ISO/IEC 27036 — IT Security — Security techniques — Information security for supplier relationships (DRAFT)

Scope

ISO/IEC 27036 will be a multi-part standard offering guidance on the evaluation and mitigation of security risks involved in the acquisition and use of information or ICT-related services from other organizations.  It is planned to cover the following broad areas:

• Strategic goals, objectives and business needs in relation to information security;
• Information security risks and mitigation techniques;
• Provision of assurance (and presumably compliance with contractual obligations etc.).

This standard may cover information security risks relating to the supplier relations part of cloud computing.

Information security risks to be addressed by the standard

Information security risks associated with outsourcing information-related processes include:

• Making the organization to some extent reliant on the external providers, complicating business continuity arrangements (both resilience and recovery);
• Creating an ‘extended trust’ environment with shared responsibilities for information security;
• Creating a shared responsibility for compliance with information security policies, standards, laws, regulations, contracts and other commitments/obligations;
• Coordinating with the supplier/s to adapt to new/changed information security requirements;
• ... and more.

Information security controls to be addressed by the standard

The controls outlined in sections 6.2 and 10.2 of ISO/IEC 27002:2005 do not cover the security of outsourcing comprehensively from a risk management perspective, especially where multiple outsourcing services providers are used or where providers change part-way through a contractual period.

The COSO framework may be helpful, plus other frameworks such as COBIT, ITIL and ISO 20000.

Recommended information security controls may include:

• Relationship management controls covering the entire lifecycle of the relationships with external suppliers (see below);
• Preliminary analysis, preparation of a sound business case, Invitation To Tender etc., taking into account the risks, controls, costs and benefits associated with maintaining adequate information security, not just the general business requirements for outsourcing;
• Creation of explicit shared strategic goals to align customer and service provider on information security and other aspects (e.g. a jointly-owned ‘relationship strategy’);
• Formal specification of important information security aspects (such as certified compliance with ISO/IEC 27001, compliance with ISO/IEC 27002, ISO/IEC 27005, ISO/IEC 27036 etc.) in contracts, Service Level Agreements etc.;
• Security management procedures, including those that may be jointly developed and operated such as risk analysis, security design, identity and access management, incident management and business continuity;
• Special controls to cater for unique risks such as testing and fallback arrangements associated with the transition/implementation stage when the supplier first takes up the information processes;
• Clear ownership, accountability and responsibility for the protection of valuable information assets, including security logs, audit records and forensic evidence;
• A ‘right of audit’ and other compliance controls, with penalties or liabilities in case of identified non-compliance, or bonuses for full compliance;
• ... and more.

Potentially the standard may cover the whole ‘outsourcing lifecycle’ namely:

1. Initiation - scoping, business case/cost-benefit analysis, comparison of insource versus outsource options as well as variant or hybrid approaches such as cosourcing;
2. Definition of outsourcing requirements including the information security requirements;
3. Procurement including selecting, evaluating and contracting with the service provider/s;
4. Transition to or implementation of the outsourcing arrangements, including any special controls needed to mitigate enhanced risks around the implementation period;
5. Operation including aspects such as routine relationship management, compliance, incident and change management etc.;
6. Refresh - an optional stage to renew the contract, perhaps reviewing the terms and conditions, performance, issues, working processes etc.;
7. Termination and exit i.e. exiting from an outsourcing relationship that has run its course in a controlled manner, perhaps leading back into step 1 to outsource again or bringing the services back in-house (insourcing).

”Outsourcing” in this context is not limited to ICT outsourcing but includes other forms such as outsourcing of HR, facilities management and other information-centric business processes having information security implications.

Note: whereas it was initially planned to have 5 parts, there are currently just the following 4.

ISO/IEC 27036-1: Overview and concepts (DIS)

Scope & purpose: part 1 introduces all parts of this standard, providing general background information and introducing the key terms and concepts in relation to information security in supplier-customer relationships.  It outlines a number of information security risks commonly arising from or relating to business relationships between customers (or rather ‘acquirers’) and suppliers.

 Status: nearly ready to publish.

ISO/IEC 27036-2: Requirements (DIS)

Scope & purpose: ”Part 2 specifies generic information security requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving supplier relationships within the context of the acquirer’s overall business risks and from perspectives of both acquirer and supplier.  There [The] requirements will serve as a baseline for creating and managing individual supplier relationships agreement[s] from an information security perspective, and can differ for different types of outsourcing. ... Outsourced products or services in the context of ISO/IEC 27036 standard part 2 cover manufacturing or assembly, business process outsourcing, knowledge process outsourcing or other outsourcing models such as Build-Operate-Transfer and cloud services.” [Quoted from the 1^st WD]

“ISO/IEC 27036 Part 2:

a) Specifies fundamental information security requirements for defining, implementing, operating, monitoring, reviewing, maintaining and improving supplier and acquirer relationships;

b) Facilitates to understand each other’s approach to information security and tolerance for information security risks;

c) Reflects the complexity of managing risks that can have information security impacts in supplier and acquirer relationships;

d) Is intended to be used by any organisation willing to evaluate the information security in supplier or acquirer relationships;

e) Is not intended for certification purposes” [despite having “Requirements” in the title]

 Status: nearly ready to publish.  New title.

ISO/IEC 27036-3: Guidelines for ICT supply chain security (DIS)

Scope & purpose: part 3 will cover the risk management aspects of the entire ICT (information and communications technology) supply chain* covering hardware, software and services from the perspectives of suppliers and customers (‘acquirers’).  It will cover global and geographically diverse suppliers, and cover integration of risk management with system and software lifecycle processes, drawing on ISO/IEC 15288, 12207 and 27002.

* Supply network might be a more technically accurate term, since ‘chain’ implies a linear sequence.

“ISO/IEC 27036 Part 3 provides guidelines to the acquirer and the supplier for managing information security risks specific to the ICT products and services supply chain.”

 Status: nearly ready to publish.

ISO/IEC 27036–4: Guidelines for security of cloud services (draft)

Cloud computing can be viewed as the outsourcing of information processing to external suppliers operating ‘in the cloud’.  However, it is not certain whether the cloud computing standards work by SC27 will create ISO/IEC 27036-4, a separate 3-part cloud information security standard, or both. 

Scope & purpose: part 4 will provide “guidelines for information security of cloud services throughout the supply chain from the perspective of both the acquirer and supplier of such services.  Specifically, it involves gaining visibility into and managing the information security risks associated with cloud services throughout the lifecycle.”

Alternatively, part 4 will provide “guidelines to the acquirer and the supplier for managing information security risks specific to the cloud services.”

Status: a draft is available to SC27.