
ISO/IEC 27036-3

ISO/IEC 27036-3:2023 — Cybersecurity — Supplier relationships — Part 3: Guidelines for hardware, software, and services supply chain security

(second edition)

Abstract

ISO/IEC 27036 part 3 “provides guidance for product and service acquirers, as well as suppliers of hardware, software and services, regarding:

a) gaining visibility into and managing the information security risks caused by physically dispersed and multi-layered hardware, software, and services supply chains;

b) responding to risks stemming from this physically dispersed and multi-layered hardware, software, and services supply chain that can have an information security impact on the organizations using these products and services;

c) integrating information security processes and practices into the system and software life cycle processes, as described in ISO/IEC/IEEE 15288 and ISO/IEC/IEEE 12207, while supporting information security controls, as described in ISO/IEC 27002.


[ISO/IEC 27036-3] does not include business continuity management/resiliency issues involved with the hardware, software, and services supply chain. ISO/IEC 27031 addresses information and communication technology readiness for business continuity.” 


[Source: ISO/IEC 27036-3:2023]

Introduction

Part 3 guides both suppliers and acquirers of IT products (goods and services) on information risk management relating to complex supply chains, including risks such as malware and counterfeit products plus ‘organisational risks’, and the integration of information risk management into IT development lifecycles.

Scope

Part 3 concerns a wide range of security controls for IT supply chains, such as:

  • Assurance;

  • Avoiding the gray market;

  • Chain of custody (provenance and Software Bill of Materials);

  • Code assessment and verification;

  • Compliance management;

  • Configuration and change management;

  • Defined security expectations (specifications);

  • HR management;

  • IT implementation and transition;

  • IT integration;

  • ... and more.


Most of these controls are covered in general terms by ISO/IEC 27002: this standard provides additional guidance on applying them in the context of supplying and acquiring IT products, for example maintaining a detailed SBoM (defined as an “inventory of software components, sub-components and dependencies with associated information”) so that vulnerabilities and patches can be tracked even in obscure library functions buried deep within end products.
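As an added illustration, not taken from the standard or from this page, the following Python walks a constructed, CycloneDX-style SBoM (a simplified subset of the CycloneDX "components" and "dependencies" fields) to find every dependency chain from a product down to a component named in an advisory, however deeply it is nested; the component names, versions and the "affected" reference are made up for the example.

```python
import json

# Constructed sample inventory in a simplified CycloneDX-style layout; component names,
# versions and the "affected" reference used below are made up for illustration.
SAMPLE_SBOM = json.dumps({
    "components": [
        {"bom-ref": "app@2.1.0", "name": "app", "version": "2.1.0"},
        {"bom-ref": "webfw@5.3.1", "name": "webfw", "version": "5.3.1"},
        {"bom-ref": "httpclient@1.9.0", "name": "httpclient", "version": "1.9.0"},
        {"bom-ref": "compress@0.4.2", "name": "compress", "version": "0.4.2"},
        {"bom-ref": "logger@3.0.0", "name": "logger", "version": "3.0.0"},
    ],
    "dependencies": [
        {"ref": "app@2.1.0", "dependsOn": ["webfw@5.3.1", "logger@3.0.0"]},
        {"ref": "webfw@5.3.1", "dependsOn": ["httpclient@1.9.0"]},
        {"ref": "httpclient@1.9.0", "dependsOn": ["compress@0.4.2"]},
        {"ref": "compress@0.4.2", "dependsOn": []},
        {"ref": "logger@3.0.0", "dependsOn": []},
    ],
})

def load_graph(sbom_json):
    """Parse the SBoM into {ref: [direct dependency refs]}; an undeclared ref means the inventory is incomplete."""
    bom = json.loads(sbom_json)
    declared = {c["bom-ref"] for c in bom["components"]}
    graph = {d["ref"]: list(d["dependsOn"]) for d in bom["dependencies"]}
    referenced = set(graph) | {t for targets in graph.values() for t in targets}
    undeclared = referenced - declared
    if undeclared:
        raise ValueError(f"SBoM references undeclared components: {sorted(undeclared)}")
    return graph

def exposure_paths(graph, root, affected):
    """Every chain from `root` down to a ref in `affected` (refs named in an advisory), however deep."""
    found = []
    def walk(node, path):
        path = path + [node]
        if node in affected:
            found.append(path)
        for child in graph.get(node, []):
            if child not in path:  # a ref already on the path is not revisited: guards against cycles
                walk(child, path)
    walk(root, [])
    return found

def affected_products(sbom_json, roots, affected):
    """Map each top-level product ref to its exposure chains ([] means not exposed)."""
    graph = load_graph(sbom_json)
    return {root: exposure_paths(graph, root, affected) for root in roots}
```

The depth of the returned chain shows how far the vulnerable component is from anything the acquirer sees directly, which is exactly the case the SBoM is meant to make visible.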


The bulk of the standard provides information security guidance for ICT suppliers and acquirers, as a set of processes for each stage of the typical ICT system lifecycle.


Annexes reference applicable clauses from ISO/IEC 27002:2022 and describe the essential elements of an SBoM.

Structure

Main sections:

  • 5: Key concepts

  • 6: Hardware, software, and services supply chain security in life cycle processes

  • Annex A: Correspondence between the controls in ISO/IEC 27002 and this document

  • Annex B: Essential elements of a software bill of materials

Status

The first edition of part 3 was published in 2013.


The second edition was published in 2023.

Commentary

The standard is myopically focused on IT, e.g. it concerns IT services specifically, rather than professional services in general, even though they often have significant information content and substantial information risks. Organisations should therefore consider their supply chain information risks broadly (e.g. theft of intellectual property, misrepresentation, misappropriation, fraud ...) as well as commercial, financial and other kinds of risks (including business continuity aspects such as supply chain disruptions).


Aside from supplier-acquirer relationships, information risks associated with business partners may also be of concern, where multiple organisations combine their efforts in the production process - for example, the use of contractors on an IT production line. There may be yet more information risks in the logistics parts of the supply chain, plus related services such as installation, configuration, support and maintenance of IT equipment, commercial data centre facilities, communications services and more.

This page last updated: 2 November 2025

© 2025 IsecT Limited 

 
