ISO IEC 27036-1-2021.docx

INTERNATIONA1.STANDARDISO/IEC27036-1editionSecond2021-09CybersecuritySupp1.ierre1.ationships一iewandconceptsCybersecuriteRe1.ationsavecIefurnisseurPartie1:Aperugra1.etconceptsReferencenumberISO/IEC27036-1.:2021(E)CISO/IEC2021COPYRIGHTPROTECTEDDOCUMENT©IS0/1EC2021M11c<hefivdi1.itedotherwise*ri快ChBxXniEX1.msitRiDhmw;Itmiihr<1.ij1.trfvx>CoPwnR.pnttjuiionpostingontheinternetoranInunnu1.withoutpriorwrittenpermission.PermissioncanberequestedfromeitherISOatt1.½addressbe1.oworISO*smemberhodyinthecountryofth<?rrcucstcr.三cB1.andonnct8r,GenevaPhone:t41227490111辆jtc:用洲部砾o.orgPub1.ishedinSwitzer1.andContentsForewordivIntroduction.2 Scope3 Normativereferences4 Termsanddefinitions5 Sy1.nbOiSandabbreviatedterms.Prob1.emdefinitionandkeyconceptsMotivesforestab1.ishingsupp1.ierre1.ationshipsTyPeSofsupp1.ierre1.ationships3444S.2.1Supp1.ierre1.ationshipsforproducts5.2.3 ICTsupp1.ychain5.2.4 C1.oudcomputing.§4用为nit能那躺曲醺ity融版ierii三8hip国赤那蝌梅threats6551C*SUPP1.yChainOOnSIde1.9Overa1.1.1S0/IEC27036structureandoverview106.1 Purposeandstructure106.2 OvemewofISO/IEC27036-1:Overviewandconcepts106.3 OverviewofISO/IEC27036-2:Requirements-106.4 Guide1.inesforinformationandcommunicationtechno1.ogy(ICT)supp1.ychainsecurity116.5 OverviewofISO/IEC27036-4：Guide1.inesforsecurityofc1.oudservices11Bib1.iography一MaMmuaa_MMMMMBMM“一12ForewordISO(theInternationa1.OrganizationforStandardization)andIEC(theInternationa1.E1.ectrotechnica1.GwnibcrsOfiJSOrm1.H6<5pactHd(S那而UAWHoPWWfcf1.otMandamdgion.StNnderddtghtechniMbcommitteesestab1.ishedbytherespectiveorganizationtodea1.withparticu1.arfie1.dsoftechnica1.activity.ISOandIECmitteesco1.1.aborateinfie1.dsofmutua1.interestOtherinternationa1.W仞恋胡用rg胭Fftf*VH电热RMift由温搐版就Sheda掂瓜/r?J1.w1.ee,1SOIECTC1.Internationa1.Standardsaredraftedinaccordancewiththeru1.esgivenintheISO/IECDirectives,Part2.TmitteeistoprepareInternationa1.Standards.DraftInternationa1.Smitteearecircu1.atedtonationa1.bodiesforvoting.PfjMtionv,anInternationa1.Standardrequiresapprova1.byat1.east75%ofthenationa1.bodiesAttentionisdrawntothepossibi1.itythatsomeofthee1.ementsofthisdocumentmaybethesubjectofpatentrights.ISOandIECsha1.1.notbehe1.dresponsib1.eforidentifyinganyora1.1.suchpatentrights.ISO/IEC27036-1waspreparedbyJointTechnica1.CommitteeISO/IECJTC1,Informationtechno1.ogy.SubcommitteeSC27.Informationsecurity,cybersecurity,andphvac),protection.3(SKeMUt!i!)iW1.ft1.ft.andrep1.acesthefirstedition(ISO/IEC27036-1:2014),ofwhichthisThemainchangescomparedtothepreriouseditionareasfo1.1.ows: changeoftit1.e; revisionofC1.ause2; a1.ignmentwithdraftingru1.es; ISO/IEC27036(a1.1.parts)addedinBib1.iography.A1.istofa1.1.partsintheISO/IEC27036seriescanbefoundontheISOwebsiteIntroductionre1.ationshipswithsupp1.iersofdifferentkindsthatde1.iverproductsorservices.informationoftheinformationwhenprocessing.controbkquirersmonitorProdUaionPhySiCa1.deIiVeryIogiCa1.PrOCeSSeStotheThUs,acquirerstreatedsupp1.ierscanacquirerinformationorganizationsthroughappropriatemanagementeffective1.y1.nternationa1.informationsecurityinherentmanagingre1.ationships.re1.ationshipsinordertosupp1.ierre1.ationshipsthataredescribedasgenera1.recommendationsin1SOIEC27002.consu1.tingsoftware,p1.atform,infrastructureoutsourcedapp1.ications(ASPs),orc1.oudcomputingservicesexpectedre1.ationshipadequate1.yrequirementstheandinformationsecuritydocument.Furthermore,processesobjectives.supportintermsofinformationsecurityaswe1.1.astheaccomp1.ishmentof/IEC2021-A1.1.nghtsreservedMost(ifnota1.1.)organizationsaroundthewor1.d,whatevertheirsizeordomainsofactivities,haveSuchsupp1.ierscanhaveeitheradirectorindirectaccesstotheinformationandinformationsystemsoftheacquirer,orwi1.1.providee1.ements(software,hardware,processes,orhumanresources)thatwi1.1.beinvo1.vedinsupp1.iertheyorcana1.sohaveandandaccessofsupp1.ier.beassessedandandbybothcauseandsupp1.iersecurityriskseachother.Theserisksneedtoofinformationsecurityandtheimp1.ementationofre1.evantcontro1.s.Inmanyinstances,organizationshaveadoptedISO/IEC27001andISO1EC27002forthemanagementoftheirinformationsecurity.Suchcontro1.theStandardsshou1.da1.soHerisksadoptedthosesupp1.ierThisdocumentprovidesfurtherdetai1.edimp1.ementationguidanceonthecontro1.sdea1.ingWithvSupp1.ierre1.ationshipsinthecontextofthisdocumentinc1.udeanysupp1.ierre1.ationshipthatcanhaveinformationsecurityimp1.ications,e.g.informationtechno1.ogy,hea1.thcareServicesJanitoriaIservices.(suchasservices,R&DOrpartnerships,asaservice).Boththesupp1.ierandacquirershou1.dtakeresponsibi1.ityforachievingtheobjectivesinthesupp1.ier-isacquirertheyandimp1.ementtheaddressingguide1.inesofthisrisksthatCanoccur.It