ISO/IEC 27036
ISO/IEC 27036 — IT Security — Security techniques — Information security for supplier relationships (DRAFT)

Scope

ISO/IEC 27036 will be a multi-part standard offering guidance on the evaluation and mitigation of security risks involved in the procurement and use of information or IT-related services supplied by other organizations.  It is planned to cover the following broad areas:

  • Strategic goals, objectives and business needs in relation to information security;
  • Information security risks and mitigation techniques;
  • Provision of assurance (and presumably compliance with contractual obligations etc.).

This standard may include the information security aspects of cloud computing - see the note on part 5 below.

Information security risks to be addressed by the standard

Information security risks associated with outsourcing information-related processes include:

  • Making the organization reliant, to some extent, on external providers, which complicates business continuity arrangements (both resilience and recovery);
  • Creating an ‘extended trust’ environment with shared responsibilities for information security;
  • Creating a shared responsibility for compliance with information security policies, standards, laws, regulations, contracts and other commitments/obligations;
  • Coordinating with the supplier/s to adapt to new/changed information security requirements;
  • ... and more [this is not a complete list - if there are further information security risks you think should be covered, please raise and discuss them on the ISO27k Forum].

Information security controls to be addressed by the standard

The controls outlined in sections 6.2 and 10.2 of ISO/IEC 27002:2005 do not cover the security of outsourcing comprehensively from a risk management perspective, especially where multiple outsourcing services providers are used or where providers change part-way through a contractual period.

The COSO framework may be helpful, plus other frameworks such as COBIT and ITIL/ISO 20000.

Recommended information security controls may include:

  • Relationship management controls covering the entire lifecycle of the relationships with external suppliers (see below);
  • Preliminary analysis, preparation of a sound business case, Invitation To Tender etc., taking into account the risks, controls, costs and benefits associated with maintaining adequate information security, not just the general business requirements for outsourcing;
  • Creation of explicit shared strategic goals to align customer and service provider on information security and other aspects (e.g. a jointly-owned ‘relationship strategy’);
  • Formal specification of important information security aspects (such as certified compliance with ISO/IEC 27001, compliance with ISO/IEC 27002, ISO/IEC 27005, ISO/IEC 27036 etc.) in contracts, Service Level Agreements etc.;
  • Security management procedures, including those that may be jointly developed and operated such as risk analysis, security design, identity and access management, incident management and business continuity;
  • Special controls to cater for unique risks such as testing and fallback arrangements associated with the transition/implementation stage when the supplier first takes up the information processes;
  • Clear ownership, accountability and responsibility for the protection of valuable information assets, including security logs, audit records and forensic evidence;
  • A ‘right of audit’ and other compliance controls, with penalties or liabilities in case of identified non-compliance, or bonuses for full compliance;
  • ... and more [this is not a complete list - if there are further information security controls you think should be covered, please raise and discuss them on the ISO27k Forum].

The standard may potentially cover the whole ‘outsourcing lifecycle’, namely:

  1. Initiation - scoping, business case/cost-benefit analysis, comparison of insource versus outsource options as well as variant or hybrid approaches such as cosourcing;
  2. Definition of outsourcing requirements including the information security requirements;
  3. Procurement including selecting, evaluating and contracting with the service provider/s;
  4. Transition to or implementation of the outsourcing arrangements, including any special controls needed to mitigate enhanced risks around the implementation period;
  5. Operation including aspects such as routine relationship management, compliance, incident and change management etc.;
  6. Refresh - an optional stage to renew the contract, perhaps reviewing the terms and conditions, performance, issues, working processes etc.;
  7. Termination and exit, i.e. exiting in a controlled manner from an outsourcing relationship that has run its course, perhaps leading back into step 1 to outsource again or bringing the services back in-house (insourcing).

“Outsourcing” in this context is not limited to ICT outsourcing but includes other forms such as outsourcing of HR, facilities management and other information-centric business processes having information security implications.

Status of the standard

Parts 1 and 2 of the standard are currently at WD stage, with release anticipated around the middle of 2012.  This might be possible for the part 1 overview but the rest will probably take longer, although there is pressure to release a cloud security standard as soon as practicable.  Several national bodies are actively engaged in developing the standard, and input has been received from the Information Security Forum in the form of their document “Information security for external suppliers: A common baseline”.

ISO/IEC 27036-1 - Overview and concepts

An updated working draft of Part 1 has been released to SC27.  The working title is “Information technology — Security techniques — Information security for supplier relationships — Part 1: Overview and concepts”.  There are several gaps awaiting further input.

ISO/IEC 27036-2 - Generic requirements

“[P]art 2 specifies generic information security requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving supplier relationships within the context of the acquirer’s overall business risks and from perspectives of both acquirer and supplier.  There [The] requirements will serve as a baseline for creating and managing individual supplier relationships agreement[s] from an information security perspective, and can differ for different types of outsourcing. ... Outsourced products or services in the context of ISO/IEC 27036 standard part 2 cover manufacturing or assembly, business process outsourcing, knowledge process outsourcing or other outsourcing models such as Build-Operate-Transfer and cloud services.” [Quoted from the 1st WD]

The first Working Draft has been released to SC27 for comment. 

ISO/IEC 27036-3 - Information and communication technology supply chain risk management

This part will cover risk management aspects for the entire ICT supply chain (supply network might be a more accurate term), covering hardware, software and services from the perspectives of suppliers and customers (‘acquirers’).  It will cover global and geographically diverse suppliers, and cover integration of risk management with system and software lifecycle processes, drawing on ISO/IEC 15288, 12207 and 27002.

The first Working Draft has been released to SC27 for comment.  It is in good shape for such an early stage which bodes well for this project.

ISO/IEC 27036-4 - Outsourcing

?

ISO/IEC 27036-5 - Cloud Computing 

Cloud computing can potentially be viewed as the outsourcing of information processing to external suppliers operating ‘in the cloud’.  However, it is currently unclear whether the cloud computing standards work will create ISO/IEC 27036-5, a separately numbered 3-part standard, or both.  Watch this space!

ISO/IEC 27036-6 - ??

Title and co-editor not yet determined.

Copyright © 2012 IsecT Ltd.