What is ISO/IEC 27036?
ISO/IEC 27036 is an international standard that gives guidance on information security in supplier relationships: how an acquiring organisation and its suppliers protect the information and systems they share, with particular attention to the supply chain for hardware, software and services. It is part of the ISO/IEC 27000 family and addresses the security of information flows between an organisation and its external partners.
ISO 27036 helps you manage the cyber risks that come from suppliers, service providers, cloud providers and software developers, across the whole lifecycle of the relationship: selection, contracting, delivery, operation and termination.
📦 Structure of ISO 27036
| Part | Topic |
|---|---|
| Part 1: Overview and concepts | Terminology, the acquirer/supplier relationship model and the general approach |
| Part 2: Requirements | Requirements for managing information security throughout the lifecycle of a supplier relationship, including what goes into the agreement (contract) |
| Part 3: Supply chain security | Guidelines for securing the hardware, software and services supply chain (earlier editions were titled ICT supply chain security) |
| Part 4: Cloud services | Guidelines for security of cloud services, from both the customer's and the provider's side |
🧠 What does ISO 27036-3 (Supply Chain) cover?
ISO 27036-3 is the part most relevant for OT/ICS environments, because it deals with the products and services you buy and integrate rather than with the contract alone. It covers:
- Assessing the risks that arise from working with third parties, including their subcontractors further down the chain
- Security expectations placed on suppliers and on the information exchanged with them
- Securing integrations (e.g. APIs, firmware and software updates, remote access for maintenance)
- Monitoring the delivered products and services throughout their lifecycle, including patching and end-of-life
- Working together on incidents and on coordinated vulnerability disclosure (often called responsible disclosure)
🔐 Why is ISO 27036 important?
| Risk | Without an ISO 27036 approach |
|---|---|
| Insecure firmware/software | No insight into the components inside a product, and no process for security updates |
| Unreliable suppliers | No due diligence or risk profile during onboarding, so problems surface only after the contract is signed |
| Supply chain attacks (such as the 2023 3CX desktop app compromise) | No integrity verification of updates, and no way to detect or respond to a tampered one |
| Insufficient contractual security | No legal basis for audits, security controls, incident notification or compliance evidence |
ISO 27036 is complementary to IEC 62443-2-4, which specifies security program requirements for service providers (integrators and maintenance providers) of industrial automation and control systems; the product-supplier side is covered by IEC 62443-4-1 (secure development lifecycle) and 62443-4-2 (component requirements). ISO 27036 supplies the organisational and contractual framework; the 62443 parts supply the sector-specific technical requirements.
✅ Best practices in line with ISO 27036
| Measure | Explanation |
|---|---|
| Third Party Risk Management | Risk assessment of suppliers, including their subcontractors, before onboarding and periodically afterwards |
| Supplier Security policy | Documenting security requirements in the contract: controls, incident notification, audit rights and exit arrangements |
| SBOM requirement | Suppliers deliver a software bill of materials, so the components in delivered software and firmware are known and can be matched against vulnerability advisories |
| Integrity verification of deliveries | Software and firmware updates are verified against hashes or signatures published by the supplier through a separate channel before they are installed |
| Access Control for externals | Vendor remote access is restricted, time-bound and routed through a PAM solution or jump server, with every session logged |
| Monitoring & audits | Regular checks on compliance with the security agreements, with the results fed back into the supplier risk profile |
📌 In summary
ISO 27036 provides a structured approach to securing digital collaboration with external parties. In OT and industrial environments, it is indispensable for managing supply chain risks, contractual arrangements and software integrity.
