1、BSI Standards Publication BS ISO/IEC 27036-1:2014 Information technology Security techniques Information security for supplier relationships Part 1: Overview and conceptsBS ISO/IEC 27036-1:2014 BRITISH STANDARD National foreword This British Standard is the UK implementation of ISO/IEC 27036-1:2014.
2、 The UK participation in its preparation was entrusted to Technical Committee IST/33, IT - Security techniques. A list of organizations represented on this committee can be obtained on request to its secretary. This publication does not purport to include all the necessary provisions of a contract.
3、Users are responsible for its correct application. The British Standards Institution 2014. Published by BSI Standards Limited 2014 ISBN 978 0 580 75943 7 ICS 35.040 Compliance with a British Standard cannot confer immunity from legal obligations. This British Standard was published under the authori
4、ty of the Standards Policy and Strategy Committee on 30 April 2014. Amendments issued since publication Date Text affectedBS ISO/IEC 27036-1:2014 Information technology Security techniques Information security for supplier relationships Part 1: Overview and concepts Technologies de linformation Tech
5、niques de scurit Scurit dinformation pour la relation avec le fournisseur Partie 1: Aperu gnral et concepts ISO/IEC 2014 INTERNATIONAL STANDARD ISO/IEC 27036-1 First edition 2014-04-01 Reference number ISO/IEC 27036-1:2014(E)BS ISO/IEC 27036-1:2014ISO/IEC 27036-1:2014(E)ii ISO/IEC 2014 All rights re
6、served COPYRIGHT PROTECTED DOCUMENT ISO/IEC 2014 All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prio
7、r written permission. Permission can be requested from either ISO at the address below or ISOs member body in the country of the requester. ISO copyright office Case postale 56 CH-1211 Geneva 20 Tel. + 41 22 749 01 11 Fax + 41 22 749 09 47 E-mail copyrightiso.org Web www.iso.org Published in Switzer
8、landBS ISO/IEC 27036-1:2014ISO/IEC 27036-1:2014(E) ISO/IEC 2014 All rights reserved iii Contents Page Foreword iv Introduction v 1 Scope . 1 2 Normative references 1 3 T erms and definitions . 1 4 Symbols and abbreviated terms . 3 5 Pr oblem definition and k e y c onc epts . 4 5.1 Motives for establ
9、ishing supplier relationships . 4 5.2 Types of supplier relationships 4 5.3 Information security risks in supplier relationships and associated threats . 6 5.4 Managing information security risks in supplier relationships . 9 5.5 ICT supply chain considerations 9 6 Overall ISO/IEC 27036 structure an
10、d overview 10 6.1 Purpose and Structure 10 6.2 Overview of Part 1: Overview and concepts .11 6.3 Overview of Part 2: Requirements 11 6.4 Overview of Part 3: Guidelines for Information and Communication Technology (ICT) supply chain security 11 6.5 Overview of Part 4: Guidelines for security of cloud
11、 services .11 Bibliography .13BS ISO/IEC 27036-1:2014ISO/IEC 27036-1:2014(E) Foreword ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or
12、 IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, g
13、overnmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. International Standards are drafted in accordance with the rules given in the ISO/IEC Directives
14、, Part 2. The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the nati
15、onal bodies casting a vote. Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. ISO/IEC 27036-1 was prepared by Joint Technical Committee ISO/IEC
16、 JTC 1, Information technology, Subcommittee SC 27, Security techniques. ISO/IEC 27036 consists of the following parts, under the general title Information technology Security techniques Information security for supplier relationships: Part 1: Overview and concepts Part 2: Requirements Part 3: Guide
17、lines for information and communication technology supply chain security Part 4: Guidelines for security of cloud servicesiv ISO/IEC 2014 All rights reservedBS ISO/IEC 27036-1:2014ISO/IEC 27036-1:2014(E) Introduction Most (if not all) organizations around the world, whatever their size or domains of
18、 activities, have relationships with suppliers of different kinds that deliver products or services. Such suppliers can have either a direct or indirect access to the information and information systems of the acquirer, or will provide elements (software, hardware, processes, or human resources) tha
19、t will be involved in information processing. Acquirers can also have physical and/or logical access to the information of the supplier when they control or monitor production and delivery processes of the supplier. Thus, acquirers and suppliers can cause information security risks to each other. Th
20、ese risks need to be assessed and treated by both acquirer and supplier organizations through appropriate management of information security and the implementation of relevant controls. In many instances, organizations have adopted the International Standards of ISO/IEC 27001 and/or ISO/IEC 27002 fo
21、r the management of their information security. Such International Standards should also be adopted in managing supplier relationships in order to effectively control the information security risks inherent in those relationships. This International Standard provides further detailed implementation
22、guidance on the controls dealing with supplier relationships that are described as general recommendations in ISO/IEC 27002. Supplier relationships in the context of this International Standard include any supplier relationship that can have information security implications, e.g. information techno
23、logy, healthcare services, janitorial services, consulting services, R Note 2 to entry was added. 3.12 system combination of interacting elements organized to achieve one or more stated purposes Note 1 to entry: A system can be considered as a product or as the services it provides. Note 2 to entry:
24、 In practice, the interpretation of its meaning is frequently clarified by the use of an associative noun, e.g. aircraft system. Alternatively, the word “system” can be substituted simply by a context-dependent synonym, e.g. aircraft, though this can then obscure a system principles perspective. SOU
25、RCE: ISO/IEC 15288:2008, 4.31 3.13 trust relationship between two entities and/or elements, consisting of a set of activities and a security policy in which element x trusts element y if and only if x has confidence that y will behave in a well-defined way (with respect to the activities) that does
26、not violate the given security policy SOURCE: ISO/IEC 13888-1:2009, 3.59, modified The note was removed. 3.14 upstream handling processes and movements of products and services that occur before an entity in the supply chain takes custody of the products and responsibility for information and commun
27、ication technology (ICT) services SOURCE: ISO 28001:2007, 3.27, modified The word “goods” was replaced by “products and services”, and the definition was changed to better reflect this change in focus. 3.15 visibility property of a system or process that enables system elements and processes to be d
28、ocumented and available for monitoring and inspection 4 Symbols and abbreviated terms The following symbols and abbreviated terms are used in this International Standard: API Application Programming Interface ASP Application Service Provider BCP Business Continuity Plan(ning) BPaaS Business Process
29、as a Service ISO/IEC 2014 All rights reserved 3BS ISO/IEC 27036-1:2014ISO/IEC 27036-1:2014(E) IaaS Infrastructure as a Service ICT Information and Communication Technology PaaS Platform as a Service R&D Research & Development SaaS Software as a Service 5 Pr oblem definition and k e y c onc epts 5.1
30、Motives for establishing supplier relationships Organizations often choose to form and/or retain supplier relationships for a variety of business reasons to take advantage of the benefits they can provide. The following summarizes potential motivations for establishing a supplier relationship: a) Fo
31、cusing internal resources on core business functions which can result in a cost reduction and improved return on investment (e.g. outsourcing ICT services). b) Acquiring a short-term or highly specialized competency that an organization does not already possess (e.g., hiring an advertising firm) to
32、achieve certain business objectives. c) Acquiring a utility or basic service that is common or readily available (e.g. electric power and telecommunications) that cannot efficiently be provided by the organization. d) Enabling business operations in a different geographical location. e) Acquiring ne
33、w or replacement ICT equipment or services (e.g. laptops, printers, servers, routers, software applications, storage capacity, network connectivity, ICT managing services etc.) that enable workforce productivity and other business computing needs. Suppliers can provide a multitude of products or ser
34、vices, including IT outsourcing, professional services, basic utilities (equipment maintenance service, security guards service, cleaning and delivering services etc.), cloud computing services, information and communication technology (ICT), knowledge management, R&D, manufacturing, logistics, heal
35、th care services, Internet services, and many others. 5.2 Types of supplier relationships 5.2.1 Supplier relationships for products When an acquirer enters a supplier relationship for products, it typically purchases products with agreed specifications for a predetermined period for manufacturing th
36、e acquirers products. The supplier can have access to the acquirers information when delivering and supporting the product which can result in information security risks to the acquirers information. Failures to fulfil requirements, software vulnerabilities and malfunctions of products and inadverte
37、nt release of sensitive information can also cause information security risks to the acquirer. To manage these information security risks, the acquirer may wish to control suppliers access to the acquirers information. The acquirer may also wish to control elements of the suppliers production proces
38、ses to maintain quality of the products and to reduce information security risks derived from vulnerabilities, malfunctions or other failures to fulfil requirements. This, in turn, can pose information security risks to the supplier because the acquirer can have access to the suppliers information when controlling elements of the suppliers processes. Further, the acquirer may wish to have assurances regarding the specification of products, by monitoring or auditing of the production processes or requiring the supplier to obtain an independent certification 4 ISO/IEC 2014 All rights reserved
