ISO/IEC 27036-2:2014 — Supplier Relationships — Requirements

Security requirements for defining, implementing, and managing supplier relationships

While ISO/IEC 27036-1 provides concepts and an overview framework,
ISO/IEC 27036-2:2014 defines the specific requirements for establishing,
implementing, and maintaining information security in supplier relationships.
This requirements standard is designed for use by both acquirers (organizations
procuring products or services) and suppliers (organizations providing products
or services), providing a common set of expectations that can be incorporated
into contracts and service agreements.

Although published in 2014, the requirements in 27036-2 remain highly relevant
as they are technology-neutral and focused on fundamental supplier security
governance principles that transcend specific technical environments.

Defining Security Requirements for Supplier Relationships

The standard requires that organizations define information security
requirements for supplier relationships based on a systematic risk
assessment. These requirements must address: the type of relationship
(product supply, service provision, outsourcing), the sensitivity and
criticality of the information and systems involved, the applicable legal
and regulatory obligations, and the business impact of potential security
failures. Requirements must be documented, reviewed, and agreed upon by both
parties before the relationship commences.

Key requirements categories defined in the standard include:
access control (who can access what, under what conditions),
personnel security (screening, training, confidentiality agreements),
physical and environmental security (facilities protection for supplier
operations), incident management (detection, reporting, and response
obligations), business continuity and disaster recovery (resilience
requirements and testing), compliance and audit (right to audit, reporting
obligations), and information handling (classification, storage,
transmission, and disposal).

Requirement Domain    | Specific Requirements                                        | Verification Method
----------------------|--------------------------------------------------------------|----------------------------------------
Access Control        | Need-to-know access, authentication, authorization, review   | Access reviews, audit logs
Personnel Security    | Background checks, security training, NDAs                   | Training records, signed agreements
Incident Management   | Detection capability, reporting timelines, cooperation       | Incident reports, post-incident reviews
Business Continuity   | BCP/DRP documentation, testing, recovery objectives          | Test results, BCP reviews
Compliance & Audit    | Right to audit, evidence of compliance, remediation          | Audit reports, remediation plans
Information Handling  | Classification, secure storage, transmission, disposal       | Data flow mapping, disposal certificates

A common gap in supplier security requirements is the lack of specificity.
Generic requirements like “supplier shall maintain appropriate security”
are insufficient for contractual enforcement. The standard emphasizes
that requirements must be specific, measurable, and verifiable.

Requirements Across the Acquisition Lifecycle

ISO/IEC 27036-2 maps requirements to the acquisition lifecycle phases.
During planning and risk assessment, the acquirer must identify and
evaluate information security risks associated with the proposed supplier
relationship. During supplier selection and evaluation, security capability
must be a formal evaluation criterion. During contracting, security
requirements must be incorporated into legally binding agreements with
provisions for monitoring, audit, and remedies for non-compliance.

During operations and monitoring, the acquirer must
establish processes for ongoing oversight of supplier security performance,
including regular security assessments, monitoring of security events,
and management of changes (to the supplier’s environment, personnel,
sub-suppliers, or processes). During change and transition,
requirements address both planned changes (upgrades, migrations) and
unplanned changes (incidents, supplier financial distress). During
termination, requirements cover secure return or
destruction of information, transition of services, and post-termination
obligations.

A well-structured requirements framework benefits both parties: acquirers
gain predictable security outcomes, while suppliers benefit from clear,
consistent expectations that can be operationalized efficiently across
multiple customer relationships.

Monitoring and Continuous Improvement

The standard goes beyond initial requirements definition to address
ongoing monitoring and continuous improvement. Acquirers must establish
processes to: monitor supplier compliance with security requirements
(through reports, assessments, and audits), track and respond to security
incidents involving the supplier, review and update requirements as risks
and threats evolve, and conduct periodic reviews of the supplier
relationship's continuing business case and risk profile.

Importantly, the standard requires that monitoring activities be
proportionate to risk. High-risk relationships warrant more frequent and
more intrusive monitoring (including on-site audits, penetration testing,
and continuous security monitoring), while low-risk relationships may
be managed through periodic self-assessments and contractual reporting.
The standard also recommends that organizations maintain a supplier
security scorecard program to provide an aggregated view of supplier
risk posture and track improvement over time.

Frequently Asked Questions

Q: Is ISO/IEC 27036-2 certifiable?
A: Unlike ISO/IEC 27001, ISO/IEC 27036-2 is a requirements standard for
supplier relationship security management, but it is not currently a
standalone certification scheme. Its requirements are typically assessed
as part of an overall ISO/IEC 27001 audit or through supplier-specific
security assessments.

Q: How does this standard address cloud service providers?
A: While cloud-specific guidance is covered more extensively in other
standards (like ISO/IEC 27017 and 27018), ISO/IEC 27036-2's requirements
framework applies to all supplier types including cloud services. Key
requirements around access control, data handling, incident management,
and right to audit are particularly relevant for cloud relationships.

Q: What is the right to audit and why is it important?
A: The right to audit is a contractual provision that allows the acquirer
(or a nominated third party) to verify the supplier's compliance with
security requirements through assessments, audits, or inspections. It is
important because it provides independent verification beyond the supplier's
self-reported compliance. The standard recommends that the right to audit
be included in all high-risk and medium-risk supplier contracts.

Q: How should requirement changes be managed during a contract?
A: The standard recommends a formal change management process that addresses
security requirement updates triggered by: changes in the threat landscape,
regulatory changes, incidents or lessons learned, changes in supplier
subcontractors or infrastructure, and changes in the acquirer's risk
appetite or business context. Changes should be documented, risk-assessed,
and agreed upon through contract amendment procedures.
