The ISO 27036-1 standard provides detailed guidance on implementing the ISO 27002 information security controls that deal with supplier relationships.
It addresses the supplier relationship from both the suppliers’ and the acquirers’ points of view.
Most organisations have relationships with suppliers that involve the transfer of information: suppliers can have direct or indirect access to acquirers' information and information systems, and acquirers can have access to suppliers' information.
Acquirers and suppliers can therefore present information security risks to each other. These risks should be managed by both parties.
The ISO 27036-1 standard is an introductory part of ISO 27036. It provides an overview of the guidance intended to help all organisations – whether supplier or acquirer – to secure their information and information systems within the context of supplier relationships. It also introduces concepts that are described in detail in the other parts of ISO 27036.
In the context of this standard, supplier relationships include any that have information security implications, such as information technology, healthcare services, janitorial services, consulting services, R&D partnerships, outsourced applications (ASPs) or cloud computing services (such as software, platform or infrastructure as a service).