring safety- and business-critical ICT systems and services that use cloud computing for core business functions, including consulting, legal, and HR services). In any event, the standard provides a useful checklist for considering information security in most, if not all, business interactions.
Status: In print since 2014.
As a result of changes in ISO/IEC 15288, Part 2 is being revised. At this point, the standard is in Committee Draft form. It is scheduled for publication in 2023 but may appear earlier.
Commentary: Even though this is not meant to be a formal standard with mandatory certification requirements, wording such as “The following minimum activities shall be executed by the acquirer to meet the objective defined at [a particular clause]” obviously gives organisations little latitude in interpreting, adapting, and applying the standard to their particular business circumstances.
The standard’s own note does not fully resolve the conundrum:
“Note: Each of the forms of expression in this document needs to be correctly understood by the viewer (for example, “shall”, “shall not”, “should” and “shouldn’t”) as either specification to be met or recommendations with a certain degree of flexibility.”
How much ‘choice’ suppliers and acquirers have in how this standard is interpreted, applied, and complied with depends on the business and legal arrangements in place. Lawyers often rub their hands together when contracts lack explicit and binding terms.
ISO/IEC 27036-3:2013 — Information security for supplier relationships — Part 3: Guidelines for ICT supply chain security
Scope & objectives: this part of the standard gives guidelines for suppliers and acquirers of ICT goods and services on managing the information risks arising from this complex and widely dispersed supply chain, covering both organizational risks and malware risks, and on integrating risk management into system and software lifecycles in line with ISO/IEC 15288, 12207 and 27002.
Business continuity is out of scope for this part of ISO/IEC 27036. It pertains specifically to ICT products.
Content: Part 3 discusses a broad range of information security controls, including: chain of custody; the least privilege access model; separation of duties; the use of evidence; the application of persistent mitigation; compliance management; code assessment and verification; security training; vulnerability identification and mitigation; defining security expectations; protecting intellectual property; avoiding grey markets; anonymous acquisition processes; passing security requirements upstream; quality management; human resource management; project management; supplier and relationship management; information security requirements (critical security requirements should be part of every requirements analysis); configuration and change management; information management; security design and architecture; implementation and transition of ICT; integration of ICT; testing and verification of ICT systems (e.g. security and penetration testing, vulnerability scans, stress tests, compliance checks); malware protection; and managing, maintaining, and disposing of ICT equipment.
Most of these are covered in general terms by ISO/IEC 27002; ISO/IEC 27036-3 applies them specifically to ICT supply. One annex maps the comparable clauses of ISO/IEC 15288 and ISO/IEC 12207, and another identifies the corresponding clauses of ISO/IEC 27002.
Status: Published in 2013.
ISO/IEC 27036-4:2016 — Information security for supplier relationships — Part 4: Security guidelines for cloud services
Scope & objectives: part 4 provides guidance on information security for cloud service providers and cloud customers.
The purpose is to guide cloud customers and cloud service providers in:
a) identifying and managing the information risks associated with the use of cloud services, and
b) directing resources at the specific risks inherent in acquiring or providing cloud services, in order to implement information security.
The standard does not cover business continuity and resilience of cloud services, which are addressed in ISO/IEC 27031. Nor does it specify information security principles and practices for cloud service providers; those are covered by ISO/IEC 27002 and ISO/IEC 27017. This standard serves as a guide to securing cloud services in line with information security management principles.
Status: Available online since 2016.
Commentary: part 4 specifically identifies the information risks the standard addresses. Well done!
The revision of ISO/IEC 27036
A revision of this multipart standard is currently in progress. The aim is to align the set with ISO/IEC 15288 (IT lifecycles) and to improve its internal consistency. The standards are so ICT-centric that they hardly mention non-ICT goods and services, even those with significant information components and hence significant information risks (for example, legal advice, accounting, and consulting).