ISO/IEC 27036-1:2021 — Supplier Relationships — Overview and Concepts

Foundational concepts for securing information and systems in supplier relationships

Modern organizations rely on an extensive ecosystem of suppliers,
vendors, and service providers. Each relationship introduces information
security risks that must be understood and managed. ISO/IEC 27036-1:2021
provides the foundational concepts and framework for managing information
security in supplier relationships, establishing a common language and
conceptual model that applies across the entire supply chain.

The 2021 edition (the second edition of Part 1) replaces ISO/IEC 27036-1:2014
and addresses modern supply chain challenges including cloud service
providers, managed security services, software supply chain attacks, and the
growing regulatory focus on third-party risk management.

Understanding Supplier Relationship Security

The standard defines a supplier relationship as any arrangement where
an organization (the acquirer) obtains products or services from a supplier
that could affect the security of the acquirer’s information or information
systems. This encompasses traditional outsourcing, cloud services, software
and hardware procurement, professional services, and any other form of
third-party engagement with security implications. The standard emphasizes
that security responsibility cannot be transferred — the acquirer retains
accountability for the protection of its information and systems, even when
suppliers are involved in processing or hosting.

A key concept introduced in the standard is the supplier relationship
lifecycle, which includes phases from strategic planning and supplier
selection through contract management, operational delivery, and eventual
termination or transition. Each phase presents distinct security
considerations and requires specific controls. The standard stresses that
security must be considered from the earliest stages of supplier engagement,
not bolted on after contracts are signed.

Lifecycle Phase     | Security Activities                                 | Key Deliverables
--------------------|-----------------------------------------------------|------------------------------------------------
Strategic Planning  | Risk assessment, security requirements definition   | Supplier security policy, risk register
Supplier Selection  | Security evaluation, due diligence, qualification   | Security assessment report, evaluation criteria
Contracting         | Security clauses, SLA definition, right to audit    | Security appendix to contract, SLA metrics
Operations          | Monitoring, incident management, access control     | Performance reports, incident logs, audit results
Termination         | Data return/deletion, transition planning           | Exit plan, data destruction certificate

Organizations that apply structured supplier security controls across the
full lifecycle are better placed to prevent third-party incidents and to
recover from those that do occur, because the contractual protections,
monitoring arrangements and exit provisions already exist when an incident
happens rather than having to be negotiated under pressure.

Key Concepts and the Supply Chain Risk Landscape

ISO/IEC 27036-1 identifies several critical concepts for supplier
relationship security. Supply chain risk encompasses
risks introduced through suppliers, their sub-suppliers, and the
interconnections between them. The standard highlights that modern supply
chains are complex, multi-tiered ecosystems where a vulnerability at any
level can propagate throughout the chain — as demonstrated by high-profile
software supply chain attacks. Dependency analysis is
essential to understand which supplier relationships are business-critical
and would cause significant harm if compromised or disrupted.

The standard also introduces the concept of security requirements
allocation: determining which security controls should be implemented by
the acquirer, which by the supplier, and which should be jointly managed.
This allocation must be documented and clearly understood by both parties.
The standard emphasizes the importance of considering the supplier’s own
supply chain (sub-suppliers, subcontractors), since security vulnerabilities
can be introduced through deeper tiers.
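The dependency analysis described above (which supplier relationships are business-critical, and how exposure propagates through sub-supplier tiers) and the tiered supplier classification the standard recommends can both be made concrete with a small graph walk. The following is an added example, not code from the standard or from any product: it models the acquirer's business services, their direct suppliers and each supplier's own sub-suppliers as a directed graph, then computes for every supplier at any tier which services transitively depend on it, its shortest tier distance from the acquirer, and a resulting tier. All service, supplier and impact values are constructed for illustration, and the scoring thresholds are an assumption to be replaced by the acquirer's own risk criteria.

```python
from collections import defaultdict, deque

# Constructed sample data (hypothetical names, not from the standard).
# Business services of the acquirer and the tier-1 suppliers each depends on.
SERVICE_DEPENDENCIES = {
    "customer-portal": ["CloudHostCo", "IdentityCo"],
    "payroll": ["PayrollSaaS"],
    "marketing-site": ["CmsVendor"],
}
# Business impact of losing each service, on an assumed 1 (low) .. 5 (severe) scale.
SERVICE_IMPACT = {"customer-portal": 5, "payroll": 4, "marketing-site": 1}
# Each supplier's own supply chain. Note the shared tier-2 dependency on CloudHostCo.
SUB_SUPPLIERS = {
    "CloudHostCo": ["DcPowerCo", "NetworkCarrier"],
    "IdentityCo": ["CloudHostCo"],
    "PayrollSaaS": ["CloudHostCo", "BankGateway"],
    "CmsVendor": [],
    "DcPowerCo": [],
    "NetworkCarrier": [],
    "BankGateway": [],
}

# Assumed tier thresholds on the supplier's score (max impact of affected services).
TIER_THRESHOLDS = ((4, "critical"), (2, "significant"), (0, "baseline"))


def tier_for(score):
    """Map a numeric exposure score to a supplier tier name."""
    for threshold, name in TIER_THRESHOLDS:
        if score >= threshold:
            return name
    return "baseline"


def classify_suppliers(service_deps, service_impact, sub_suppliers):
    """Breadth-first walk from each business service through its supplier chain.

    Returns, per supplier at any depth: the set of services that transitively
    depend on it, its shortest tier distance from the acquirer (1 = direct
    supplier), a score (highest impact among affected services) and a tier.
    A per-service visited set makes shared and circular sub-supplier links safe.
    """
    exposure = defaultdict(set)
    depth = {}
    for service, direct in service_deps.items():
        queue = deque((supplier, 1) for supplier in direct)
        seen = set()
        while queue:
            supplier, d = queue.popleft()
            if supplier in seen:
                continue  # already reached for this service (shared or cyclic link)
            seen.add(supplier)
            exposure[supplier].add(service)
            depth[supplier] = min(d, depth.get(supplier, d))
            queue.extend((sub, d + 1) for sub in sub_suppliers.get(supplier, ()))

    result = {}
    for supplier, services in exposure.items():
        score = max(service_impact[s] for s in services)
        result[supplier] = {
            "services": services,
            "depth": depth[supplier],
            "score": score,
            "tier": tier_for(score),
        }
    return result


def single_points_of_failure(classification, min_services=2):
    """Suppliers (any tier) whose compromise or outage would hit several services."""
    return sorted(
        name for name, rec in classification.items() if len(rec["services"]) >= min_services
    )


if __name__ == "__main__":
    report = classify_suppliers(SERVICE_DEPENDENCIES, SERVICE_IMPACT, SUB_SUPPLIERS)
    for name in sorted(report, key=lambda n: (-report[n]["score"], report[n]["depth"], n)):
        rec = report[name]
        print(f"{name:15} tier={rec['tier']:12} depth={rec['depth']} "
              f"services={sorted(rec['services'])}")
    print("single points of failure:", single_points_of_failure(report))
```

The instructive output is that DcPowerCo and NetworkCarrier, which the acquirer never contracts with directly, come out as critical because the highest-impact service depends on them through CloudHostCo; a classification based only on tier-1 contracts would rate them not at all. The same walk also surfaces CloudHostCo as a concentration risk shared by two services, which is the kind of finding that should drive flow-down clauses and audit rights toward specific sub-suppliers rather than blanket wording.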

A common misperception is that using a large, well-known supplier eliminates
security risk. In reality, the scale and complexity of large suppliers can
introduce unique risks, and the “shared responsibility” model in cloud
services often leaves critical gaps when not properly understood and
documented.

Framework for Managing Supplier Security

The standard provides a comprehensive framework that integrates supplier
relationship security into an organization’s overall ISMS (Information
Security Management System). The framework includes: governance (policies,
roles, responsibilities, and oversight for supplier security), risk
management (identification, assessment, and treatment of supplier-related
information security risks), operational controls (day-to-day security
management activities for supplier relationships), and performance
evaluation (monitoring, measurement, audit, and review of supplier security
performance).

The framework emphasizes proportionality — the depth and rigor of security
activities should be commensurate with the risk posed by each supplier
relationship. A low-risk supplier providing non-critical services may require
only baseline controls, while a high-risk supplier with access to sensitive
data or critical systems requires comprehensive assessment, continuous
monitoring, and robust contractual protections. The standard recommends
tiered supplier classification as a foundational practice.

Frequently Asked Questions

Q: How does ISO/IEC 27036-1 relate to ISO/IEC 27001?
A: ISO/IEC 27036-1 supplies the concepts and vocabulary behind the supplier
relationship controls in ISO/IEC 27001 (A.5.19 to A.5.23 in the 2022
edition); the other parts of ISO/IEC 27036 carry the detailed requirements
and guidance. Organizations using 27001 as their ISMS framework should
reference the 27036 series for best-practice supplier security management.
Q: Does this standard apply to all suppliers equally?
A: No. The standard advocates a risk-based, tiered approach. Suppliers
handling sensitive data, providing critical services, or with access to
production systems require more rigorous security management than suppliers
of low-risk, commoditized products or services.
Q: How should sub-supplier risks be addressed?
A: The standard requires that acquirers consider the supplier’s own supply
chain. This can be addressed through contractual requirements (requiring
suppliers to flow down security requirements to sub-suppliers), supplier
attestations regarding their supply chain management, and audit rights
that extend to critical sub-suppliers.
Q: What are the key changes in the 2021 edition?
A: The 2021 edition adds guidance on cloud service provider relationships,
software supply chain security (including CI/CD pipeline risks), managed
security service provider considerations, and expanded guidance on supply
chain resilience and business continuity integration.
