National foreword

This British Standard is the UK implementation of ISO/IEC 27036‑3:2023. It supersedes BS ISO/IEC 27036‑3:2013, which is withdrawn.

The UK participation in its preparation was entrusted to Technical Committee IST/33/4, Security Controls and Services.

A list of organizations represented on this committee can be obtained on request to its committee manager.

Contractual and legal considerations

This publication has been prepared in good faith, however no representation, warranty, assurance or undertaking (express or implied) is or will be made, and no responsibility or liability is or will be accepted by BSI in relation to the adequacy, accuracy, completeness or reasonableness of this publication. All and any such responsibility and liability is expressly disclaimed to the full extent permitted by the law.

This publication is provided as is, and is to be used at the recipient’s own risk.

The recipient is advised to consider seeking professional guidance with respect to its use of this publication.

This publication is not intended to constitute a contract. Users are responsible for its correct application.

Compliance with a British Standard cannot confer immunity from legal obligations.

This British Standard was published under the authority of the Standards Policy and Strategy Committee on 30 June 2023.

Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work.

The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types of document should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives or www.iec.ch/members_experts/refdocs).

ISO and IEC draw attention to the possibility that the implementation of this document may involve the use of (a) patent(s). ISO and IEC take no position concerning the evidence, validity or applicability of any claimed patent rights in respect thereof. As of the date of publication of this document, ISO and IEC had not received notice of (a) patent(s) which may be required to implement this document. However, implementers are cautioned that this may not represent the latest information, which may be obtained from the patent database available at www.iso.org/patents and https://patents.iec.ch. ISO and IEC shall not be held responsible for identifying any or all such patent rights.

Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.

For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO's adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see www.iso.org/iso/foreword.html. In the IEC, see www.iec.ch/understanding-standards.

This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, Information security, cybersecurity, and privacy protection.

This second edition cancels and replaces the first edition (ISO/IEC 27036‑3:2013), which has been technically revised.

The main changes are as follows:

the structure and content have been aligned with the most recent version of ISO/IEC/IEEE 15288;
former Annex A has been removed;
Annex B has been added.

A list of all parts in the ISO/IEC 27036 series can be found on the ISO and IEC websites.

Any feedback or questions on this document should be directed to the user’s national standards body. A complete listing of these bodies can be found at www.iso.org/members.html and www.iec.ch/national-committees.

Introduction

Hardware and software products and information technology services are developed, integrated, and delivered globally through deep and physically dispersed supply chains. The supply chain can be a point-to-point or a many-to-many structure and can also be referred to as a supply network. Hardware and software are assembled from many components provided by many suppliers. Information technology services throughout the entire supplier relationship are also delivered through multiple tiers of outsourcing and supply chaining. Acquirers do not have visibility into the practices of hardware, software, and service providers beyond first or possibly second link of the supply chain. With the substantial increase in the number of organizations and people who “touch” a hardware, software, or service, the visibility into the practices by which these products and services are put together has decreased dramatically. This lack of visibility, transparency, and traceability into the hardware, software and service supply chain poses risks to acquiring organizations.

This document provides guidance to hardware, software and service acquirers and suppliers to reduce or manage information security risk. This document identifies the business case for hardware, software, and service supply chain security, specific risks and relationship types, as well as how to develop an organizational capability to manage information security aspects and incorporate a life cycle approach to manage risks supported by specific controls and practices. Its application is expected to result in:

increased hardware, software, and services supply chain visibility and traceability to enhance information security capability;
increased understanding by the acquirers of where their products or services are coming from, and of the practices used to develop, integrate, or operate these products or services, to enhance the implementation of information security requirements;
in case of an information security compromise, the availability of information about what may have been compromised and who the involved actors may be.

This document is intended to be used by all types of organizations that acquire or supply hardware, software, and services. The guidance is primarily focused on the initial link of the first acquirer and supplier, but the principal steps should be applied throughout the chain, starting when the first supplier becomes an acquirer. This change of roles and applying the same steps for each new acquirer-supplier link in the chain is the essential intention of this document. By following this document, information security implications can be communicated among organizations in the chain. This helps identify information security risks and their causes, and may enhance the transparency throughout the chain. Information security concerns related to supplier relationships cover a broad range of scenarios. Organizations desiring to improve trust within their hardware, software, and services supply chain should define their trust boundaries. They should evaluate the risk associated with their supply chain activities, and then define and implement appropriate risk identification and mitigation techniques to reduce the vulnerabilities being introduced through their hardware, software and services supply chain.

The framework and controls outlined in ISO/IEC 27001 and ISO/IEC 27002 provide a useful starting point for identifying appropriate requirements for acquirers and suppliers. The ISO/IEC 27036 series provides further detail on how to establish and monitor supplier relationships. This document has been structured to be harmonized with ISO/IEC/IEEE 15288 and ISO/IEC/IEEE 12207.

1 Scope

This document provides guidance for product and service acquirers, as well as suppliers of hardware, software and services, regarding:

gaining visibility into and managing the information security risks caused by physically dispersed and multi-layered hardware, software, and services supply chains;
responding to risks stemming from this physically dispersed and multi-layered hardware, software, and services supply chain that can have an information security impact on the organizations using these products and services;
integrating information security processes and practices into the system and software life cycle processes, as described in ISO/IEC/IEEE 15288 and ISO/IEC/IEEE 12207, while supporting information security controls, as described in ISO/IEC 27002.

This document does not include business continuity management/resiliency issues involved with the hardware, software, and services supply chain. ISO/IEC 27031 addresses information and communication technology readiness for business continuity.

2 Normative references

3 Terms and definitions

4 Structure

5 Key concepts

5.1 Business case for hardware, software, and services supply chain security

5.2 Hardware, software, and services supply chain risks and associated threats

5.3 Acquirer and supplier relationship types

5.4 Organizational capability

5.5 System life cycle processes

5.6 ISMS processes in relation to system life cycle processes

5.7 ISMS controls in relation to hardware, software, and services supply chain security

5.8 Essential hardware, software, and services supply chain security practices

6 Hardware, software, and services supply chain security in life cycle processes

6.1 Agreement processes

6.2 Organizational project-enabling processes

6.3 Technical management processes

6.4 Technical processes

Bibliography

BS ISO/IEC 27036-3:2023

Cybersecurity. Supplier relationships - Guidelines for information and communication technology supply chain security

Current

Published:

30 Jun 2023