ISOIEC27036-3资源-CSDN文库

版权申诉

5星 · 超过95%的资源 24 浏览量 2021-09-03 01:50:20 上传评论收藏 14.8MB PDF 举报

资源推荐

资源详情

资源评论

INTERNATIONAL

ANDARD

1S0/IEC

27036

-3

Fi.

rst

edition

2013-11-15

Information

technology

Security

techniques

Information

security

for

supplier

r,elationship,s -- -

Part

Guidelines

for

information

and

communication

technology

supply

chain

security

Technologies de /'information - Techniques

sec

urite

- Securite

d'information

pour

la relation

avec

fournisseur

Partie

3: Lignes directrices

pour

la securite de

cha.fne

fourniture

des techno1o9ies

commun

ication

de /'information

Refer

number

lSO/

27036-3:2013(E)

2013

poorest

1S0/IEC

27036-3:2013(E]

Contents

Page

r,ewo

....

...

........

.,..

....

.....

..........

....

..........................

...

.....

.......

....

.................................

...............

....

..,.

.....

.,.

...........................

...

......

.......

Introduction

...

....

. .

...........

...

..............

.. ..

....

.............................................

......................................

.....

....

.....................

....

....................

.....

......

. v

Scope

...

......................

....

.....

...

..............................

...

................

....

.....

...

.........

...

....

...

.....

........

...

....

...

....

......

...

....

........

...

.....

. 1

2 No·

rmative

referenc

•

....

...........

...

....

.....

...

....

......

...

....

.........

.....

...

....

...

....

...

.....

....

......

...

....

. 1

Terms

and

definitio

.........................

...

....

...........

...

....

.........

...

....

............

.....

.....................

...............................

........................

.....

...

.....

Structure

this

standard

....

...

.....

....

...

.........

....

...

....

......

....

...

....

...

....

.....

....

...

....

...

....

5 Key

concepts

.....

....................

.....................................

.........................

.......................

........

...

......

..............

...

.......

...

.............

..........

.........

.......

5.1

Business

case for ICT

supply

chain

security

........

.......

...

.........

.....

..................

.....................

......

.........

...

....

5.2

[CT

supp1y

chain

risks

and

associated

threats

.......................................

....

......

...

......

...

..........

........

.....

...................

5.3

Acq

uirer

and

supplier

relat

onship

typ-es

...

....

................

...

....

......

........

...........

.....

...

........

............

.........

........

. 3

5.4

Organizat[ona]

capability

...

....

...

...............

...

....

...

....

.....

....

...

....

...

....

...

....

......

....

5.5 Syste1n lifecycle

processes

...........................................

........

.......

................

.......

...

....

.....

......

...

....

......

....

......

.....

5.6

ISMS

processes

relat

system

life.cycle

processes

..........

.......

......

........

............

...

..................

....

...

5. 7

ISMS

nformation

security

contro

]s in

relation

supply

chain

security

......

....

...................

5.8

Essential

ICT

supply

chain

security

practices

...

......

....

.....

................

...

..........................

......

...

......................................

supply

chain

security

Lifecycle

Processes

.......

...

....................

...

...................

..................................................

6.1

Agreement

Processes

.. ..

...

.....

....

......

....

...

....

......

....

.....................

......

...

....

..........

....

.................

...

....

.....

......

6.2 Organizationa1 Project-Enabling Processes .

........

...

....

......

.........................................

.........

.....................................

6.3

Project

Processes

......

....

.....

....

..................

........

..............

...

..........

.....

...

........

.....

.......

.......................

...

....

.............................

6.4

Technical

Processes

...

....

...

....

......

...........

....

.......

...

.....

...

....

...

....

.....

...

....

.....

....

...

....

...

....

...

I S

Annex

(informative)

Summary

Supply

and

Acquisition

Processes

from

ISO /IEC

15288

and

ISO/IEC

12207

.......

....

........

......

....

.....

....................

.......................................

.......

...

.......

...........

......

.........

....

..................

......

................................

Annex

(informative)

Clause 6

mapp

ing

1S0/IEC

27002

..........

....

...

........

...

...........

....

............

.........

....

..........

.....

bliography

.........

.......

......

....

............

..............................

...

.....

....

..............

...

............

...

......

....

...

.....

....

...

..........................

...

poorest

1S0/IEC

27036-3:2013(E]

Introduction

Information

and

Communication

Technology

(KT)

products

and

services

are

deve[oped,

integrated,

and

delivered

globally

through

deep

and

physically

isperse

supp]ychains.

[CT

products

are

assembled

from

many

components

provided

many

suppHers.

ICT

services

throughout

the

entire

supplier

re]ations

hip

are

also

delive

red

through

multiple

tiers

outsourcing

and

supply

chain

ing. Acq

uirers

not

ave

visibHity

the

practices

hardware,

software,

and

service

providers

beyond

first

possibly

second

Jink

the

supply

chain.

With

the

substantial

increase

the

number

organ

zations

and

people

who

"touch"

product

service,

the

vis[bHity

into

the

practices

which

these

products

and

services

are

put

together

has

decreased

ramaticall

This

lack

visibi1ity.

transparency,

and

traceability

into

the

ICT

supply

chain

poses

risks

acquiring

organizations.

This

standard

provides

guidance

ICT

product

and

service

acquirers

and

suppI

iers

reduce

manage

nformation

secur

r isk.

This

ndard

identifies

the

business

case

for

[CT

suppJy

cha

security,

specific

risks

and

ationship

types

well

how

develop

organizational

capability

manage

information

ecudty

aspects

and

incorporate

Jifecyde

approach

manage

risks

supported

specific

controls

and

practices

[ts

plication

expected

resu]t

in:

ncreased

ICT

supp]y

cha

in visibility

and

traceability

enhance

information

security

capability;

ncreased

understanding

the

acquirers

where

their

products

services

are

coming

from,

and

the

practices

used

deve]op,

integrate,

operate

these

products

services,

enhance

the

imp]ementation

information

security

requiremen

case

information

security

compromise,

the

avai1ability

information

about

hat

may

have

compromised

and

who

the

involved

actors

may

his

internationa

standard

intended

used

all

types

organizations

that

acquire

supply

products

and

services

the

supply

chain

The

guidance

primari

focused

the

initial

link

the

first

acquirer

and

supplier,

but

the

principle

steps

should

appHed

throughout

the

chaf

starting

when

the

first

supplier

changes

its

role to

being

acquirer

and

so on. This

change

of roles

and

.ap

plying

the

same

steps

for

each

new

acquirer-supplier

Hnk

the

chain

the

essential

intention

the

standard.

following

thi.s

international

standar

information

security

mplications

can

communicated

among

organizations

the

chain.

This

helps

identifying

formation

security

risks

and

their

causes

and

may

enhance

the

transparency

throughout

the

chain.

Info

rmation

security

concerns

supplier

relationships cover a

broad

range

scenarios

Organizations

desiring

improve

trust

within

their

ICT

supply

chain hou1d

defi

the

trust

boundaries,

evaluate

the

risk

assodated

with

their

supp

ly chain

activities,

and

then

deflne

and

implement:

appropriate

risk

identification

and

mitigation

techniques

reduce

the

risk

ofvulnerabjljties

being

introduced

through

their

JCT

supp,Jy

cha

ISO/rnc

2700

and

150/IEC

27002

framework

and

controls

provide

useful

starting

for

identifying

appropriate

requirements

for

acquirers

and

suppliers

.. 1

50/IEC

27036

provides

further

detail

regarding

specific

requirements

used

establishing

and

monitoring

suppUer

relationships.

poorest

INTERNA

ONAL STANDARD

ISO/IEC

27036-3:201.3(E)

Information

technology-

Security

techniques

Information

security

for

supplier

relationships

-- -

Part

Guidelines

for

information

and

communication

technology

supply

chain

security

1 Scope

his

part

ISO/

JEC

27036

provides

product

and

ser

vice

acquire

and

suppliers

ICT

supply

hain

with

guidance

on:

gaining

visibi1ity

into

and

managing

the

nformation

security

risks

caused

sica]ty

isperse

and

multi

-laye

red

supp[y

chains;

responding

risks

stemming

from

the

globa

l ICT

supply

cha

products

and

services

that

can

have

Information

secu

imp

act

the

rgan

atio

using

these

produ

cts

and

ser

ices

hese

risks

can

related to organizational

weU

as technical

aspects

.g.

insertion

malidous

ode

p,rese

nce

the

counterfeit

nformation

techno

ogy

(IT)

products);

egrating

information

ecurity

processes

ractices

nto

the

ystem

and

softwar

•e

lifecycle

processes,

described

1SO/IEC

1528

and

ISO/

IEC

122

07,

while

sup

porting

infor

mation

security

controls

described

[SO/I

7002.

This

part

ISO/ I

2 70

does

not

business

continuity

management/resiliency

issues

involved

with

the

supp

chain

. ISO/IEC

27031

dre

sses

usi

continuity

Normative

references

The following

documents,

whole

part,

are

normatively

referenced

this

ocument

and

are

indispensable

for

its

application. For

dated

references,

only

the

edition

cited

appHes. For

undated

references,

the

latest

editi

the

referenced

doc

ument

(inclu

ding

any

amendments

) applies.

1S0/

]

27000,

Information

technolo9y

- Sec

urit

techn

ique

s - Information

security

mana9ement

systems

Overview

and

vocabulary

ISO/]EC

27036-

Information technology - Security

.tech

niques -

Inf

ormation securi

for

supplier

relationships - P

art

Overview

and

concepts

1S0/

mEC

27036-2,

Information technology -

Security

techniques - I

nformation

security

for

upp

lier

relationships -

Part

2: R

equirements

· ·

3 Terms

and

definitions

For

the

purposes

this

document,

the

terms

and

ddinitions

given in 1SO/l C 27000, ISO/I EC 27036-1

the

following

apply.

3.1

reUability

proper

system

and

its

parts

perform

its

mission

accurately

and

without

failure

significant

degradat

poorest

剩余41页未读，继续阅读

评论收藏

内容反馈

版权申诉

zzyy1111111

2022-03-22

用户下载后在一定时间内未进行评价，系统默认好评。
weixin_45435522

2024-03-21

超级好的资源，很值得参考学习，对我启发很大，支持！
ybqq_0221

2023-09-10

资源使用价值高，内容详实，给了我很多新想法，感谢大佬分享~
minorsnow

2022-07-21

资源有一定的参考价值，与资源描述一致，很实用，能够借鉴的部分挺多的，值得下载。
Grejoan

2024-04-14

感谢大佬，让我及时解决了当下的问题，解燃眉之急，必须支持！

alarmano

粉丝: 23
资源: 1万+

ISO IEC 27036-3

最新资源

ISO IEC 27036-3

ISO IEC 27036

ISO IEC 27036-4

ISO IEC 27036-1

ISO IEC 27034-3

ISO IEC 15026-

ISO IEC 27036-3-2013中文 通信和信息技术供应链的安全指导原则.pdf

ISO IEC 27036-1-2021中文 概述和概念.pdf

ISO IEC 27036-4-2016中文 第 4 部分 采矿服务安全的指导原则.pdf

ISO/IEC 13818-2

ISO IEC 29147

ISO IEC 29161

ISO-IEC 10373-6

ISO IEC 14102

ISO IEC 27036-3-2023网络安全 — 供应商关系 — 第 3 部分：硬件、软件和服务供应链安全指南.rar

ISO IEC 20000-3-2019中文-信息技术-服务管理-第3部分：ISO IEC 20000-1的范围定义和适用性指南

ISO IEC 20000-3-2019 信息技术-服务管理-第3部分：ISO IEC 20000-1的范围定义和适用性指南.

最新完整版标准 ISO IEC 20000-3-2019 信息技术-服务管理-第3部分：定义和适用性指南.pdf

ISO-IEC 13818-1

ISO_IEC_17799

ISO-IEC 170252005

ISO IEC 24091

ISO IEC 30130

最新完整版标准 ISO IEC 20000-3-2019中文-信息技术-服务管理-第3部分：ISO 20000-1范围定义和指南

ISO IEC 27036-2-2022中文 网络安全 - 供应商关系第 2 部分： 要求.pdf

ISO IEC 20000-6

ISO IEC 18000-3-2010.pdf

最新资源

ISO IEC 27036-3-2013中文通信和信息技术供应链的安全指导原则.pdf

ISO IEC 27036-1-2021中文概述和概念.pdf

ISO IEC 27036-4-2016中文第 4 部分采矿服务安全的指导原则.pdf

ISO IEC 27036-2-2022中文网络安全 - 供应商关系第 2 部分：要求.pdf