
ISO/IEC 27036-2

ISO/IEC 27036-2:2022 — Cybersecurity — Supplier relationships — Part 2: Requirements

(second edition)

Abstract

ISO/IEC 27036 part 2 “specifies fundamental information security requirements for defining, implementing, operating, monitoring, reviewing, maintaining and improving supplier and acquirer relationships. These requirements cover any procurement and supply of products and services, such as manufacturing or assembly, business process procurement, software and hardware components, knowledge process procurement, build-operate-transfer and cloud computing services ... To meet the requirements, it is expected that an organization has internally implemented a number of foundational processes or is actively planning to do so [such as] business management, risk management, operational and human resources management, and information security.”


[Source: ISO/IEC 27036-2:2022]

Introduction

The controls recommended in part 2 cover various aspects of governance and business management (e.g. operations, HR management, IT management, relationship management, metrics) as well as information risk management (e.g. information risk analysis and treatment, security controls specification, security architecture/design, strategy).

Scope

Part 2 specifies fundamental information security requirements pertaining to business relationships between suppliers and acquirers of various products (goods and services). It helps both parties reach a common understanding of the associated information risks and treat them accordingly, to their mutual satisfaction.


The introduction explicitly states that part 2 is not intended for certification, despite “Requirements” in its title and “shall” throughout its content [both are normally reserved terms under ISO's drafting rules, signalling mandatory provisions].

Structure

Main sections:

  • 6: Information security in supplier relationship management

  • 7: Information security in a supplier relationship instance

  • Annex A: Correspondence between ISO/IEC/IEEE 15288 and this document

  • Annex B: Correspondence between ISO/IEC 27002 controls and this document

  • Annex C: Objectives from Clauses 6 and 7

Status

The first edition of part 2 was published in 2014.

Following changes in ISO/IEC 15288, the second edition was published in 2022.

Commentary

Although this is not intended to be a certifiable standard (one whose formally-specified requirements are mandatory for certification), wording such as “The following minimum activities shall be executed by the acquirer to meet the objective defined at [a specific clause]” leaves little latitude for organisations to interpret, adapt and apply the standard to their particular business situations and needs, despite an explanatory note:

“The user of [ISO/IEC 27036-2] needs to correctly interpret each of the forms of the expression of provisions (e.g. “shall”, “shall not”, “should” and “should not”) as being either requirements to be satisfied or recommendations where there is a certain freedom of choice.”


It comes down to the business and legal arrangements in place between supplier and acquirer as to how much ‘freedom of choice’ there is in interpreting and applying this standard. In the absence of explicit, perfectly worded, unambiguous and binding contractual clauses, lawyers smile wryly and rub their hands together ...

This page last updated:

2 November 2025

© 2025 IsecT Limited 
