ISO/IEC 27036-2:2014 specifies fundamental information security requirements for defining, implementing, operating, monitoring, reviewing, maintaining and improving supplier and acquirer relationships.

These requirements cover any procurement and supply of products and services, such as manufacturing or assembly, business process procurement, software and hardware components, knowledge process procurement, Build-Operate-Transfer and cloud computing services.

These requirements are intended to be applicable to all organizations, regardless of type, size and nature.

To meet these requirements, an organization should have already internally implemented a number of foundational processes, or be actively planning to do so. These processes include, but are not limited to, the following: governance, business management, risk management, operational and human resources management, and information security.

Organizations throughout the world work with suppliers to acquire products and services. Many organizations establish several supplier relationships to cover a variety of business needs, such as operations or manufacturing. Conversely, suppliers provide products and services to several acquirers.

Relationships between acquirers and suppliers established for the purpose of acquiring a variety of products and services may introduce information security risks to both acquirers and suppliers. These risks are caused by mutual access to the other party’s assets, such as information and information systems, as well as by the difference in business objectives and information security approaches. These risks should be managed by both acquirers and suppliers.
ISO/IEC 27036-2:
  • a) specifies fundamental information security requirements for defining, implementing, operating, monitoring, reviewing, maintaining and improving supplier and acquirer relationships;
  • b) facilitates mutual understanding of the other party’s approach to information security and tolerance for information security risks;
  • c) reflects the complexity of managing risks that can have information security impacts in supplier and acquirer relationships;
  • d) is intended to be used by any organization willing to evaluate the information security in supplier or acquirer relationships;
  • e) is not intended for certification purposes;
  • f) is intended to be used to set a number of defined information security objectives applicable to a supplier and acquirer relationship that is a basis for assurance purposes.

Leave a Reply

Your email address will not be published. Required fields are marked *