ISO IEC 27036-1-2021.docx

INTERNATIONA1.STANDARDISO/IEC27036-1editionSecond2021-09CybersecuritySupp1.ierre1.ationships一iewandconceptsCybersecuriteRe1.ationsavecIefurnisseurPartie1:Aperugra1.etconceptsReferencenumberISO/IEC27036-1.:2021(E)CISO/IEC2021COPYRIGHTPROTECTEDDOCUMENT©IS0/1EC2021M11c<hefivdi1.itedotherwise*ri快ChBxXniEX1.msitRiDhmw;Itmiihr<1.ij1.trfvx>CoPwnR.pnttjuiionpostingontheinternetoranInunnu1.withoutpriorwrittenpermission.PermissioncanberequestedfromeitherISOatt1.½addressbe1.oworISO*smemberhodyinthecountryofth<?rrcucstcr.三cB1.andonnct8r,GenevaPhone:t41227490111辆jtc:用洲部砾o.orgPub1.ishedinSwitzer1.andContentsForewordivIntroduction.2 Scope3 Normativereferences4 Termsanddefinitions5 Sy1.nbOiSandabbreviatedterms.Prob1.emdefinitionandkeyconceptsMotivesforestab1.ishingsupp1.ierre1.ationshipsTyPeSofsupp1.ierre1.ationships3444S.2.1Supp1.ierre1.ationshipsforproducts5.2.3 ICTsupp1.ychain5.2.4 C1.oudcomputing.§4用为nit能那躺曲醺ity融版ierii三8hip国赤那蝌梅threats6551C*SUPP1.yChainOOnSIde1.9Overa1.1.1S0/IEC27036structureandoverview106.1 Purposeandstructure106.2 OvemewofISO/IEC27036-1:Overviewandconcepts106.3 OverviewofISO/IEC27036-2:Requirements-106.4 Guide1.inesforinformationandcommunicationtechno1.ogy(ICT)supp1.ychainsecurity116.5 OverviewofISO/IEC27036-4：Guide1.inesforsecurityofc1.oudservices11Bib1.iography一MaMmuaa_MMMMMBMM“一12ForewordISO(theInternationa1.OrganizationforStandardization)andIEC(theInternationa1.E1.ectrotechnica1.GwnibcrsOfiJSOrm1.H6<5pactHd(S那而UAWHoPWWfcf1.otMandamdgion.StNnderddtghtechniMbcommitteesestab1.ishedbytherespectiveorganizationtodea1.withparticu1.arfie1.dsoftechnica1.activity.ISOandIECmitteesco1.1.aborateinfie1.dsofmutua1.interestOtherinternationa1.W仞恋胡用rg胭Fftf*VH电热RMift由温搐版就Sheda掂瓜/r?J1.w1.ee,1SOIECTC1.Internationa1.Standardsaredraftedinaccordancewiththeru1.esgivenintheISO/IECDirectives,Part2.TmitteeistoprepareInternationa1.Standards.DraftInternationa1.Smitteearecircu1.atedtonationa1.bodiesforvoting.PfjMtionv,anInternationa1.Standardrequiresapprova1.byat1.east75%ofthenationa1.bodiesAttentionisdrawntothepossibi1.itythatsomeofthee1.ementsofthisdocumentmaybethesubjectofpatentrights.ISOandIECsha1.1.notbehe1.dresponsib1.eforidentifyinganyora1.1.suchpatentrights.ISO/IEC27036-1waspreparedbyJointTechnica1.CommitteeISO/IECJTC1,Informationtechno1.ogy.SubcommitteeSC27.Informationsecurity,cybersecurity,andphvac),protection.3(SKeMUt!i!)iW1.ft1.ft.andrep1.acesthefirstedition(ISO/IEC27036-1:2014),ofwhichthisThemainchangescomparedtothepreriouseditionareasfo1.1.ows: changeoftit1.e; revisionofC1.ause2; a1.ignmentwithdraftingru1.es; ISO/IEC27036(a1.1.parts)addedinBib1.iography.A1.istofa1.1.partsintheISO/IEC27036seriescanbefoundontheISOwebsiteIntroductionre1.ationshipswithsupp1.iersofdifferentkindsthatde1.iverproductsorservices.informationoftheinformationwhenprocessing.controbkquirersmonitorProdUaionPhySiCa1.deIiVeryIogiCa1.PrOCeSSeStotheThUs,acquirerstreatedsupp1.ierscanacquirerinformationorganizationsthroughappropriatemanagementeffective1.y1.nternationa1.informationsecurityinherentmanagingre1.ationships.re1.ationshipsinordertosupp1.ierre1.ationshipsthataredescribedasgenera1.recommendationsin1SOIEC27002.consu1.tingsoftware,p1.atform,infrastructureoutsourcedapp1.ications(ASPs),orc1.oudcomputingservicesexpectedre1.ationshipadequate1.yrequirementstheandinformationsecuritydocument.Furthermore,processesobjectives.supportintermsofinformationsecurityaswe1.1.astheaccomp1.ishmentof/IEC2021-A1.1.nghtsreservedMost(ifnota1.1.)organizationsaroundthewor1.d,whatevertheirsizeordomainsofactivities,haveSuchsupp1.ierscanhaveeitheradirectorindirectaccesstotheinformationandinformationsystemsoftheacquirer,orwi1.1.providee1.ements(software,hardware,processes,orhumanresources)thatwi1.1.beinvo1.vedinsupp1.iertheyorcana1.sohaveandandaccessofsupp1.ier.beassessedandandbybothcauseandsupp1.iersecurityriskseachother.Theserisksneedtoofinformationsecurityandtheimp1.ementationofre1.evantcontro1.s.Inmanyinstances,organizationshaveadoptedISO/IEC27001andISO1EC27002forthemanagementoftheirinformationsecurity.Suchcontro1.theStandardsshou1.da1.soHerisksadoptedthosesupp1.ierThisdocumentprovidesfurtherdetai1.edimp1.ementationguidanceonthecontro1.sdea1.ingWithvSupp1.ierre1.ationshipsinthecontextofthisdocumentinc1.udeanysupp1.ierre1.ationshipthatcanhaveinformationsecurityimp1.ications,e.g.informationtechno1.ogy,hea1.thcareServicesJanitoriaIservices.(suchasservices,R&DOrpartnerships,asaservice).Boththesupp1.ierandacquirershou1.dtakeresponsibi1.ityforachievingtheobjectivesinthesupp1.ier-isacquirertheyandimp1.ementtheaddressingguide1.inesofthisrisksthatCanoccur.Itfundamenta1.processesshou1.dbeimp1.ementedtosupportthesupp1.ier-acquirerre1.ationship(e.g.governance,businessmanagement,andoperationa1.andhumanresourcesmanagement).Thesebusinesswi1.1.provideCybersecurity-Supp1.ierre1.ationships一Overviewandconcepts1 Scopeintende<ioftosupp1.ierorganizationsinintroducesinformationandinformationinsystemsin¼rithinother2 Normativereferencesconstitutesrequircments1.atestcditiondocumcnt.rcfercncedrefercnccs,(inc1.udingamendments)app1.ies.app1.ies.systemsOverviewandvocabu1.ary3 Termsanddefinitionsnatthefo1.1.owingISOandIECmaintaintermino1.ogica1.databasesforUSeinStandardiZatiOaddresses:3.1 IECE1.cc1.ropcdia:avai1.ab1.ea1.h1.1.x/WwW.ek¼MoPedimhacquirerNote1toentr>r:Procurementmayormaynotinvo1.vetheexchangeofmonetaryfunds.3.2acquisition(SOURCE:ISO/IEC/IEEE15288:2015,4.1.2,modifiedTheWord“system'wasremoved.)agreementSOURCE:ISO/IEC/IEEE15288:2015,4.1.41©ISOIEC2021-A1.1.rht5reservedPart1:ThisdocumentisanintroductorypartofISO/IEC27036.Itprovidesanoverviewoftheguidancecontextassistre1.ationships.Ita1.sosecuringtheirconceptsthataredescribeddetai1.thepartsofISO/IEC27036.Thisdocumentaddressesperspectivesofbothacquirersandsupp1.iers.Thefo1.1.owingdocumentsarereferredtointhetextinsuchawaythatsomeora1.1.oftheircontentundatedreferences,theofthisoftheFordateddocumenton1.ytheanyeditioncitedForISO/IEC27000,Informationtechno1.ogy-SecuritytechniquesInformationsecuritymanagementForthepurposesofthisdocument,thetermsanddefinitionsinISO/IEC27000andthefo1.1.o¼ringapp1.y.-ISOOn1.inebrowsingp1.atform:avai1.ab1.eathttps:/www.iso.org/obpanybodythatprocuresaproductorservicefromanotherpartySOURCE:ISO/IEC/IEEE15288:2015,4.1.1,modifiedOrigina1.Notewasremoved,theword"acquires”wasremovedfromthedefinition,andNote1toentrywasadded.process(3.7)forobtainingaproductorservice3.3mutua1.acknow1.edgementoftermsandconditionsunderwhichaworkingre1.ationshipisconductedb)informationSecurityqua1.ityandsupp1.ierproductsthatimpactstheacquirer'sanditscustomer'srequirements,monitoring,auditingandcertification.Regard1.essofthenatureimportantprovidedestab1.ishingsupp1.ierre1.ationshipinformationinformationhasimp1.ementedadequateacquirerinformationsecuritymanagementandcontro1.s,basedcasecriteriawhich5.5ICTsupp1.ychainconsiderationsShou1.dwithinbascdownorganization,ensuresIeve1.sinc1.udeinformationfo1.1.owing:WhiChtheacquirerwishestoSyStemSimPaetSerVices.acquirer'sinformationsecurity,inc1.udingcontinuityofinformation,informationtothesupp1.iedproductsandservices. Managementofintegrityofcompromised,e1.ectroniccryptographichashfunctionsorpro<iuct Managementofphysica1.securityoffaci1.itiesfromwhichproductsandservicesarede1.ivered. Managementinteractioninformationsecurityacquirers,tothesupp1.iers*interactionswithsupp1.iers,andtheprocessesacquirersacquisitionofaframeworkServiceszfo1.1.owingsetofstandardizedorganization-wideinformationandinformationsystems.c)agreementsincorporatingnegotiationinformationre-negotiationandcomp1.iancesupp1.yrequirementsragreementorThosethataddressrisks：ofc)Thoseenforcinga)orb)aboveontheotherorganization,e.g.bymanagingandreportingTheagreementbetweentheacquirerandsupp1.ierbindsbothorganizationsinimp1.ementingandmaintainingthosecontro1.s.beconsideredasofthepartofproductoraservice,visibi1.ityofensuresecurityshou1.dsecurityriskstotheacquirer'sinformationandinformationsystemsaremanaged.Inordertoidentifyandmanagetheseinformationsecurityrisks,theacquirershou1.dobtainassurancethatthesupp1.ierarenotnegotiab1.e,theshou1.dse1.ectasupp1.ier'sproductserviceIntheonwheretheseinc1.uderequirementsforinformationsecuritymanagementandcontro1.stoavoidormitigateriskstoanacceptab1.e1.eve1.Theacquirer'sacceptanceofasupp1.iersproduction,de1.iveryandoperationofproductsandserviceshavebeitscriteriaWhichThesecou1.dofanythesecurity Managementofpo1.itica1.,1.ega1.andinformationsecurityrisksre1.atingtothe1.oca1.environmentwhichandthe Managementofconfidentia1.ityofphysica1.ande1.ectronicdocumentsandotherinformationre1.ating Managementofintegrityofmateria1.sande1.ementstoensureproperhand1.ing,i.e,runiquemarkingsandprotective1.abe1.1.ing.orservicetoensureisnotsoftwareothere.g.Usinginformationre1.atedtothesupp1.ieddigita1.watermarks. Managementofinfo11nationsecurityre1.atingtoanyaspectofthesupp1.iers*businessandasitre1.atestootherc1.ients.supp1.iers*ofwithotherre1.atingToappropriate1.ymanageinformationsecurityinsupp1.ierre1.ationshipsthroughouttheICTsupp1.ychain,fortheshou1.dadoptproductsandwiththea) Estab1.ishinformationsecurityandcomp1.iancerequirementsforthesecureexchangeorsharingofb) Priortoacquisition,assessandmonitortheinfo11nationsecurityrisksassociatedWiththesupp1.ychain.Estab1.ishprocessforthesecurityoftheICTchaininc1.udiaconditionsforrighttoauditandrestrictingupstreamsupp1.iersthroughoutthemu1.tip1.e1.ayersoftheICTsupp1.ychain.d)CQiihoriQf1.s1.yinforrnationsccri(ntprtonUttrfDanccTeqUire1.noduPP1.1.CcKHWtdwtC9U4tpp1.内呻P1.iUrre1.ationshipchange.create.6Overa1.1.ISO/IEC27036structureandoverview6.1 PUrPOSeandstructureISO/IEC27036isamu1.ti-partdocumentthatprovidesrequirementsandguidanceforacquirersaiMuwtcg幻6tfmyttw1.3u11forIman。访6upp1.rj0a1.H6hip0麻伊providesnotiona1.Parti：OverviewandconceptsDPart2:RequirementsOOPart3：GudJinc>forICTsupp1.ychainsecurityPart4GIndCHreSforSerurityofc1.oudservicesFigure2ISO/IEC27036architectureISO/IEC27036-3andISO/IEC27036-4addressspecificaspectsofinformationsecuritysupp1.ierShiPS270363),昨由哦i11arhftHQOgf*NS6tt1.ted3RB364)thosere1.atedtoICTproductsandservices6.2OverviewofISO/IEC27036-1:OverviewandconceptsThisdocumentprovidesoverviewandconceptsofinformationserityinsupp1.ierre1.ationships.This6c3unent0viBrariewirKi(i/MXdi1.ft36n2t.RequirementsRIECe)伊则侬蜒翩曲ShiPS.f1.Ww三workgK朋唾rmw11ia施可呵佬聃品mentsandre1.evanthigh-1.eve1.requirementsstatements.ISO/IEC27036-2isanormativedocumentthatacquirerscanuseasasourceofagreementrequirementstodefine,manage,andmonitorsupp1.ierW册H啪辟a的偏ents£州卅迎僭EatiOn瑜3即掘胸连WM沛6的I三tca6曲仅为nenttotheacquirer.Forexamp1.e,anacquirermayrequirethatasupp1.ierbecertifiedinaccordancewithISO/IEC27001andinc1.udeadditiona1.requirementsandapp1.icab1.econtro1.sinaccordancewith酎ftCd硼解隰他Ctmd断du那FMft心S。由稚豳帆HtekAFqBi移精ents.mayeitherUSethe6.4 OverviewofISO1EC27036-3:Guide1.inesforinformationandcommunicationtechno1.ogy(ICT)supp1.ychainsecuritymanufacturedsupp1.iersandProvidedsupp1.iensupp1.ierexamp1.e,indirectre1.ationshipWithpartsacquirer.outsourced.Iiardwareupp1.ybackupsonformedexterna1.successiveorsupp1.ierhavere1.ationshipsbackupinherentdirectre1.ationshipinformationacquireraremanagementsufficientcontro1.simp1.ementedbysecurityriskschain.acquirer'sexamp1.e,acquirer'sinte1.1.ectua1.ProPerIyauditsofthesupp1.ier'ssystemsthatcanresu1.tintherisksassociatedWithandthcprovidcsadditiona1.practicessupp1.yaugmentItJugh-IeveIonrequirements6.5 OverviewofISO/IEC27036-4:Guide1.inesforsecurityofc1.oudser,icese1.asticcomputingStOrageC1.OUdcapabi1.ities.beProvidedcapabi1.itiesnumbermadeavai1.ab1.edoudserviceSupp1.yinformationinformatitjnmanagementandcontro1.simp1.ementation,c1.arityonro1.esandresponsibi1.itiesorthec1.oudservicecustomerorregu1.atoryinfringementthecomp1.ianceob1.igationsbyeithermayacquirerconfidentia1.ityasaconsequencefrominadequateaccesscontro1.sand1.ackofc1.oudservicecustomersuchServices-ProvidedSpecificaIIy,Itainvo1.vesmanagingtheinformationsecurityrisksassociatedsupp1.ierofISO/IEC27036-2andguidancefromISO/IEC27036-3.©ISO/IEC2021-A1.1.rightsreservedInsupp1.ierre1.ationships,anICTproductorserviceprocuredbytheacquirerisnotnecessari1.ybyotheroroperatedso1.e1.ybyatotheForasanaProdUctoftencontainsthethatOr,aninformationprocessingsendeecanbebui1.tonotherinformationprocessingservicesasitsunder1.yinginfrastructure.Forinstance,thesupp1.ierhasanagreementwithanothersupp1.iertomaintaintheThus,ICTtostorechainsareanby1.ocationevenwithprocessinterdependencies.Inasupp1.ychain,withthesecuritynota1.waysandmanageinforrnation1.hesupp1.ierinofaproductorservice.Theacquirersmanagementofanindirectsupp1.ier's(supp1.ierofthesupp1.ier)productorservicecanbeessentia1.forinformationserity:thisrequiresvisibi1.ityintothesupp1.yConverse1.y,supp1.ierscana1.soexperienceincreasedinformationsecurityriskscausedbytheinterconnectednessofacquirerandsupp1.iersystemsthatsometimesresu1.tsfromtheICTsupp1.ychain.Foraccesstosupp1.ierrequireinvasiveISO/IEC27036-3providesguide1.inestoacquirersandsupp1.iersformanaginginformationsecurityinISO/IEC27036-2ICTproductsservicesthatchain.bui1.dsthefromISO/IEC27036-2.Organizationsusec1.oudcomputingservicestotakeadvantageoftheeconomiesOfsca1.eprovidedbybasedorper-usageandmode1.servicecomputingcanTheseinareofdifferentonauti1.ityde1.iverymode1.s,e.g.rIaaS1.PaaSandSaaS.However,thishasintroducedinformationsecurityrisksassociatedwithgreatercomp1.exinterconnectednessofacquirerandsupp1.iersystems.Simi1.artoICTforchainsecuritysecurityrisks,thereisfor1.ackofForexamp1.e,ifinformationwithinc1.oudcomputingservicework1.oadstraversesnationa1.boundariesinrisksof1.ega1.,statutoryisunab1.econtro1.howofdoudserviceddivered,thisresu1.torsupp1.ier.Additiona1.1.y,mu1.ti-tenancjrandtheuseoftechno1.ogies,e.g.rvirtua1.izationandapp1.icationprogramminginterfaces(APIs),canintroducenewinformationSeCUrityriSkSofc1.oudcustomersegregation.ISO/IEC270364providesguide1.inesforinformationsecurityofc1.oudcomputingserviceswhichareoftenthroughsupp1.ychainfromperspectiveofboththeacquirerandwithc1.oudcomputingservicesthroughoutthesupp1.ierre1.ationship1.ifecyc1.e.Itbui1.dsontherequirementsinISO/IEC27036-2andprovidesadditiona1.practicesthatcanaugmenthigh-1.eve1.requirementsfromBib1.iography1 ISO9000:2015,Qua1.itymanagementsystemsFundamenta1.sandvocabu1.ary2 ISO/IEC/IEEE15288:2015,SystemsandsoftwareengineeringSystem1.if