ISO/IEC 27036-3:2013 — Supplier Relationships — Part 3: Guidelines for Information Security

A comprehensive guide to information security in supplier relationships

1. Overview and Scope of ISO/IEC 27036-3:2013

ISO/IEC 27036-3:2013 is part of the ISO/IEC 27036 series that addresses information security in supplier relationships. Specifically, this part provides guidelines for the acquisition of products and services from external suppliers, focusing on the information security risks that arise throughout the supplier relationship lifecycle. The standard applies to all types of organizations that need to protect their information assets when engaging with suppliers, regardless of industry sector or organization size.

A key principle of ISO/IEC 27036-3 is that information security requirements must be integrated into the acquisition process from the very beginning, not treated as an afterthought during contract negotiation or service delivery.

The standard covers the entire supplier relationship lifecycle: planning and preparation, supplier selection, contract agreement, operational delivery, and termination or transition. Each phase introduces specific information security considerations that organizations must address to maintain confidentiality, integrity, and availability of their information assets.

Lifecycle Phase          | Key Security Activities                          | Deliverables
-------------------------|--------------------------------------------------|------------------------------------------------
Planning & Preparation   | Risk assessment, security requirement definition | Information security requirements specification
Supplier Selection       | Security capability evaluation, due diligence    | Supplier security assessment report
Contract Agreement       | Security clauses definition, SLA negotiation     | Security addendum to contract
Operational Delivery     | Security monitoring, incident management         | Security performance reports, audit findings
Termination & Transition | Data return/deletion, access revocation          | Transition completion certificate

2. Supplier Security Classification and Risk-Based Approach

The standard advocates a risk-based approach where suppliers are classified according to the sensitivity of information they access and the criticality of services they provide. This classification directly determines the depth and rigor of security controls required. For example, a supplier handling personal data or intellectual property demands far stricter controls than one providing low-risk commoditized services.

Organizations often make the mistake of applying uniform security requirements to all suppliers. ISO/IEC 27036-3 explicitly recommends differentiated security controls based on the information security risk posed by each supplier relationship.

Supplier Classification Levels

The standard implies three broad classification levels. Level 1 suppliers handle public or low-sensitivity information and require baseline security controls. Level 2 suppliers access confidential business information and need enhanced controls including regular audits. Level 3 suppliers process highly sensitive data such as personal information under GDPR or trade secrets, demanding comprehensive controls including right-to-audit clauses and enforceable SLA penalties. Engineering teams should implement automated supplier risk scoring by mapping the data classification of assets shared with each supplier to these risk tiers, enabling scalable oversight across potentially hundreds of supplier relationships.

3. Engineering Design Insights and Implementation Guidance

For engineering practitioners, the most valuable contribution of ISO/IEC 27036-3 is its structured approach to embedding security into procurement and supplier management workflows. Instead of relying on manual assessments, leading organizations integrate the standard’s requirements into their Supplier Relationship Management (SRM) platforms. Key implementation patterns include automated security questionnaires that adapt based on supplier classification, continuous monitoring feeds from supplier security operations centers via standardized APIs, and contract management systems that enforce mandatory security exhibits before procurement orders can be released.
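The following is an added example (not text or code from ISO/IEC 27036-3, nor from any SRM product) that sketches the two engineering patterns described above: mapping the classification of shared assets and service criticality to the three supplier tiers, and using that tier to drive the questionnaire sections, review cadence and the contract exhibits that must be signed before a purchase order is released. The tier names and their associated controls follow this article's reading of the standard; the scoring rule (highest asset classification, bumped one tier for a high-criticality service), the exhibit and questionnaire names, the review intervals, and the sample suppliers are all assumptions constructed for the illustration.

```python
"""Supplier risk tiering and tier-driven procurement gates.

Added illustration only. Tier semantics follow the article; scoring weights,
section names, exhibit names and review intervals are assumed values.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date
from enum import IntEnum


class DataClass(IntEnum):
    """Data classification of an asset shared with a supplier (assumed scheme)."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3  # e.g. personal data under GDPR, trade secrets


class Criticality(IntEnum):
    """Business criticality of the service the supplier provides."""
    LOW = 0
    MEDIUM = 1
    HIGH = 2


@dataclass
class SharedAsset:
    name: str
    classification: DataClass


@dataclass
class Supplier:
    name: str
    assets: list[SharedAsset] = field(default_factory=list)
    service_criticality: Criticality = Criticality.LOW
    signed_exhibits: set[str] = field(default_factory=set)


# Highest data classification shared -> starting tier (assumed mapping).
_CLASS_TO_TIER = {DataClass.PUBLIC: 1, DataClass.INTERNAL: 1,
                  DataClass.CONFIDENTIAL: 2, DataClass.RESTRICTED: 3}

# Controls per tier, as the article characterises the three levels.
TIER_CONTROLS = {
    1: ["baseline security controls"],
    2: ["baseline security controls", "enhanced controls", "regular audits"],
    3: ["baseline security controls", "enhanced controls", "regular audits",
        "right-to-audit clause", "enforceable SLA penalties"],
}

# Review cadence in months: annual for the top tier, 2-3 years below (assumed split).
REVIEW_INTERVAL_MONTHS = {1: 36, 2: 24, 3: 12}

# Questionnaire section -> lowest tier that must answer it (assumed names).
QUESTIONNAIRE_SECTIONS = {
    "organisational": 1,
    "access_control": 1,
    "incident_management": 2,
    "audit_evidence": 2,
    "data_protection": 3,
    "subcontractor_flowdown": 3,
}

# Contract exhibits that must be signed before a PO may be released (assumed names).
REQUIRED_EXHIBITS = {
    1: {"security_baseline"},
    2: {"security_baseline", "audit_schedule"},
    3: {"security_baseline", "audit_schedule", "right_to_audit", "sla_penalties"},
}


def supplier_tier(s: Supplier) -> int:
    """Tier = most sensitive shared asset, raised one tier for a HIGH-criticality service."""
    highest = max((a.classification for a in s.assets), default=DataClass.PUBLIC)
    tier = _CLASS_TO_TIER[highest]
    if s.service_criticality is Criticality.HIGH:
        tier = min(tier + 1, 3)
    return tier


def questionnaire_sections(tier: int) -> list[str]:
    """Adaptive questionnaire: only sections whose threshold the tier meets."""
    return [sec for sec, min_tier in QUESTIONNAIRE_SECTIONS.items() if tier >= min_tier]


def missing_exhibits(s: Supplier) -> set[str]:
    return REQUIRED_EXHIBITS[supplier_tier(s)] - s.signed_exhibits


def po_release_allowed(s: Supplier) -> bool:
    """Procurement gate: no purchase order until every mandatory exhibit is signed."""
    return not missing_exhibits(s)


def next_review_due(s: Supplier, last_review_iso: str) -> str:
    """ISO date of the next review, last review plus the tier's interval in months."""
    last = date.fromisoformat(last_review_iso)
    total = last.month - 1 + REVIEW_INTERVAL_MONTHS[supplier_tier(s)]
    # Clamp the day to 28 so month arithmetic never lands on an invalid date.
    return date(last.year + total // 12, total % 12 + 1, min(last.day, 28)).isoformat()


def assess(s: Supplier) -> dict:
    tier = supplier_tier(s)
    return {"supplier": s.name, "tier": tier, "controls": TIER_CONTROLS[tier],
            "questionnaire": questionnaire_sections(tier),
            "missing_exhibits": sorted(missing_exhibits(s)),
            "po_release_allowed": po_release_allowed(s)}


if __name__ == "__main__":
    # Constructed sample suppliers, not real organisations.
    for sup in (Supplier("CDN vendor", [SharedAsset("marketing site", DataClass.PUBLIC)]),
                Supplier("Payroll SaaS", [SharedAsset("employee records", DataClass.RESTRICTED)],
                         Criticality.HIGH, {"security_baseline"})):
        print(assess(sup))
```

The scoring deliberately keys off the single most sensitive asset rather than an average, so adding one low-sensitivity data flow can never dilute a supplier's tier; the criticality bump captures availability risk that a pure data-classification view would miss.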

A well-implemented supplier security program based on ISO/IEC 27036-3 can reduce third-party security incidents by up to 60% according to industry benchmarks, while simultaneously accelerating supplier onboarding through standardized, risk-calibrated assessment workflows.

Another critical engineering insight is the importance of defining measurable security outcomes rather than prescriptive controls in supplier contracts. For instance, instead of requiring a specific firewall brand, specify that the supplier must demonstrate effective network segmentation with annual penetration test results meeting defined thresholds. This outcome-based approach accommodates supplier technology diversity while maintaining security assurance levels.

FAQs

Q: Does ISO/IEC 27036-3 apply to all suppliers regardless of size?
A: The standard applies to all supplier relationships, but the depth of assessment and controls should be proportional to the risk. A risk-based approach allows organizations to scale requirements appropriately.

Q: How does ISO/IEC 27036-3 relate to ISO/IEC 27001?
A: ISO/IEC 27036-3 provides specific guidance for implementing Supplier Relationship (A.15) controls within an ISMS based on ISO/IEC 27001. It operationalizes the high-level requirements of the management standard.

Q: What is the recommended frequency for supplier security reviews?
A: The standard recommends at least annual reviews for high-risk suppliers, with continuous monitoring where technically feasible. Lower-risk suppliers may be reviewed every 2-3 years.
