1、BSI Standards Publication BS ISO/IEC 27036-2:2014 Information technology Security techniques Information security for supplier relationships Part 2: RequirementsBS ISO/IEC 27036-2:2014 BRITISH STANDARD National foreword This British Standard is the UK implementation of ISO/IEC 27036-2:2014. The UK p
2、articipation in its preparation was entrusted to Technical Committee IST/33, IT - Security techniques. A list of organizations represented on this committee can be obtained on request to its secretary. This publication does not purport to include all the necessary provisions of a contract. Users are
3、 responsible for its correct application. The British Standards Institution 2014. Published by BSI Standards Limited 2014 ISBN 978 0 580 76089 1 ICS 35.040 Compliance with a British Standard cannot confer immunity from legal obligations. This British Standard was published under the authority of the
4、 Standards Policy and Strategy Committee on 31 July 2014. Amendments issued since publication Date Text affectedBS ISO/IEC 27036-2:2014 Information technology Security techniques Information security for supplier relationships Part 2: Requirements Technologies de linformation Techniques de scurit Sc
5、urit dinformation pour la relation avec le fournisseur Partie 2: Exigences ISO/IEC 2014 INTERNATIONAL STANDARD ISO/IEC 27036-2 First edition 2014-08-01 Reference number ISO/IEC 27036-2:2014(E)BS ISO/IEC 27036-2:2014ISO/IEC 27036-2:2014(E)ii ISO/IEC 2014 All rights reserved COPYRIGHT PROTECTED DOCUME
6、NT ISO/IEC 2014 All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission
7、can be requested from either ISO at the address below or ISOs member body in the country of the requester. ISO copyright office Case postale 56 CH-1211 Geneva 20 Tel. + 41 22 749 01 11 Fax + 41 22 749 09 47 E-mail copyrightiso.org Web www.iso.org Published in SwitzerlandBS ISO/IEC 27036-2:2014ISO/IE
8、C 27036-2:2014(E) ISO/IEC 2014 All rights reserved iii Contents Page Foreword iv Introduction v 1 Scope . 1 2 Normative references 1 3 T erms and definitions . 1 4 Symbols and abbreviated terms . 1 5 Structure of ISO/IEC 27036-2 2 6 Information security in supplier relationship management . 4 6.1 Ag
9、reement processes 4 6.2 Organisational project-enabling processes 7 6.3 Project processes .10 6.4 Technical processes .14 7 Information security in a supplier relationship instance 15 7.1 Supplier relationship planning process15 7.2 Supplier selection process .17 7.3 Supplier relationship agreement
10、process .21 7.4 Supplier relationship management process .24 7.5 Supplier relationship termination process 27 Annex A (informative) Cross-references between ISO/IEC 15288 clauses and ISO/ IEC 27036-2 clauses .30 Annex B (informative) Cross-references between ISO/IEC 27036-2 clauses and ISO/ IEC 2700
11、2 controls 32 Annex C (informative) Objectives from Clauses 6 and 7 34 Bibliography .38BS ISO/IEC 27036-2:2014ISO/IEC 27036-2:2014(E) Foreword ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide st
12、andardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields
13、 of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. The procedures used to develop this doc
14、ument and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the different types of document should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives,
15、Part 2 (see www.iso.org/directives). Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the devel
16、opment of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents). Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement. For an explanation on the meaning of ISO
17、 specific terms and expressions related to conformity assessment, as well as information about ISOs adherence to the WTO principles in the Technical Barriers to Trade (TBT) see the following URL: Foreword - Supplementary information The committee responsible for this document is ISO/IEC JTC 1, Infor
18、mation technology, SC 27, IT Security techniques. ISO/IEC 27036 consists of the following parts, under the general title Information technology Security techniques Information security for supplier relationships: Part 1: Overview and concepts Part 2: Requirements Part 3: Guidelines for information a
19、nd communication technology supply chain security The following part is under preparation: Part 4: Guidelines for security of cloud services.iv ISO/IEC 2014 All rights reservedBS ISO/IEC 27036-2:2014ISO/IEC 27036-2:2014(E) Introduction Organizations throughout the world work with suppliers to acquir
20、e products and services. Many organizations establish several supplier relationships to cover a variety of business needs, such as operations or manufacturing. Conversely, suppliers provide products and services to several acquirers. Relationships between acquirers and suppliers established for the
21、purpose of acquiring a variety of products and services may introduce information security risks to both acquirers and suppliers. These risks are caused by mutual access to the other partys assets, such as information and information systems, as well as by the difference in business objectives and i
22、nformation security approaches. These risks should be managed by both acquirers and suppliers. ISO/IEC 27036-2: a) specifies fundamental information security requirements for defining, implementing, operating, monitoring, reviewing, maintaining and improving supplier and acquirer relationships; b) f
23、acilitates mutual understanding of the other partys approach to information security and tolerance for information security risks; c) reflects the complexity of managing risks that can have information security impacts in supplier and acquirer relationships; d) is intended to be used by any organiza
24、tion willing to evaluate the information security in supplier or acquirer relationships; e) is not intended for certification purposes; f) is intended to be used to set a number of defined information security objectives applicable to a supplier and acquirer relationship that is a basis for assuranc
25、e purposes. ISO/IEC 27036-1 provides overview and concepts associated with information security in supplier relationships. ISO/IEC 27036-3 provides guidelines to the acquirer and the supplier for managing information security risks specific to the ICT products and services supply chain. ISO/IEC 2703
26、6-4 (to be published) provides guidelines to the acquirer and the supplier for managing information security risks specific to the cloud services. NOTE The user of this document needs to correctly interpret each of the forms of the expression of provisions (e.g. “shall”, “shall not”, “should” and “s
27、hould not”) as being either requirements to be satisfied or recommendations where there is a certain freedom of choice. ISO/IEC 2014 All rights reserved vBS ISO/IEC 27036-2:2014BS ISO/IEC 27036-2:2014Information technology Security techniques Information security for supplier relationships Part 2: R
28、equirements 1 Scope This part of ISO/IEC 27036 specifies fundamental information security requirements for defining, implementing, operating, monitoring, reviewing, maintaining and improving supplier and acquirer relationships. These requirements cover any procurement and supply of products and serv
29、ices, such as manufacturing or assembly, business process procurement, software and hardware components, knowledge process procurement, Build-Operate-Transfer and cloud computing services. These requirements are intended to be applicable to all organizations, regardless of type, size and nature. To
30、meet these requirements, an organization should have already internally implemented a number of foundational processes, or be actively planning to do so. These processes include, but are not limited to, the following: governance, business management, risk management, operational and human resources
31、management, and information security. 2 Normative references The following documents, in whole or in part, are normatively referenced in this document and are indispensable for its application. For dated references, only the edition cited applies. For undated references, the latest edition of the re
32、ferenced document (including any amendments) applies. ISO/IEC 27000, Information technology Security techniques Information security management systems Overview and vocabulary ISO/IEC 27036-1, Information technology Security techniques Information security for supplier relationships Part 1: Overview
33、 and concepts 3 T erms a nd definiti ons For the purposes of this document, the terms and definitions given in ISO/IEC 27000 and ISO/IEC 27036- 1 apply. 4 Symbols and abbreviated terms The following symbols (and abbreviated terms) are used in this standard: ASP Application Service Provider BCP Busin
34、ess Continuity Plan DBA Database Administrator INTERNATIONAL ST ANDARD ISO/IEC 27036-2:2014(E) ISO/IEC 2014 All rights reserved 1BS ISO/IEC 27036-2:2014ISO/IEC 27036-2:2014(E) ICT Information and Communication Technology ISMS Information Security Management System ITT Invitation to Tender RFP Reques
35、t for Proposal VoIP Voice over IP 5 Structure of ISO/IEC 27036-2 Clause 6 defines fundamental and high-level information security requirements applicable to the management of several supplier relationships. Any of the processes in Clause 6 can be applied to individual supplier relationships at any p
36、oint in that supplier relationship lifecycle. These requirements are structured according to life cycle processes specified in ISO/IEC 15288. 1These requirements shall be applied by the acquirer and by the supplier to ensure that these organisations are able to manage information security risks resu
37、lting from supplier relationships. NOTE Clause 6 only references the ISO/IEC 15288 life cycle processes that are relevant to information security in supplier relationships. Clause 7 defines fundamental information security requirements applicable to an acquirer and a supplier within a context of a s
38、ingle supplier relationship instance. These requirements are structured given following supplier relationship life cycle processes: a) Supplier relationship planning process; b) Supplier selection process; c) Supplier relationship agreement process; d) Supplier relationship management process; e) Su
39、pplier relationship termination process. Requirements in Clause 7 shall be applied by the acquirer and the supplier involved in a supplier relationship to ensure that these organisations are able to manage relevant information security risks. Figure 1 describes the scope of the fundamental informati
40、on security requirements in connection with processes defined in Clauses 6 and 7:2 ISO/IEC 2014 All rights reservedBS ISO/IEC 27036-2:2014ISO/IEC 27036-2:2014(E)Fundamental and high- level information security requirements for acquirers and suppliers as organizational scheme commonly applicable to i
41、nstances of supplier relationship. 6.2 Organisational project-enabling processes 6.2.1 Life cycle model management process 6.2.2 Infrastructure management process 6.2.3 Project portfolio management process 6.1 Agreement processes 6.1.1 Acquisition process 6.1.2 Supply process Scope 6.2.4 Human resou
42、rce management process Fundamental information security requirements for acquirers and suppliers when establishing and maintaining an instance of supplier relationship. 7.1 Supplier relationship planning process 7.4 Supplier relationship management process 7.2 Supplier selection process 7.3 Supplier
43、 relationship agreement process 7.5 Supplier relationship termination process 6.3 Project processes 6.3.1 Project planning process 6.3.2 Project assessment and control process 6.3.3 Decision management process 6.3.4 Risk management process 6.3.5 Configuration management process 6.3.6 Information man
44、agement process 6.4 Technical processes 6.4.1 Architectural design process 6.3.7 Measurement process 6.2.5 Quality management process F i g u r e 1 S c o p e o f f u n d a m e n t a l i n f o r m a t i o n s e c u r i t y r e q u i r e m e n t s d e f i n e d i n Clauses 6 and 7 ISO/IEC 2014 All rig
45、hts reserved 3BS ISO/IEC 27036-2:2014ISO/IEC 27036-2:2014(E) Text of Clauses 6.1 to 6.4, and of Clauses 7.1 to 7.5 is structured in tables which need to be interpreted as follows: Acquirer Text specific to the acquirer. Supplier Text specific to the supplier. Acquirer Supplier Text specific to both
46、acquirer and supplier, unless explicitly stated. Text specific to the acquirer. Text specific to the supplier. There are three informative annexes. Annex A provides cross-references between clauses of ISO/IEC 15288 that are relevant to supplier relationships and clauses of ISO/IEC 27036-2. Annex B p
47、rovides cross-references between clauses of ISO/IEC 27036-2 and information security controls listed in ISO/IEC 27002 2and that are relevant to supplier relationships. Annex C provides lists of objectives that are stated in Clauses 6 and 7 for the acquirer and supplier. 6 Information security in sup
48、plier relationship management 6.1 Agreement processes Organisations can enter into a variety of supplier relationships. Suitable relationships between acquirers and suppliers are achieved using agreements defining information security roles and responsibilities with respect to the supplier relations
49、hip. The following agreement processes support procurement or supply of a product or service from both strategic and information security perspectives: a) Acquisition process; b) Supply process. 6.1.1 Acquisition process 6.1.1.1 Objective The following objective shall be met by the acquirer for successfully managing information security within the acquisition process: Acquirer a) Establish a supplier relationship strategy that:1) Is based on the information security risk tolerance of the acquirer;2)
