ISO IEC 27036-3-2023 PDF
Full title and description
Cybersecurity — Supplier relationships — Part 3: Guidelines for hardware, software, and services supply chain security. This international standard provides guidance to product and service acquirers and to suppliers of hardware, software and services on identifying, assessing and managing information security risks arising from physically dispersed and multi‑layered supply chains, and on integrating information security into system and software life‑cycle processes.
Abstract
This document gives guidance for gaining visibility into and managing information security risks caused by physically dispersed and multi‑layered hardware, software and services supply chains; responding to risks that can impact organizations using these products and services; and integrating information security processes and practices into system and software life‑cycle processes (for example, ISO/IEC/IEEE 15288 and ISO/IEC/IEEE 12207) while supporting controls described in ISO/IEC 27002. It does not cover business continuity/resiliency aspects of supply chains (ISO/IEC 27031 addresses ICT readiness for business continuity).
General information
- Status: Published.
- Publication date: June 2023 (Edition 2, published 2023-06).
- Publisher: ISO and IEC (jointly published); developed by the joint technical committee ISO/IEC JTC 1/SC 27.
- ICS / categories: 35.030 (IT security).
- Edition / version: Edition 2 (ISO/IEC 27036-3:2023).
- Number of pages: 35 (official ISO catalogue listing).
Scope
The standard provides guidance to both acquirers and suppliers regarding: (a) gaining visibility into and managing information security risks from complex, multi‑layered and geographically dispersed hardware, software and services supply chains; (b) responding to supply‑chain risks that can affect the security of organizations that use these products and services; and (c) integrating information security into system and software life‑cycle processes while aligning with controls in ISO/IEC 27002. It explicitly excludes business continuity/resiliency topics addressed by ISO/IEC 27031.
Key topics and requirements
- Visibility and traceability: methods to improve transparency across multi‑tier supply chains.
- Risk identification and assessment: guidance for assessing intentional (e.g., malicious code insertion, counterfeit components) and unintentional (e.g., weak development practices, vulnerabilities) threats in supply chains.
- Supplier selection and management: recommendations for contractual, technical and procedural controls when procuring hardware, software and services.
- Integration with lifecycle processes: advice on embedding security practices into system and software life‑cycle activities (aligned with ISO/IEC/IEEE 15288 and ISO/IEC/IEEE 12207) and mapping to ISO/IEC 27002 controls.
- Incident response and remediation: steps for responding to supply‑chain related security events that affect acquirers and users.
Typical use and users
Intended users include procurement and supply‑chain managers, information security and risk professionals, system and software engineers, product and service acquirers, and suppliers of hardware, software and related services who need guidance on managing supply‑chain security risks and embedding security into lifecycle processes.
Related standards
Key related standards and references include ISO/IEC 27002 (information security controls), ISO/IEC 27031 (ICT readiness for business continuity), ISO/IEC/IEEE 15288 and ISO/IEC/IEEE 12207 (systems and software lifecycle processes), and other parts of the ISO/IEC 27036 series (supplier relationships).
Keywords
Supply chain security, supplier relationships, cybersecurity, hardware security, software supply chain, services supply chain, supply‑chain risk management, lifecycle security, ISO/IEC 27036.
FAQ
Q: What is this standard?
A: ISO/IEC 27036-3:2023 is Part 3 of the ISO/IEC 27036 series, titled "Cybersecurity — Supplier relationships — Part 3: Guidelines for hardware, software, and services supply chain security." It provides guidance for managing information security risks in complex supply chains.
Q: What does it cover?
A: It covers guidance on visibility, risk assessment, supplier management, integration of security into system/software lifecycle processes, and responding to supply‑chain security incidents. It does not cover business continuity/resiliency topics (see ISO/IEC 27031).
Q: Who typically uses it?
A: Procurement and supply‑chain teams, information security and risk managers, system and software engineers, acquirers of products and services, and suppliers seeking to reduce supply‑chain security risk.
Q: Is it current or superseded?
A: Current. ISO/IEC 27036-3:2023 (Edition 2, published June 2023) is the active edition and replaces ISO/IEC 27036-3:2013.
Q: Is it part of a series?
A: Yes. It is part of the ISO/IEC 27036 series on supplier relationships (multiple parts covering requirements and guidance for supplier-related information security).
Q: What are the key keywords?
A: Supply chain security, supplier relationships, software supply chain, hardware supply chain, services supply chain, supply‑chain risk management, lifecycle security, ISO/IEC 27036.