《ISO IEC 27036-1-2021.docx》由会员分享,可在线阅读,更多相关《ISO IEC 27036-1-2021.docx(16页珍藏版)》请在课桌文档上搜索。
1、INTERNATIONA1.STANDARDISO/IEC27036-1editionSecond2021-09CybersecuritySupp1.ierre1.ationships一iewandconceptsCybersecuriteRe1.ationsavecIefurnisseurPartie1:Aperugra1.etconceptsReferencenumberISO/IEC27036-1.:2021(E)CISO/IEC2021COPYRIGHTPROTECTEDDOCUMENTIS0/1EC2021M11chefivdi1.itedotherwise*ri快ChBxXniEX
2、1.msitRiDhmw;ItmiihrCoPwnR.pnttjuiionpostingontheinternetoranInunnu1.withoutpriorwrittenpermission.PermissioncanberequestedfromeitherISOatt1.addressbe1.oworISO*smemberhodyinthecountryofth?rrcucstcr.三cB1.andonnct8r,GenevaPhone:t41227490111辆jtc:用洲部砾o.orgPub1.ishedinSwitzer1.andContentsForewordivIntrod
3、uction.2 Scope3 Normativereferences4 Termsanddefinitions5 Sy1.nbOiSandabbreviatedterms.Prob1.emdefinitionandkeyconceptsMotivesforestab1.ishingsupp1.ierre1.ationshipsTyPeSofsupp1.ierre1.ationships3444S.2.1Supp1.ierre1.ationshipsforproducts5.2.3 ICTsupp1.ychain5.2.4 C1.oudcomputing.4用为nit能那躺曲醺ity融版ier
4、ii三8hip国赤那蝌梅threats6551C*SUPP1.yChainOOnSIde1.9Overa1.1.1S0/IEC27036structureandoverview106.1 Purposeandstructure106.2 OvemewofISO/IEC27036-1:Overviewandconcepts106.3 OverviewofISO/IEC27036-2:Requirements-106.4 Guide1.inesforinformationandcommunicationtechno1.ogy(ICT)supp1.ychainsecurity116.5 Overvi
5、ewofISO/IEC27036-4:Guide1.inesforsecurityofc1.oudservices11Bib1.iography一MaMmuaa_MMMMMBMM“一12ForewordISO(theInternationa1.OrganizationforStandardization)andIEC(theInternationa1.E1.ectrotechnica1.GwnibcrsOfiJSOrm1.H65pactHd(S那而UAWHoPWWfcf1.otMandamdgion.StNnderddtghtechniMbcommitteesestab1.ishedbythe
6、respectiveorganizationtodea1.withparticu1.arfie1.dsoftechnica1.activity.ISOandIECmitteesco1.1.aborateinfie1.dsofmutua1.interestOtherinternationa1.W仞恋胡用rg胭Fftf*VH电热RMift由温搐版就Sheda掂瓜/r?J1.w1.ee,1SOIECTC1.Internationa1.Standardsaredraftedinaccordancewiththeru1.esgivenintheISO/IECDirectives,Part2.Tmitte
7、eistoprepareInternationa1.Standards.DraftInternationa1.Smitteearecircu1.atedtonationa1.bodiesforvoting.PfjMtionv,anInternationa1.Standardrequiresapprova1.byat1.east75%ofthenationa1.bodiesAttentionisdrawntothepossibi1.itythatsomeofthee1.ementsofthisdocumentmaybethesubjectofpatentrights.ISOandIECsha1.
8、1.notbehe1.dresponsib1.eforidentifyinganyora1.1.suchpatentrights.ISO/IEC27036-1waspreparedbyJointTechnica1.CommitteeISO/IECJTC1,Informationtechno1.ogy.SubcommitteeSC27.Informationsecurity,cybersecurity,andphvac),protection.3(SKeMUt!i!)iW1.ft1.ft.andrep1.acesthefirstedition(ISO/IEC27036-1:2014),ofwhi
9、chthisThemainchangescomparedtothepreriouseditionareasfo1.1.ows: changeoftit1.e; revisionofC1.ause2; a1.ignmentwithdraftingru1.es; ISO/IEC27036(a1.1.parts)addedinBib1.iography.A1.istofa1.1.partsintheISO/IEC27036seriescanbefoundontheISOwebsiteIntroductionre1.ationshipswithsupp1.iersofdifferentkindstha
10、tde1.iverproductsorservices.informationoftheinformationwhenprocessing.controbkquirersmonitorProdUaionPhySiCa1.deIiVeryIogiCa1.PrOCeSSeStotheThUs,acquirerstreatedsupp1.ierscanacquirerinformationorganizationsthroughappropriatemanagementeffective1.y1.nternationa1.informationsecurityinherentmanagingre1.
11、ationships.re1.ationshipsinordertosupp1.ierre1.ationshipsthataredescribedasgenera1.recommendationsin1SOIEC27002.consu1.tingsoftware,p1.atform,infrastructureoutsourcedapp1.ications(ASPs),orc1.oudcomputingservicesexpectedre1.ationshipadequate1.yrequirementstheandinformationsecuritydocument.Furthermore
12、,processesobjectives.supportintermsofinformationsecurityaswe1.1.astheaccomp1.ishmentof/IEC2021-A1.1.nghtsreservedMost(ifnota1.1.)organizationsaroundthewor1.d,whatevertheirsizeordomainsofactivities,haveSuchsupp1.ierscanhaveeitheradirectorindirectaccesstotheinformationandinformationsystemsoftheacquire
13、r,orwi1.1.providee1.ements(software,hardware,processes,orhumanresources)thatwi1.1.beinvo1.vedinsupp1.iertheyorcana1.sohaveandandaccessofsupp1.ier.beassessedandandbybothcauseandsupp1.iersecurityriskseachother.Theserisksneedtoofinformationsecurityandtheimp1.ementationofre1.evantcontro1.s.Inmanyinstanc
14、es,organizationshaveadoptedISO/IEC27001andISO1EC27002forthemanagementoftheirinformationsecurity.Suchcontro1.theStandardsshou1.da1.soHerisksadoptedthosesupp1.ierThisdocumentprovidesfurtherdetai1.edimp1.ementationguidanceonthecontro1.sdea1.ingWithvSupp1.ierre1.ationshipsinthecontextofthisdocumentinc1.
15、udeanysupp1.ierre1.ationshipthatcanhaveinformationsecurityimp1.ications,e.g.informationtechno1.ogy,hea1.thcareServicesJanitoriaIservices.(suchasservices,R&DOrpartnerships,asaservice).Boththesupp1.ierandacquirershou1.dtakeresponsibi1.ityforachievingtheobjectivesinthesupp1.ier-isacquirertheyandimp1.em
16、enttheaddressingguide1.inesofthisrisksthatCanoccur.Itfundamenta1.processesshou1.dbeimp1.ementedtosupportthesupp1.ier-acquirerre1.ationship(e.g.governance,businessmanagement,andoperationa1.andhumanresourcesmanagement).Thesebusinesswi1.1.provideCybersecurity-Supp1.ierre1.ationships一Overviewandconcepts
17、1 Scopeintender:Procurementmayormaynotinvo1.vetheexchangeofmonetaryfunds.3.2acquisition(SOURCE:ISO/IEC/IEEE15288:2015,4.1.2,modifiedTheWord“systemwasremoved.)agreementSOURCE:ISO/IEC/IEEE15288:2015,4.1.41ISOIEC2021-A1.1.rht5reservedPart1:ThisdocumentisanintroductorypartofISO/IEC27036.Itprovidesanover
18、viewoftheguidancecontextassistre1.ationships.Ita1.sosecuringtheirconceptsthataredescribeddetai1.thepartsofISO/IEC27036.Thisdocumentaddressesperspectivesofbothacquirersandsupp1.iers.Thefo1.1.owingdocumentsarereferredtointhetextinsuchawaythatsomeora1.1.oftheircontentundatedreferences,theofthisoftheFor
19、dateddocumenton1.ytheanyeditioncitedForISO/IEC27000,Informationtechno1.ogy-SecuritytechniquesInformationsecuritymanagementForthepurposesofthisdocument,thetermsanddefinitionsinISO/IEC27000andthefo1.1.oringapp1.y.-ISOOn1.inebrowsingp1.atform:avai1.ab1.eathttps:/www.iso.org/obpanybodythatprocuresaprodu
20、ctorservicefromanotherpartySOURCE:ISO/IEC/IEEE15288:2015,4.1.1,modifiedOrigina1.Notewasremoved,thewordacquires”wasremovedfromthedefinition,andNote1toentrywasadded.process(3.7)forobtainingaproductorservice3.3mutua1.acknow1.edgementoftermsandconditionsunderwhichaworkingre1.ationshipisconductedb)inform
21、ationSecurityqua1.ityandsupp1.ierproductsthatimpactstheacquirersanditscustomersrequirements,monitoring,auditingandcertification.Regard1.essofthenatureimportantprovidedestab1.ishingsupp1.ierre1.ationshipinformationinformationhasimp1.ementedadequateacquirerinformationsecuritymanagementandcontro1.s,bas
22、edcasecriteriawhich5.5ICTsupp1.ychainconsiderationsShou1.dwithinbascdownorganization,ensuresIeve1.sinc1.udeinformationfo1.1.owing:WhiChtheacquirerwishestoSyStemSimPaetSerVices.acquirersinformationsecurity,inc1.udingcontinuityofinformation,informationtothesupp1.iedproductsandservices. Managementofint
23、egrityofcompromised,e1.ectroniccryptographichashfunctionsorproforICTsupp1.ychainsecurityPart4GIndCHreSforSerurityofc1.oudservicesFigure2ISO/IEC27036architectureISO/IEC27036-3andISO/IEC27036-4addressspecificaspectsofinformationsecuritysupp1.ierShiPS270363),昨由哦i11arhftHQOgf*NS6tt1.ted3RB364)thosere1.a
24、tedtoICTproductsandservices6.2OverviewofISO/IEC27036-1:OverviewandconceptsThisdocumentprovidesoverviewandconceptsofinformationserityinsupp1.ierre1.ationships.This6c3unent0viBrariewirKi(i/MXdi1.ft36n2t.RequirementsRIECe)伊则侬蜒翩曲ShiPS.f1.Ww三workgK朋唾rmw11ia施可呵佬聃品mentsandre1.evanthigh-1.eve1.requirementss
25、tatements.ISO/IEC27036-2isanormativedocumentthatacquirerscanuseasasourceofagreementrequirementstodefine,manage,andmonitorsupp1.ierW册H啪辟a的偏ents州卅迎僭EatiOn瑜3即掘胸连WM沛6的I三tca6曲仅为nenttotheacquirer.Forexamp1.e,anacquirermayrequirethatasupp1.ierbecertifiedinaccordancewithISO/IEC27001andinc1.udeadditiona1.req
26、uirementsandapp1.icab1.econtro1.sinaccordancewith酎ftCd硼解隰他Ctmd断du那FMft心S。由稚豳帆HtekAFqBi移精ents.mayeitherUSethe6.4 OverviewofISO1EC27036-3:Guide1.inesforinformationandcommunicationtechno1.ogy(ICT)supp1.ychainsecuritymanufacturedsupp1.iersandProvidedsupp1.iensupp1.ierexamp1.e,indirectre1.ationshipWithpa
27、rtsacquirer.outsourced.Iiardwareupp1.ybackupsonformedexterna1.successiveorsupp1.ierhavere1.ationshipsbackupinherentdirectre1.ationshipinformationacquireraremanagementsufficientcontro1.simp1.ementedbysecurityriskschain.acquirersexamp1.e,acquirersinte1.1.ectua1.ProPerIyauditsofthesupp1.ierssystemsthat
28、canresu1.tintherisksassociatedWithandthcprovidcsadditiona1.practicessupp1.yaugmentItJugh-IeveIonrequirements6.5 OverviewofISO/IEC27036-4:Guide1.inesforsecurityofc1.oudser,icese1.asticcomputingStOrageC1.OUdcapabi1.ities.beProvidedcapabi1.itiesnumbermadeavai1.ab1.edoudserviceSupp1.yinformationinformat
29、itjnmanagementandcontro1.simp1.ementation,c1.arityonro1.esandresponsibi1.itiesorthec1.oudservicecustomerorregu1.atoryinfringementthecomp1.ianceob1.igationsbyeithermayacquirerconfidentia1.ityasaconsequencefrominadequateaccesscontro1.sand1.ackofc1.oudservicecustomersuchServices-ProvidedSpecificaIIy,It
30、ainvo1.vesmanagingtheinformationsecurityrisksassociatedsupp1.ierofISO/IEC27036-2andguidancefromISO/IEC27036-3.ISO/IEC2021-A1.1.rightsreservedInsupp1.ierre1.ationships,anICTproductorserviceprocuredbytheacquirerisnotnecessari1.ybyotheroroperatedso1.e1.ybyatotheForasanaProdUctoftencontainsthethatOr,ani
31、nformationprocessingsendeecanbebui1.tonotherinformationprocessingservicesasitsunder1.yinginfrastructure.Forinstance,thesupp1.ierhasanagreementwithanothersupp1.iertomaintaintheThus,ICTtostorechainsareanby1.ocationevenwithprocessinterdependencies.Inasupp1.ychain,withthesecuritynota1.waysandmanageinfor
32、rnation1.hesupp1.ierinofaproductorservice.Theacquirersmanagementofanindirectsupp1.iers(supp1.ierofthesupp1.ier)productorservicecanbeessentia1.forinformationserity:thisrequiresvisibi1.ityintothesupp1.yConverse1.y,supp1.ierscana1.soexperienceincreasedinformationsecurityriskscausedbytheinterconnectedne
33、ssofacquirerandsupp1.iersystemsthatsometimesresu1.tsfromtheICTsupp1.ychain.Foraccesstosupp1.ierrequireinvasiveISO/IEC27036-3providesguide1.inestoacquirersandsupp1.iersformanaginginformationsecurityinISO/IEC27036-2ICTproductsservicesthatchain.bui1.dsthefromISO/IEC27036-2.Organizationsusec1.oudcomputi
34、ngservicestotakeadvantageoftheeconomiesOfsca1.eprovidedbybasedorper-usageandmode1.servicecomputingcanTheseinareofdifferentonauti1.ityde1.iverymode1.s,e.g.rIaaS1.PaaSandSaaS.However,thishasintroducedinformationsecurityrisksassociatedwithgreatercomp1.exinterconnectednessofacquirerandsupp1.iersystems.S
35、imi1.artoICTforchainsecuritysecurityrisks,thereisfor1.ackofForexamp1.e,ifinformationwithinc1.oudcomputingservicework1.oadstraversesnationa1.boundariesinrisksof1.ega1.,statutoryisunab1.econtro1.howofdoudserviceddivered,thisresu1.torsupp1.ier.Additiona1.1.y,mu1.ti-tenancjrandtheuseoftechno1.ogies,e.g.
36、rvirtua1.izationandapp1.icationprogramminginterfaces(APIs),canintroducenewinformationSeCUrityriSkSofc1.oudcustomersegregation.ISO/IEC270364providesguide1.inesforinformationsecurityofc1.oudcomputingserviceswhichareoftenthroughsupp1.ychainfromperspectiveofboththeacquirerandwithc1.oudcomputingservicest
37、hroughoutthesupp1.ierre1.ationship1.ifecyc1.e.Itbui1.dsontherequirementsinISO/IEC27036-2andprovidesadditiona1.practicesthatcanaugmenthigh-1.eve1.requirementsfromBib1.iography1 ISO9000:2015,Qua1.itymanagementsystemsFundamenta1.sandvocabu1.ary2 ISO/IEC/IEEE15288:2015,SystemsandsoftwareengineeringSystem1.if
