
ISO/IEC 27036-1

ISO/IEC 27036-1:2021 — Cybersecurity — Supplier relationships — Part 1: Overview and concepts

(second edition)

Abstract

ISO/IEC 27036 part 1 “is an introductory part of ISO/IEC 27036. It provides an overview of the guidance intended to assist organizations in securing their information and information systems within the context of supplier relationships. It also introduces concepts that are described in detail in the other parts of ISO/IEC 27036. [ISO/IEC 27036] addresses perspectives of both acquirers and suppliers.”


[ISO/IEC 27036-1:2021]

Introduction

ISO/IEC 27036 is a multi-part standard offering guidance on the management of information risks involved in the acquisition of IT products (goods and services) from suppliers.


The standards avoid referring to selling and buying, since the issues are much the same whether or not the transactions are commercial, e.g. when one part of an organisation or group acquires IT products from another, or uses free/open-source products.

Scope

Part 1 introduces all parts of this standard, providing general background information such as the key terms and concepts around information security in supplier relationships, including “any supplier relationship that can have information security implications, e.g. information technology, healthcare services, janitorial services, consulting services, R&D partnerships, outsourced applications (ASPs), or cloud computing services (such as software, platform, or infrastructure as a service).”

Structure

Main sections:

  • 5: Problem definition and key concepts

  • 6: Overall ISO/IEC 27036 structure and overview

Status

The first edition of part 1 was published and made available for free in 2014. 


The second edition was published in 2021 but is no longer free, unfortunately.

Commentary

Part 1 outlines a number of information risks commonly arising from or relating to business relationships between acquirers and suppliers, where goods/services acquired have an information content or information security relevance, or where the supplier gains access to the acquirer’s internal information. [The converse situation - i.e. acquirers gaining access to suppliers’ internal information - is not explicitly mentioned in part 1 but is noted in part 2.]


The standard primarily takes the perspective of the acquirer, covering the acquirer’s information security concerns that ought to be addressed in relationships with upstream suppliers. [The supplier’s information risks when supplying downstream customers, or in relationships with partners, are not explicitly covered e.g. disclosure and theft of sensitive intellectual property.]


Within the ISO27k information security standards, the products most obviously covered by ISO/IEC 27036 include:

  • IT outsourcing and cloud computing services;

  • Other professional services e.g. legal, accounting/tax and HR services, security guards, cleaners, delivery services (couriers), equipment maintenance/servicing, consulting and specialist advisory services, knowledge management, research and development, manufacturing, logistics, source code escrow and healthcare;

  • Provision of ICT hardware, software and services including telecommunications and Internet services;

  • Bespoke products and services where the acquirer specifies the requirements and may play an active role in the product design and development (as opposed to commodities and standard off-the-shelf products);

  • Electricity to power ICT equipment.

The ISO/IEC 27036 standards therefore could cover:

  • Strategic goals, objectives, business needs and compliance obligations in relation to information security, privacy and assurance when acquiring ICT-related or information products;

  • Information risks such as:

    • Acquirer’s reliance on providers, complicating the acquirer’s business continuity arrangements (both resilience and recovery);

    • Physical and logical access to and protection of second and third party information assets;

    • Creating an ‘extended trust’ environment with shared responsibilities for information security, or conversely applying the ‘zero trust’ approach in this context;

    • Creating a shared responsibility for conformity with information security policies, standards, laws, regulations, contracts and other commitments/obligations;

    • Coordination between supplier and acquirer to adapt or respond to new/changed information security requirements;

    • ... and more.

  • Information security controls such as:

    • Preliminary analysis, preparation of a sound business case, Invitation To Tender etc., taking into account the risks, controls, costs and benefits associated with maintaining adequate information security;

    • Creation of explicit shared strategic goals to align acquirer and provider on information security and other aspects (e.g. a jointly-owned ‘relationship strategy’);

    • Specification of important information security requirements (such as requiring that suppliers are ISO/IEC 27001 certified and/or use standards such as ISO27k) in contracts, Service Level Agreements etc.;

    • Security management procedures, including those that may be jointly developed and operated such as risk analysis, security design, identity and access management, incident management and business continuity;

    • Special controls to cater for unique risks (such as testing and fallback arrangements associated with the transition/implementation stage when an outsourcing supplier first provides services);

    • Clear ownership, accountability and responsibility for the protection of valuable information assets, including security logs, audit records and forensic evidence;

    • A ‘right of audit’ and other compliance/assurance controls, with penalties or liabilities in case of identified non-compliance, or bonuses for full compliance;

    • ... and more.

  • The entire relationship lifecycle:

    • Initiation - scoping, business case/cost-benefit analysis, comparison of insource versus outsource options as well as variant or hybrid approaches such as co-sourcing;

    • Definition of requirements including the information security requirements, of course;

    • Procurement including evaluating, selecting and contracting with supplier/s;

    • Transition to or implementation of the supply arrangements, with enhanced risks around the implementation period;

    • Operation including aspects such as routine relationship management, compliance, incident and change management, monitoring etc.;

    • Refresh - an optional stage to renew the contract, perhaps reviewing the terms and conditions, performance, issues, working processes etc.;

    • Termination and exit i.e. ending a business relationship that has run its course in a controlled manner, perhaps leading back to the start.

Some - but not all - of this is covered by ISO/IEC 27036, potentially leaving gaps to be filled by other standards plus corporate strategies, policies and procedures.

This page last updated:

2 November 2025

© 2025 IsecT Limited 
