
ISO 27036 Compliance

A practical operating model for supplier relationship security based on ISO/IEC 27036.

Designed for security, procurement, legal, and ISMS teams building third-party risk programs that scale.

Author: Sorena AI
Published: Mar 4, 2026
Updated: Mar 4, 2026
Overview

ISO/IEC 27036 is a multi-part standard that provides requirements and guidance for acquirers and suppliers on how to secure information in supplier relationships. ISO/IEC 27036-2 is the normative requirements part and provides the life cycle process framework that can be used as agreement requirements. ISO/IEC 27036-3 adds hardware, software, and services supply chain guidance, and ISO/IEC 27036-4 adds cloud service guidance. In practice, compliance means you can run supplier relationship planning, supplier selection, supplier agreements, supplier monitoring, and supplier exit as repeatable processes with audit-ready evidence.

Section 1

Use the right part of the series for the right risk problem

Part 1 is the overview and concept layer. Part 2 is the normative requirements backbone. Part 3 adds deeper guidance for hardware, software, and services supply chain security, including life cycle process detail and essential supply chain practices. Part 4 addresses cloud service risks and acquisition controls.

A mature supplier program uses Part 2 as the common operating model and then brings in Part 3 or Part 4 where the supplier relationship risk profile demands it.

  • Use Part 3 when product integrity, software components, services dependencies, or transition and disposal risks matter
  • Use Part 4 when cloud service location, limited auditability, multi-tenancy, and provider chain visibility matter
  • Keep one supplier process frame even when different parts of the series are applied

Section 2

What ISO 27036 compliance should look like in practice

ISO 27036 is valuable because it turns third-party risk into life cycle processes rather than one-time questionnaires. It addresses both acquirers and suppliers, and explicitly acknowledges supply chain interdependencies and indirect suppliers.

A strong program ties risk tiering to due diligence depth, contract clause requirements, ongoing monitoring cadence, and remediation enforcement.

  • Outcome to target: supplier risks are assessed and treated across the supplier relationship life cycle
  • Contract reality: security expectations are expressed as agreement requirements with measurable evidence deliverables
  • Audit standard: you can show tiering, due diligence, monitoring, exceptions, and remediation tracking
Section 3

Step 1 - Establish internal foundations (so supplier controls are enforceable)

ISO/IEC 27036-2 expects organizations to have foundational processes implemented or planned (business management, risk management, operations, HR, and information security).

Without internal foundations, supplier requirements cannot be enforced consistently.

  • Governance: define ownership across security, procurement, legal, and business owners
  • Risk model: tiering criteria and risk acceptance rules for third-party risk
  • Tooling: supplier inventory, evidence repository, and remediation tracking

Section 4

Step 2 - Run the supplier relationship life cycle as processes (not ad-hoc work)

ISO/IEC 27036-2 structures requirements around a supplier relationship life cycle and organizes requirements by life cycle processes. The intent is repeatability and predictability at scale.

Use the same process frame for every supplier relationship instance; adjust depth based on risk tier.

  • Supplier relationship planning: define goals, constraints, data types, and expected controls per tier
  • Supplier selection: due diligence and evidence requests based on risk; validate indirect suppliers where relevant
  • Supplier agreement: convert requirements into contract clauses, acceptance criteria, and an evidence delivery cadence
  • Supplier relationship management: monitor, reassess, handle changes, enforce remediation, and plan orderly transition or exit

Section 5

Step 3 - Manage indirect suppliers and supply chain visibility

ISO/IEC 27036-1 highlights that ICT products and services are often not manufactured or operated solely by one supplier; successive supplier relationships form supply chains with interdependencies.

Direct supplier controls can be insufficient; sometimes you need visibility into suppliers of the supplier (subcontractors/indirect suppliers).

  • Require disclosure of subcontractors where risk tier demands it (and define acceptable countries/locations where relevant)
  • Define flow-down obligations and ensure the supplier enforces them
  • Set audit and evidence models that balance transparency and supplier IP protection

Section 6

Step 4 - Cloud services supplier relationships (avoid responsibility gaps)

ISO/IEC 27036-1 notes cloud computing introduces complex interconnectedness and risks, including unclear roles and responsibilities. ISO/IEC 27036-4 provides guidelines for cloud services throughout the supplier relationship life cycle.

Treat cloud services as supply chains: multi-tenancy, virtualization, APIs, cross-border processing, limited customer audit rights, and provider-of-provider dependencies can introduce distinct risks and evidence needs.

  • Define roles and responsibilities clearly (customer vs provider) and bind them to contract clauses and evidence
  • Include cloud-specific evidence: access controls, segmentation/isolation, monitoring, and incident reporting responsibilities
  • Address cross-border and compliance constraints via provider disclosures and customer approvals
  • Use third-party assurance where individual customer audits are not practical for the service model

Section 7

Audit-ready evidence pack (what to keep current)

ISO 27036 is easiest to audit when you keep a single evidence index that maps supplier tier -> required clauses -> required evidence -> refresh cadence.

Build once, reuse: internal audit, customer assurance, regulator reviews, and procurement.

  • Supplier inventory with tiering and rationale (data types, system access, criticality)
  • Due diligence evidence: security questionnaires, certifications, reports, and gap remediation plans
  • Contract clause pack and deviations register (exceptions with approvals and compensating controls)
  • Ongoing monitoring: evidence refresh cadence, incident history, change notifications, and SLA performance
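A machine-readable form of that evidence index, added here as an illustration and not part of the original guide or of the standard: the tier names, clause names, evidence names, refresh cadences, review date and the sample supplier record are all constructed assumptions, and the two functions flag stale or missing evidence and uncovered clauses the way the index in Section 7 is meant to be used.

```python
from datetime import date, timedelta

# Constructed evidence index (an assumption for this example, not the standard's
# own): supplier tier -> required contract clauses and required evidence with
# its refresh cadence in days.
EVIDENCE_INDEX = {
    "tier1": {"clauses": ["incident_notification", "subcontractor_disclosure", "audit_rights"],
              "evidence": {"iso27001_certificate": 365, "pentest_summary": 365,
                           "subcontractor_list": 180, "incident_report_log": 90}},
    "tier2": {"clauses": ["incident_notification", "subcontractor_disclosure"],
              "evidence": {"security_questionnaire": 365, "subcontractor_list": 365}},
}

# Constructed review date used when checking refresh cadences.
REVIEW_DATE = date(2026, 3, 4)

def evidence_gaps(supplier, as_of):
    """Sorted (evidence_name, status) pairs: "missing" if never received,
    "overdue by N days" if the last refresh is older than the tier's cadence."""
    required = EVIDENCE_INDEX[supplier["tier"]]["evidence"]
    received = supplier.get("evidence", {})
    gaps = []
    for name, cadence_days in required.items():
        last = received.get(name)
        if last is None:
            gaps.append((name, "missing"))
            continue
        due = last + timedelta(days=cadence_days)
        if as_of > due:
            gaps.append((name, f"overdue by {(as_of - due).days} days"))
    return sorted(gaps)

def clause_gaps(supplier):
    """Required clauses neither in the contract nor covered by an approved deviation."""
    required = EVIDENCE_INDEX[supplier["tier"]]["clauses"]
    signed = set(supplier.get("clauses", []))
    approved = {d["clause"] for d in supplier.get("deviations", []) if d.get("approved_by")}
    return sorted(c for c in required if c not in signed and c not in approved)

# Constructed sample supplier record (not a real supplier) for a tier 1 provider.
SAMPLE_SUPPLIER = {
    "name": "example-saas-provider",
    "tier": "tier1",
    "clauses": ["incident_notification", "audit_rights"],
    "deviations": [{"clause": "subcontractor_disclosure", "approved_by": "CISO",
                    "compensating_control": "quarterly subcontractor attestation"}],
    "evidence": {"iso27001_certificate": date(2025, 1, 10),
                 "pentest_summary": date(2025, 11, 2),
                 "incident_report_log": date(2025, 12, 1)},
}
```

Running both checks over every record in the supplier inventory yields the "what is stale, what is missing, what is excepted" view an auditor asks for, with each exception traceable to its approval and compensating control.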