ISO IEC 27036-1-2021 pdf Cybersecurity — Supplier relationships — Part 1: Overview and concepts

3.4 life cycle evolution of a system (3.11), product, service, project, or other human-made entity from conception through retirement [SOURCE: ISO/IEC/IEEE 15288:2015, 4.1.23] 3.5 downstream handling processes (3.7 ) and movements of products and services that occur after an entity in the supply chain (3.10) takes custody of the products and responsibility for services [SOURCE: ISO 28001:2007, 3.10, modified — The word “goods” was replaced by “products and services”, and the definition was changed to better reflect this change in focus.] 3.6 outsourcing acquisition (3.2) of services (with or without products) in support of a business function for performing activities using supplier’s (3.8) resources rather than the acquirer’s (3.1) 3.7 process set of interrelated or interacting activities which transforms inputs into outputs [SOURCE: ISO 9000:2015, 3.4.1, modified — Notes were removed.] 3.8 supplier organization or an individual that enters into an agreement (3.3) with the acquirer (3.1) for the supply of a product or service Note 1 to entry: Other terms commonly used for supplier are contractor, producer, seller, or vendor. Note 2 to entry: The acquirer and the supplier can be part of the same organization. Note 3 to entry: Types of suppliers include those organizations that permit agreement negotiation with an acquirer and those that do not permit negotiation with agreements, e.g. end-user license agreements, terms of use, or open source products’ copyright or intellectual property releases. [SOURCE: ISO/IEC/IEEE 15288:2015, 4.1.45, modified — Note 3 to entry was added.]
5.2.1 Supplier relationships for products When an acquirer enters a supplier relationship for products, it typically purchases products with agreed specifications for a predetermined period for manufacturing the acquirer ’s products. The supplier can have access to the acquirer ’s information when delivering and supporting the product which can result in information security risks to the acquirer ’s information. Failures to fulfil requirements, software vulnerabilities and malfunctions of products and inadvertent release of sensitive information can also cause information security risks to the acquirer. To manage these information security risks, the acquirer may wish to control supplier ’s access to the acquirer ’s information. The acquirer may also wish to control elements of the supplier ’s production processes to maintain quality of the products and to reduce information security risks derived from vulnerabilities, malfunctions or other failures to fulfil requirements. This, in turn, can pose information security risks to the supplier because the acquirer can have access to the supplier ’s information when controlling elements of the supplier ’s processes. Further, the acquirer may wish to have assurances regarding the specification of products, by monitoring or auditing of the production processes or requiring the supplier to obtain an independent certification to demonstrate existence of good practices and required processes. These assurance requirements need be agreed between the acquirer and supplier.