1、BSI Standards Publication BS ISO/IEC 27036-3:2013 Information technology Security techniques Information security for supplier relationships Part 3: Guidelines for information and communication technology supply chain securityBS ISO/IEC 27036-3:2013 BRITISH STANDARD National foreword This British St
2、andard is the UK implementation of ISO/IEC 27036-3:2013. The UK participation in its preparation was entrusted to Technical Committee IST/33, IT - Security techniques. A list of organizations represented on this committee can be obtained on request to its secretary. This publication does not purport
3、 to include all the necessary provisions of a contract. Users are responsible for its correct application. The British Standards Institution 2013. Published by BSI Standards Limited 2013 ISBN 978 0 580 76090 7 ICS 35.040 Compliance with a British Standard cannot confer immunity from legal obligation
4、s. This British Standard was published under the authority of the Standards Policy and Strategy Committee on 30 November 2013. Amendments issued since publication Date Text affectedBS ISO/IEC 27036-3:2013 Information technology Security techniques Information security for supplier relationships Part
5、 3: Guidelines for information and communication technology supply chain security Technologies de linformation Techniques de scurit Scurit dinformation pour la relation avec le fournisseur Partie 3: Lignes directrices pour la scurit de la chane de fourniture des technologies de la communication et d
6、e linformation ISO/IEC 2013 INTERNATIONAL STANDARD ISO/IEC 27036-3 First edition 2013-11-15 Reference number ISO/IEC 27036-3:2013(E)BS ISO/IEC 27036-3:2013ISO/IEC 27036-3:2013(E)ii ISO/IEC 2013 All rights reserved COPYRIGHT PROTECTED DOCUMENT ISO/IEC 2013 All rights reserved. Unless otherwise specif
7、ied, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO
8、s member body in the country of the requester. ISO copyright office Case postale 56 CH-1211 Geneva 20 Tel. + 41 22 749 01 11 Fax + 41 22 749 09 47 E-mail copyrightiso.org Web www.iso.org Published in SwitzerlandBS ISO/IEC 27036-3:2013ISO/IEC 27036-3:2013(E) ISO/IEC 2013 All rights reserved iii Conte
9、nts Page Foreword iv Introduction v 1 Scope . 1 2 Normative references 1 3 T erms and definitions . 1 4 Structure of this standard . 2 5 Key concepts . 2 5.1 Business case for ICT supply chain security 2 5.2 ICT supply chain risks and associated threats . 3 5.3 Acquirer and supplier relationship typ
10、es 3 5.4 Organizational capability . 4 5.5 System lifecycle processes 4 5.6 ISMS processes in relation to system lifecycle processes 5 5.7 ISMS information security controls in relation to ICT supply chain security . 5 5.8 Essential ICT supply chain security practices 5 6 ICT supply chain security i
11、n Lifecycle Processes 7 6.1 Agreement Processes 7 6.2 Organizational Project-Enabling Processes 10 6.3 Project Processes .13 6.4 Technical Processes .15 Annex A (informative) Summary of Supply and Acquisition Processes from ISO/IEC 15288 and ISO/IEC 12207 24 Annex B (informative) Clause 6 mapping to
12、 ISO/IEC 27002 .35 Bibliography .37BS ISO/IEC 27036-3:2013ISO/IEC 27036-3:2013(E) Foreword ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of I
13、SO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizatio
14、ns, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. International Standards are drafted in accordance with the rules given in the ISO/IEC Direc
15、tives, Part 2. The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the
16、 national bodies casting a vote. Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. ISO/IEC 27036-3 was prepared by Joint Technical Committee IS
17、O/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques. ISO/IEC 27036 consists of the following parts, under the general title Information technology Security techniques Information security for supplier relationships: Part 1: Overview and concepts Part 2: Requirements Part
18、3: Guidelines for information and communication technology supply chain security The following part is under preparation: Part 4: Guidelines for security of cloud services.iv ISO/IEC 2013 All rights reservedBS ISO/IEC 27036-3:2013ISO/IEC 27036-3:2013(E) Introduction Information and Communication Tec
19、hnology (ICT) products and services are developed, integrated, and delivered globally through deep and physically dispersed supply chains. ICT products are assembled from many components provided by many suppliers. ICT services throughout the entire supplier relationship are also delivered through m
20、ultiple tiers of outsourcing and supply chaining. Acquirers do not have visibility into the practices of hardware, software, and service providers beyond first or possibly second link of the supply chain. With the substantial increase in the number of organizations and people who “touch” an ICT prod
21、uct or service, the visibility into the practices by which these products and services are put together has decreased dramatically. This lack of visibility, transparency, and traceability into the ICT supply chain poses risks to acquiring organizations. This standard provides guidance to ICT product
22、 and service acquirers and suppliers to reduce or manage information security risk. This standard identifies the business case for ICT supply chain security, specific risks and relationship types as well as how to develop an organizational capability to manage information security aspects and incorp
23、orate a lifecycle approach to manage risks supported by specific controls and practices. Its application is expected to result in: Increased ICT supply chain visibility and traceability to enhance information security capability; Increased understanding by the acquirers of where their products or se
24、rvices are coming from, and of the practices used to develop, integrate, or operate these products or services, to enhance the implementation of information security requirements; In case of an information security compromise, the availability of information about what may have been compromised and
25、who the involved actors may be. This international standard is intended to be used by all types of organizations that acquire or supply ICT products and services in the ICT supply chain. The guidance is primarily focused on the initial link of the first acquirer and supplier, but the principle steps
26、 should be applied throughout the chain, starting when the first supplier changes its role to being an acquirer and so on. This change of roles and applying the same steps for each new acquirer-supplier link in the chain is the essential intention of the standard. By following this international sta
27、ndard, information security implications can be communicated among organizations in the chain. This helps identifying information security risks and their causes and may enhance the transparency throughout the chain. Information security concerns related to supplier relationships cover a broad range
28、 of scenarios. Organizations desiring to improve trust within their ICT supply chain should define their trust boundaries, evaluate the risk associated with their supply chain activities, and then define and implement appropriate risk identification and mitigation techniques to reduce the risk of vu
29、lnerabilities being introduced through their ICT supply chain. ISO/IEC 27001 and ISO/IEC 27002 framework and controls provide a useful starting point for identifying appropriate requirements for acquirers and suppliers. ISO/IEC 27036 provides further detail regarding specific requirements to be used
30、 in establishing and monitoring supplier relationships. ISO/IEC 2013 All rights reserved vBS ISO/IEC 27036-3:2013BS ISO/IEC 27036-3:2013Information technology Security techniques Information security for supplier relationships Part 3: Guidelines for information and communication technology supply ch
31、ain security 1 Scope This part of ISO/IEC 27036 provides product and service acquirers and suppliers in ICT supply chain with guidance on: a) gaining visibility into and managing the information security risks caused by physically dispersed and multi-layered ICT supply chains; b) responding to risks
32、 stemming from the global ICT supply chain to ICT products and services that can have an information security impact on the organizations using these products and services. These risks can be related to organizational as well as technical aspects (e.g. insertion of malicious code or presence of the
33、counterfeit information technology (IT) products); c) integrating information security processes and practices into the system and software lifecycle processes, described in ISO/IEC 15288 and ISO/IEC 12207, while supporting information security controls, described in ISO/IEC 27002. This part of ISO/
34、IEC 27036 does not include business continuity management/resiliency issues involved with the ICT supply chain. ISO/IEC 27031 addresses business continuity. 2 Normative references The following documents, in whole or in part, are normatively referenced in this document and are indispensable for its
35、application. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies. ISO/IEC 27000, Information technology Security techniques Information security management systems Overview and vocabulary ISO/I
36、EC 27036-1, Information technology Security techniques Information security for supplier relationships Part 1: Overview and concepts ISO/IEC 27036-2, Information technology Security techniques Information security for supplier relationships Part 2: Requirements 3 T erms a nd definiti ons For the pur
37、poses of this document, the terms and definitions given in ISO/IEC 27000, ISO/IEC 27036-1 and the following apply. 3.1 reliability property of a system and its parts to perform its mission accurately and without failure or significant degradation INTERNATIONAL ST ANDARD ISO/IEC 27036-3:2013(E) ISO/I
38、EC 2013 All rights reserved 1BS ISO/IEC 27036-3:2013ISO/IEC 27036-3:2013(E) 3.2 system element member of a set of elements that constitutes a system Note 1 to entry: A system element is a discrete part of a system that can be implemented to fulfil specified requirements. A system element can be hard
39、ware, software, data, humans, processes (e.g. processes for providing required functionality to users), procedures (e.g. operator instructions), facilities, materials, and naturally occurring entities (e.g. water, organisms, minerals), or any combination. SOURCE: ISO/IEC 15288:2008, definition 4.32
40、3.3 transparency property of a system or process to imply openness and accountability 3.4 traceability property that allows the tracking of the activity of an identity, process, or an element throughout the supply chain 3.5 validation confirmation, through the provision of objective evidence, that t
41、he requirements for a specific intended use or application have been fulfilled Note 1 to entry: Validation is the set of activities ensuring and gaining confidence that a system is able to accomplish its intended use, goals and objectives (i.e. meet stakeholder requirements) in the intended operatio
42、nal environment. SOURCE: ISO/IEC 15288:2008, definition 4.37 3.6 ve r i f ic at ion confirmation, through the provision of objective evidence, that specified requirements have been fulfilled Note 1 to entry: Verification is a set of activities that compares a system or system element against the req
43、uired characteristics. This may include, but is not limited to, specified requirements, design description and the system itself. SOURCE: ISO/IEC 15288:2008, definition 4.38 4 Structure of this standard This standard is structured to be harmonized with ISO/IEC 15288 and ISO/IEC 12207. Clause 6 mirro
44、rs lifecycle processes provided in those two standards. This standard is also harmonized with ISO/IEC 27002 and references relevant information security controls within the lifecycle processes with the mapping provided in Annex B. The documents named in this standard are generic and do not need to b
45、e elaborate or separate documents. Organizations should use existing documents to integrate ICT supply chain security. 5 Key concepts 5.1 Business case for ICT supply chain security Organizations acquire ICT products and services from numerous suppliers who may in turn acquire components from other
46、suppliers. The information security risks associated with these dispersed and multi-layered ICT supply chains can be managed through the application of risk management practices and trusted relationships, thereby increasing visibility, traceability and transparency in the ICT supply chain. For examp
47、le, increased visibility into the ICT supply chain is obtained by defining adequate information security and quality requirements, and ongoing monitoring of suppliers and their products and services 2 ISO/IEC 2013 All rights reservedBS ISO/IEC 27036-3:2013ISO/IEC 27036-3:2013(E) once a supplier rela
48、tionship is in operation. Identifying and tracking individuals accountable for quality and security for critical elements provides greater traceability. Establishing contractual requirements and expectations, as well as reviewing processes and practices provides much needed transparency. Acquirers s
49、hould establish an understanding within their organizations regarding the ICT supply chain risks and their possible impacts on businesses. Specifically, acquirers management should be aware that practices of suppliers throughout the supply chain can have impacts on whether resulting products and services can be trusted to protect acquirers business, information, and information systems. 5.2 ICT supply chain risks and associated threats In a supply chain, information security management o