ISO/IEC 27036-2:2022
Cybersecurity — Supplier relationships — Part 2: Requirements
This document specifies fundamental information security requirements for defining, implementing, operating, monitoring, reviewing, maintaining and improving supplier and acquirer relationships. These requirements cover any procurement and supply of products and services, such as manufacturing or assembly, business process procurement, software and hardware components, knowledge process procurement, build-operate-transfer and cloud computing services. This document is applicable to all organizations, regardless of type, size and nature. To meet the requirements, it is expected that an organization has internally implemented a number of foundational processes or is actively planning to do so. These processes include, but are not limited to: business management, risk management, operational and human resources management, and information security.
INTERNATIONAL STANDARD
ISO/IEC 27036-2
Second edition
2022-06
Cybersecurity — Supplier relationships —
Part 2:
Requirements
© ISO/IEC 2022
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
© ISO/IEC 2022 – All rights reserved
Contents
Foreword ... v
Introduction ... vi
1 Scope ... 1
2 Normative references ... 1
3 Terms and definitions ... 1
4 Abbreviated terms ... 1
5 Structure of this document ... 2
5.1 Clause 6 ... 2
5.1.1 General ... 2
5.1.2 Organizational project-enabling processes ... 2
5.1.3 Technical management processes ... 2
5.2 Clause 7 ... 3
5.3 Relationship between Clause 6 and Clause 7 ... 3
5.4 Annexes ... 5
6 Information security in supplier relationship management ... 5
6.1 Agreement processes ... 5
6.1.1 Acquisition process ... 5
6.1.2 Supply process ... 7
6.2 Organizational project-enabling processes ... 8
6.2.1 Life cycle model management process ... 8
6.2.2 Infrastructure management process ... 8
6.2.3 Project portfolio management process ... 9
6.2.4 Human resource management process ... 9
6.2.5 Quality management process ... 10
6.2.6 Knowledge management process ... 10
6.3 Technical management processes ... 11
6.3.1 Project planning process ... 11
6.3.2 Project assessment and control process ... 11
6.3.3 Decision management process ... 11
6.3.4 Risk management process ... 11
6.3.5 Configuration management process ... 13
6.3.6 Information management process ... 13
6.3.7 Measurement process ... 13
6.3.8 Quality assurance process ... 14
6.4 Technical processes ... 14
6.4.1 Business or mission analysis process ... 14
6.4.2 Architecture definition process ... 14
7 Information security in a supplier relationship instance ... 15
7.1 Supplier relationship planning process ... 15
7.1.1 Objective ... 15
7.1.2 Inputs ... 15
7.1.3 Activities ... 15
7.1.4 Outputs ... 16
7.2 Supplier selection process ... 17
7.2.1 Objectives ... 17
7.2.2 Inputs ... 17
7.2.3 Activities ... 17
7.2.4 Outputs ... 21
7.3 Supplier relationship agreement process ... 21
7.3.1 Objective ... 21
7.3.2 Inputs ... 22
7.3.3 Activities ... 22
7.3.4 Outputs ... 24
7.4 Supplier relationship management process ... 25
7.4.1 Objectives ... 25
7.4.2 Inputs ... 26
7.4.3 Activities ... 26
7.4.4 Outputs ... 27
7.5 Supplier relationship termination process ... 28
7.5.1 Objectives ... 28
7.5.2 Inputs ... 28
7.5.3 Activities ... 28
7.5.4 Outputs ... 29
Annex A (informative) Correspondence between ISO/IEC/IEEE 15288 and this document ... 30
Annex B (informative) Correspondence between ISO/IEC 27002 controls and this document ... 32
Annex C (informative) Objectives from Clauses 6 and 7 ... 34
Bibliography ... 38
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work.
The procedures used to develop this document and those intended for its further maintenance
are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria
needed for the different types of document should be noted. This document was drafted in
accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives or
www.iec.ch/members_experts/refdocs).
Attention is drawn to the possibility that some of the elements of this document may be the subject
of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent
rights. Details of any patent rights identified during the development of the document will be in the
Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents) or the IEC
list of patent declarations received (see https://patents.iec.ch).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO’s adherence to
the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see
www.iso.org/iso/foreword.html. In the IEC, see www.iec.ch/understanding-standards.
This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, Information security, cybersecurity and privacy protection.
This second edition cancels and replaces the first edition (ISO/IEC 27036-2:2014), which has been
technically revised.
The main changes are as follows:
— the structure and content have been aligned with the most recent version of ISO/IEC 15288.
A list of all parts in the ISO/IEC 27036 series can be found on the ISO and IEC websites.
Any feedback or questions on this document should be directed to the user’s national standards
body. A complete listing of these bodies can be found at www.iso.org/members.html and
www.iec.ch/national-committees.
Introduction
Organizations throughout the world work with suppliers to acquire products and services. Many
organizations establish several supplier relationships to cover a variety of business needs, such as
operations or manufacturing. Conversely, suppliers provide products and services to several acquirers.
Relationships between acquirers and suppliers established for the purpose of acquiring a variety of
products and services may introduce information security risks to both acquirers and suppliers. These
risks are caused by mutual access to the other party’s assets, such as information and information
systems, as well as by the difference in business objectives and information security approaches. These
risks should be managed by both acquirers and suppliers.
This document:
a) specifies fundamental information security requirements for defining, implementing, operating,
monitoring, reviewing, maintaining and improving supplier and acquirer relationships;
b) facilitates mutual understanding of the other party’s approach to information security and
tolerance for information security risks;
c) reflects the complexity of managing risks that can have information security impacts in supplier
and acquirer relationships;
d) is intended to be used by any organization willing to evaluate the information security in supplier
or acquirer relationships;
e) is not intended for certification purposes;
f) is intended to be used to set a number of defined information security objectives applicable to a
supplier and acquirer relationship that is a basis for assurance purposes.
ISO/IEC 27036-1 provides an overview and concepts associated with information security in supplier
relationships.
ISO/IEC 27036-3 provides guidelines for the acquirer and the supplier for managing information
security risks specific to the ICT products and services supply chain.
ISO/IEC 27036-4 provides guidelines for the acquirer and the supplier for managing information
security risks specific to the cloud services.
INTERNATIONAL STANDARD ISO/IEC 27036-2:2022(E)
Cybersecurity — Supplier relationships —
Part 2:
Requirements
1 Scope
This document specifies fundamental information security requirements for defining, implementing,
operating, monitoring, reviewing, maintaining and improving supplier and acquirer relationships.
These requirements cover any procurement and supply of products and services, such as manufacturing
or assembly, business process procurement, software and hardware components, knowledge process
procurement, build-operate-transfer and cloud computing services.
This document is applicable to all organizations, regardless of type, size and nature.
To meet the requirements, it is expected that an organization has internally implemented a number
of foundational processes or is actively planning to do so. These processes include, but are not limited
to: business management, risk management, operational and human resources management, and
information security.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 27000, Information technology — Security techniques — Information security management
systems — Overview and vocabulary
ISO/IEC 27036-1, Cybersecurity — Supplier relationships — Part 1: Overview and concepts
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 27000 and ISO/IEC 27036-1
apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
4 Abbreviated terms
ASP application service provider
BCP business continuity plan
ICT information and communication technology
ISMS information security management system
ITT invitation to tender
PII personally identifiable information
RFP request for proposal
5 Structure of this document
5.1 Clause 6
5.1.1 General
Clause 6 defines fundamental and high-level information security requirements applicable to the
management of several supplier relationships. Any of the processes in Clause 6 can be applied to
individual supplier relationships at any point in that supplier relationship life cycle based on the
appropriate assessment of the risk.
The requirements are structured according to life cycle processes specified in ISO/IEC/IEEE 15288. The
requirements shall be applied by the acquirer and by the supplier to ensure that these organizations
are able to manage information security risks resulting from supplier relationships.
NOTE Clause 6 only references the ISO/IEC/IEEE 15288 life cycle processes that are relevant to information
security in supplier relationships.
Organizations can enter into a variety of supplier relationships. Suitable relationships between
acquirers and suppliers are achieved using agreements defining information security roles and
responsibilities with respect to the supplier relationship.
The following agreement processes support procurement or supply of a product or service from both
strategic and information security perspectives:
a) acquisition process;
b) supply process.
5.1.2 Organizational project-enabling processes
The organizational project-enabling processes are concerned with ensuring that the resources, such as
the financial ones, needed to enable the project to meet the needs and expectations of the organization’s
interested parties are met.
The following organizational project-enabling processes support the establishment of the environment
in which supplier relationships are planned or conducted:
a) life cycle model management process;
b) infrastructure management process;
c) project portfolio management process;
d) human resource management process;
e) quality management process;
f) knowledge management process.
5.1.3 Technical management processes
Technical management processes are concerned with rigorous project management and project
support, covering one or more suppliers.
The following technical management processes support the establishment of the environment in which
supplier relationship instances are planned or conducted:
a) project planning process;
b) project assessment and control process;
c) decision management process;
d) risk management process;
e) configuration management process;
f) information management process;
g) measurement process;
h) quality assurance process.
Technical processes are generally used by a supplier for the following purposes:
— define requirements for a product or service;
— transform these requirements into an effective product or service;
— sustain the provision of the procured or supplied product or service;
— permit consistent and quality reproduction of the procured or supplied product or service when
necessary;
— dispose of the product or service when it has been decided to retire it.
NOTE ISO/IEC 27036-3 provides guidance on other technical processes in addition to the ones defined in
this document.
5.2 Clause 7
Clause 7 defines fundamental information security requirements applicable to an acquirer and a
supplier within the context of a single supplier relationship instance.
These requirements are structured using the following supplier relationship life cycle:
a) supplier relationship planning process;
b) supplier selection process;
c) supplier relationship agreement process;
d) supplier relationship management process;
e) supplier relationship termination process.
Requirements in Clause 7 shall be applied by the acquirer and the supplier involved in a supplier
relationship to ensure that these organizations are able to manage relevant information security risks.
5.3 Relationship between Clause 6 and Clause 7
Figure 1 describes the scope of the fundamental information security requirements in connection with
the processes defined in Clauses 6 and 7.
Figure 1 — Scope of fundamental information security requirements defined in Clauses 6 and 7
Some of the text of 6.1 to 6.4 and of 7.1 to 7.5 is structured in tables which shall be interpreted as follows:
Acquirer (single column): Text specific to the acquirer.
Supplier (single column): Text specific to the supplier.
Acquirer | Supplier (merged cell spanning both columns): Text specific to both the acquirer and the supplier, unless explicitly stated.
Acquirer | Supplier (two separate cells): Text specific to the acquirer in the left cell; text specific to the supplier in the right cell.
5.4 Annexes
Annex A provides correspondence between subclauses of ISO/IEC/IEEE 15288 that are relevant to
supplier relationships and subclauses of this document.
Annex B provides correspondence between subclauses of this document and information security
controls listed in ISO/IEC 27002 that are relevant to supplier relationships.
Annex C provides the consolidated list of objectives that are stated in Clauses 6 and 7 for the acquirer
and the supplier.
6 Information security in supplier relationship management
6.1 Agreement processes
6.1.1 Acquisition process
6.1.1.1 Objective
The following objective shall be met by the acquirer for successfully managing information security
within the acquisition process:
— Establish a supplier relationship strategy that:
— is based on the information security risk tolerance of the acquirer;
— defines the information security foundation to use when planning, preparing, managing and
terminating the procurement of a product or service.
6.1.1.2 Activities
The minimum activities shown in Table 1 shall be executed by the acquirer to meet the objective defined
in 6.1.1.1.
Table 1 — Acquisition process activities
Acquirer
a) Define, implement, maintain and improve a supplier relationship strategy containing the following:
1) Management motives, needs and expectations from procuring products or services expressed from
business, operational, legal and regulatory perspectives.
2) Management commitment to allocating necessary resources.
3) An information security risk management framework to use for assessing information security risks
accompanying the procurement of a product or service.
NOTE Subclause 6.3.4 defines information security requirements for the establishment of an information security risk management framework.
4) A framework to use when defining information security requirements during the supplier relationship planning process.
This framework shall be defined following information security guidelines and rules, such as information security policy and information classification, established by the acquirer.
Information security requirements defined in this framework need to be customized to each supplier
relationship instance, considering type and nature of the product or service that is procured.
This framework shall also include the following:
i) methods for suppliers to provide evidence for adherence to the defined information security
requirements;
ii) methods for the acquirer to validate suppliers’ adherence to the defined information security
requirements and the frequency of such validation;
iii) processes for sharing information about information security changes, incidents and other relevant events among the acquirer and suppliers.
5) A supplier selection criteria framework to use when selecting a supplier, which includes the following:
i) Methods for assessing the information security maturity required from a supplier.
The following elements can be requested from the supplier to evaluate its information security
maturity:
a) past security-relevant performance;
b) evidence of pro-active management of information security (e.g. holding an ISO/IEC 27001
certification relevant to the supply of the product or service);
c) evidence of documented and tested business continuity and ICT continuity plans.
ii) Methods to be used for assessing evidence provided by a supplier based on the defined information security requirements.
iii) Methods for assessing supplier acceptance of the following:
a) information security requirements defined in the supplier relationship plan;
b) commitment to support the acquirer in its compliance monitoring and enforcement activities;
c) transition of the product or service supply that may be procured when it has been previously manufactured or operated by the acquirer or by a different supplier;
d) termination of the product or service supply.
iv) Supplier-specific requirements, to be defined in accordance with business, legal, regulatory,
architectural, policy and contractual expectations from the acquirer, such as:
a) financial strength of the supplier for being able to supply the product or service;
b) location of the supplier from which the product or service will be supplied.
6) High-level information security requirements to use when defining the following:
i) transition plan to transfer a product or service procured to a different supplier;
ii) information security change management procedure;
iii) information security incident management procedure;
iv) compliance monitoring and enforcement plan;
v) termination plan to terminate the procurement of a product or service.
b) Appoint an individual responsible for handling the information security aspects of the supplier relationship strategy and ensure that this individual is appropriately and regularly trained.
c) Ensure the supplier relationship strategy is reviewed at least once a year, whenever significant business,
legal, regulatory, architectural, policy and contractual changes occur, or when a product or service being
procured can significantly impact the acquirer.
6.1.2 Supply process
6.1.2.1 Objective
The following objective shall be met by the supplier for successfully managing information security
within the supply process:
— Establish an acquirer relationship strategy that:
— is based on the information security risk tolerance of the supplier;
— defines the information security baseline to use when planning, preparing, managing and
terminating the supply of a product or service.
6.1.2.2 Activities
The minimum activities shown in Table 2 shall be executed by the supplier to meet the objective defined
in 6.1.2.1.
Table 2 — Supply process activities
Supplier
a) Define, implement, maintain and improve an acquirer relationship strategy containing the following:
1) management motives, needs and expectations from the supply of products or services, expressed from business, operational and legal perspectives;
2) management commitment to allocate necessary resources;
3) an information security risk management framework to use for assessing information security risks
that accompany the supply of a product or a service;
NOTE 1 6.3.4 defines information security requirements for the establishment of an information
security risk management framework.
4) an information security management framework by:
i) defining, implementing, maintaining and improving information security management within
the organization;
NOTE 2 An ISMS establishment based on ISO/IEC 27001 can serve to ensure adequate information security management within the organization and to demonstrate its level to acquirers.
ii) ensuring that the supplier information security requirements stated in existing acquirer tender
documents and supplier relationship agreements conform to these requirements; any gap shall
be addressed to satisfy acquirer’s information security requirements of existing supplier
relationship agreements;
iii) defining a process to accept, interpret, apply and measure acquirer information security
requirements;
5) methods for:
i) demonstrating supplier’s capacity to supply a product or service of acceptable quality;
ii) providing evidence of adherence to information security requirements defined by acquirers;
6) high-level information security requirements to use when defining the following:
i) transition plan to support the transfer of a product or service supply when it has been
previously manufactured or operated by an acquirer or by another supplier;
ii) information security change management procedure;
iii) information security incident management procedure;
iv) processes for sharing information about information security changes, incidents and other
relevant events among the supplier and acquirers;
v) process for handling corrective actions;
vi) termination plan to terminate the supply of a product or service;
b) appoint an individual responsible for handling the information security aspects of the acquirer
relationship strategy and ensure that this individual is appropriately and regularly trained;
c) ensure the acquirer relationship strategy is reviewed at least once a year, whenever significant business,
legal, regulatory, architectural, policy and contractual changes occur, or when a supplier relationship is
established that can significantly impact the supplier.
6.2 Organizational project-enabling processes
6.2.1 Life cycle model management process
The acquirer and the supplier shall establish the life cycle model management process when managing
information security in supplier relationships.
NOTE The purpose of this process is to define, maintain and ensure availability of policies, life cycle
processes, life cycle models and procedures for use by the organization. There are no specific information
security objectives and activities for acquirers or suppliers to consider when internally establishing this process.
6.2.2 Infrastructure management process
6.2.2.1 Objective
The following objective shall be met by the acquirer and the supplier for successfully managing
information security within the infrastructure management process:
— Provide the enabling infrastructure to support the organization in managing information security
within supplier relationships.
6.2.2.2 Activities
The minimum activities shown in Table 3 shall be executed by the acquirer and the supplier to meet the
objective defined in 6.2.2.1.
Table 3 — Infrastructure management process activities
Acquirer Supplier
a) Define, implement, maintain and improve physical and logical security infrastructure capabilities for
protecting acquirer’s or supplier’s assets, such as information and information systems.
b) Define, implement, maintain and improve contingency arrangements to ensure that the procurement or
the supply of a product or service can continue in the event of its disruption caused by natural causes or
by humans.
These arrangements should be based on information security risk assessments and associated treatment
plans resulting from the procurement or the supply of a product or service, and should include:
1) the provision of alternative, secure facilities for the product or service supply to continue;
2) escrow of information and proprietary technologies, such as application source code and
cryptographic keys, using a trusted third party;
3) recovery arrangements to ensure continued availability of information stored at contractor or
subcontractor premises;
4) alignment with business continuity constraints expressed by an acquirer or a supplier.
NOTE The following International Standards provide requirements and guidelines on contingency
arrangements:
— ISO/IEC 27031;
— ISO 22313;
— ISO 22301.
6.2.3 Project portfolio management process
6.2.3.1 Objective
The following objective shall be met by the acquirer and the supplier for successfully managing
information security within the project portfolio management process:
— Establish a process for considering information security and overall business mission implications
and dependencies for each individual project for those projects where suppliers or acquirers are
involved.
6.2.3.2 Activities
The minimum activities shown in Table 4 shall be executed by the acquirer and the supplier to meet the
objective defined in 6.2.3.1.
Table 4 — Project portfolio management process activities
Acquirer Supplier
a) Define, implement, maintain and improve a process for identifying and categorizing suppliers or acquirers
based on the sensitivity of the information shared with them and on the access level granted to them to
acquirer’s or supplier’s assets, such as information and information systems;
NOTE A supplier having very limited access to the acquirer’s assets, such as information and information
systems, can be categorized as not critical, while a supplier developing critical business software for the
acquirer can be categorized as critical.
b) (Acquirer) define, implement, maintain and improve a process for ensuring that information security considerations are integrated into the evaluation of supplier performance as a part of each individual project;
c) ensure that project closeout involving a supplier or an acquirer integrates information security activities
documented in a termination plan.
6.2.4 Human resource management process
6.2.4.1 Objective
The following objective shall be met by the acquirer and the supplier for successfully managing
information security within the human resource management process:
— Ensure the acquirer and the supplier are provided with necessary human resources including
screening requirements, confidentiality requirements, training and awareness to ensure personnel
competences are regularly maintained and consistent with information security needs in supplier
relationships.
6.2.4.2 Activities
The minimum activities shown in Table 5 shall be executed by the acquirer and the supplier to meet the
objective defined in 6.2.4.1.
Table 5 — Human resource management process activities
Acquirer Supplier
a) Consider the following in the information security training and awareness programme as part of the
human resource management process:
1) information security guidelines and rules, such as the information security policy and information
classification, for personnel dealing with supplier relationships;
2) (Acquirer) information security requirements generally defined in a supplier relationship agreement, for demonstrating the existence of such requirements that meet acquirer’s needs and expectations;
3) (Acquirer) suppliers’ past performance in regard to their level of conformity with acquirer’s information security requirements, for demonstrating potential lack of compliance;
b) identify and assess personnel with regard to their access to and ability to disclose or modify information
within a supplier relationship, such as sensitive information or intellectual property that should not be
disclosed or modified;
c) ensure that identified personnel, especially those engaged in the information security or in the decision of
the procurement or supply of a product or service, have adequate competencies and qualifications;
d) train these personnel on information security aspects of supplier relationships to particularly ensure that
the handling of sensitive information is correctly understood;
e) ensure that detailed criminal and background checks have been performed for personnel assuming key
positions in supplier relationships, where permissible by law;
f) designate contact points and their backups for critical aspects of each supplier relationship including
operations and maintenance to ensure minimum impact when personnel leave the organization.
6.2.5 Quality management process
The acquirer and the supplier shall establish a quality management process when managing information
security in supplier relationships.
NOTE The purpose of this process is to ensure that products and services meet organization quality
objectives and achieve customer satisfaction. There are no specific information security objectives and activities
for acquirers and suppliers to consider when internally establishing this process.
6.2.6 Knowledge management process
The acquirer and the supplier shall establish the knowledge management process when managing
information security in supplier relationships.
NOTE The purpose of this process is to create the capability and assets that enable the organization to
exploit opportunities to re-apply existing knowledge. There are no specific information security objectives and
activities for acquirers or suppliers to consider when internally establishing this process.
6.3 Technical management processes
6.3.1 Project planning process
6.3.1.1 Objective
The following objective shall be met by the acquirer and the supplier for successfully managing
information security within the project planning process:
— Establish a project planning process addressing information security of supplier relationships.
6.3.1.2 Activities
The minimum activities shown in Table 6 shall be executed by the acquirer and the supplier to meet the
objective defined in 6.3.1.1.
Table 6 — Project planning process activities
Acquirer Supplier
— Include the following as part of the project planning process:
— impacts on project costs, plans and schedule of information security requirements defined for assets
used within the procurement or supply of a product or service;
— integration of information security into relevant project roles, responsibilities, accountabilities and
authorities;
— securing sensitive internal information that can be impacted by supplier relationships, such as
financial, operational, intellectual property, PII for customers or staff;
— resources, such as financial ones, that are required to ensure protection of assets.
6.3.2 Project assessment and control process
The acquirer and the supplier shall establish a project assessment and control process when managing
information security in supplier relationships.
NOTE The purpose of this process is to determine the status of the project and direct project plan
execution to ensure that the project performs according to plans and schedules, within projected budgets, to
satisfy technical objectives. There are no specific information security objectives and activities for acquirers or
suppliers to consider when internally establishing this process (adapted from ISO/IEC/IEEE 15288).
6.3.3 Decision management process
The acquirer and the supplier shall establish a decision management process when managing
information security in supplier relationships.
NOTE The purpose of this process is to select the most beneficial course of project action where alternatives
exist. There are no specific information security objectives and activities for acquirers or suppliers to consider
when internally establishing this process (adapted from ISO/IEC/IEEE 15288).
6.3.4 Risk management process
6.3.4.1 Objective
The following objective shall be met by the acquirer and the supplier for successfully managing
information security within the risk management process:
— Continuously address information security risks in supplier relationships and throughout their
life cycle including re-examining them periodically or when significant business, legal, regulatory,
architectural, policy and contractual changes occur.
...