ISO IEC 27036-3
Uploaded 2021-09-03 01:50:20 · PDF, 14.8 MB · Preview: 42 pages
ISO/IEC 27036-3:2013 Information technology - Security techniques - Information security for supplier relationships - Part 3: Guidelines for information and communication technology supply chain security - complete English version (42 pages)
INTERNATIONAL STANDARD
ISO/IEC 27036-3
First edition
2013-11-15

Information technology - Security techniques - Information security for supplier relationships - Part 3: Guidelines for information and communication technology supply chain security

French title: Technologies de l'information - Techniques de sécurité - Sécurité d'information pour la relation avec le fournisseur - Partie 3: Lignes directrices pour la sécurité de la chaîne de fourniture des technologies de la communication et de l'information

Reference number ISO/IEC 27036-3:2013(E)

© ISO/IEC 2013 - All rights reserved
ISO/IEC 27036-3:2013(E)

Contents (Page)

Foreword iv
Introduction v
1 Scope 1
2 Normative references 1
3 Terms and definitions 1
4 Structure of this standard 2
5 Key concepts 2
5.1 Business case for ICT supply chain security 2
5.2 ICT supply chain risks and associated threats 3
5.3 Acquirer and supplier relationship types 3
5.4 Organizational capability 4
5.5 System lifecycle processes 4
5.6 ISMS processes in relation to system lifecycle processes 5
5.7 ISMS information security controls in relation to ICT supply chain security 5
5.8 Essential ICT supply chain security practices 5
6 ICT supply chain security in Lifecycle Processes 7
6.1 Agreement Processes 7
6.2 Organizational Project-Enabling Processes 10
6.3 Project Processes 13
6.4 Technical Processes 15
Annex A (informative) Summary of Supply and Acquisition Processes from ISO/IEC 15288 and ISO/IEC 12207 24
Annex B (informative) Clause 6 mapping to ISO/IEC 27002 35
Bibliography 37
Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.

The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote.

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.

ISO/IEC 27036-3 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.

ISO/IEC 27036 consists of the following parts, under the general title Information technology - Security techniques - Information security for supplier relationships:

- Part 1: Overview and concepts
- Part 2: Requirements
- Part 3: Guidelines for information and communication technology supply chain security

The following part is under preparation:

- Part 4: Guidelines for security of cloud services
Introduction

Information and Communication Technology (ICT) products and services are developed, integrated, and delivered globally through deep and physically dispersed supply chains. ICT products are assembled from many components provided by many suppliers. ICT services throughout the entire supplier relationship are also delivered through multiple tiers of outsourcing and supply chaining. Acquirers do not have visibility into the practices of hardware, software, and service providers beyond the first or possibly second link of the supply chain. With the substantial increase in the number of organizations and people who "touch" an ICT product or service, the visibility into the practices by which these products and services are put together has decreased dramatically. This lack of visibility, transparency, and traceability into the ICT supply chain poses risks to acquiring organizations.

This standard provides guidance to ICT product and service acquirers and suppliers to reduce or manage information security risk. This standard identifies the business case for ICT supply chain security, specific risks and relationship types, as well as how to develop an organizational capability to manage information security aspects and incorporate a lifecycle approach to manage risks supported by specific controls and practices. Its application is expected to result in:

- Increased ICT supply chain visibility and traceability to enhance information security capability;
- Increased understanding by the acquirers of where their products or services are coming from, and of the practices used to develop, integrate, or operate these products or services, to enhance the implementation of information security requirements;
- In case of an information security compromise, the availability of information about what may have been compromised and who the involved actors may be.

This international standard is intended to be used by all types of organizations that acquire or supply ICT products and services in the ICT supply chain. The guidance is primarily focused on the initial link of the first acquirer and supplier, but the principle steps should be applied throughout the chain, starting when the first supplier changes its role to being an acquirer, and so on. This change of roles and applying the same steps for each new acquirer-supplier link in the chain is the essential intention of the standard. By following this international standard, information security implications can be communicated among organizations in the chain. This helps identifying information security risks and their causes and may enhance the transparency throughout the chain.

Information security concerns related to supplier relationships cover a broad range of scenarios. Organizations desiring to improve trust within their ICT supply chain should define their trust boundaries, evaluate the risk associated with their supply chain activities, and then define and implement appropriate risk identification and mitigation techniques to reduce the risk of vulnerabilities being introduced through their ICT supply chain. The ISO/IEC 27001 and ISO/IEC 27002 framework and controls provide a useful starting point for identifying appropriate requirements for acquirers and suppliers. ISO/IEC 27036 provides further detail regarding specific requirements to be used in establishing and monitoring supplier relationships.
INTERNATIONAL STANDARD ISO/IEC 27036-3:2013(E)

Information technology - Security techniques - Information security for supplier relationships - Part 3: Guidelines for information and communication technology supply chain security
1 Scope

This part of ISO/IEC 27036 provides product and service acquirers and suppliers in the ICT supply chain with guidance on:

a) gaining visibility into and managing the information security risks caused by physically dispersed and multi-layered ICT supply chains;

b) responding to risks stemming from the global ICT supply chain to ICT products and services that can have an information security impact on the organizations using these products and services. These risks can be related to organizational as well as technical aspects (e.g. insertion of malicious code or presence of counterfeit information technology (IT) products);

c) integrating information security processes and practices into the system and software lifecycle processes, described in ISO/IEC 15288 and ISO/IEC 12207, while supporting information security controls, described in ISO/IEC 27002.

This part of ISO/IEC 27036 does not include business continuity management/resiliency issues involved with the ICT supply chain. ISO/IEC 27031 addresses business continuity.
2 Normative references

The following documents, in whole or in part, are normatively referenced in this document and are indispensable for its application. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

ISO/IEC 27000, Information technology - Security techniques - Information security management systems - Overview and vocabulary

ISO/IEC 27036-1, Information technology - Security techniques - Information security for supplier relationships - Part 1: Overview and concepts

ISO/IEC 27036-2, Information technology - Security techniques - Information security for supplier relationships - Part 2: Requirements
3 Terms and definitions

For the purposes of this document, the terms and definitions given in ISO/IEC 27000, ISO/IEC 27036-1 and the following apply.

3.1
reliability
property of a system and its parts to perform its mission accurately and without failure or significant degradation
Comments
- zzyy1111111 2022-03-22: The user did not leave a review within the allotted time after downloading; the system defaulted to a positive rating.
- weixin_45435522 2024-03-21: Excellent resource, well worth studying and referring to; it inspired me a lot. Support!
- ybqq_0221 2023-09-10: A high-value resource with detailed content; it gave me many new ideas. Thanks for sharing~
- minorsnow 2022-07-21: The resource has real reference value, matches its description, is very practical, and has plenty worth borrowing from. Worth downloading.
- Grejoan 2024-04-14: Thanks, this solved my immediate problem just in time. Must support!