
ISO 27036 Contract Security Clauses

A contract clause pack to operationalize supplier security requirements and evidence deliverables.

Aligned to ISO/IEC 27036 supplier relationship requirements, ICT supply chain guidance, and cloud services supplier guidance.

Author
Sorena AI
Published
Mar 4, 2026
Updated
Mar 4, 2026
Overview

ISO/IEC 27036-2 provides high-level requirements that acquirers can use as agreement requirements to define, manage, and monitor supplier agreements. ISO/IEC 27036-1 highlights supply chain interdependencies and indirect suppliers. ISO/IEC 27036-3 adds supply chain guidance for hardware, software, and services. ISO/IEC 27036-4 adds cloud service guidance where roles and responsibilities can be unclear. This page turns those ideas into clause patterns with measurable obligations and evidence artifacts.

Section 1

How to use this clause pack (tiered, evidence-first)

Bind clauses to supplier tier. High-risk suppliers should accept stronger clauses and higher evidence cadence; low-risk suppliers can use lighter obligations.

For each clause: define the obligation, define acceptance criteria, define the evidence deliverable, and define the refresh cadence.

  • Tiering: clause set varies by access, data sensitivity, and criticality
  • Evidence: require evidence artifacts that map to obligations (not marketing statements)
  • Exceptions: document deviations, approvals, and compensating controls
Section 2

Core agreement requirements (applies to most supplier relationships)

These clause categories align to the supplier relationship life cycle: selection, agreement, and management. They are designed to be enforceable and auditable.

If you adopt only a few clauses, start with: security responsibilities, incident notification, subcontractors, and audit/evidence model.

  • Scope and responsibilities: roles, boundaries, and supplier obligations for protecting acquirer information and systems
  • Information handling: data classification expectations, access controls, encryption expectations, retention, and secure deletion/return on termination
  • Incident notification: notification channels, maximum delay, required fields, and cooperation obligations
  • Change management: notification and approval requirements for material changes affecting security risk
  • Subcontractors/indirect suppliers: disclosure, approval model, flow-down obligations, and country/location constraints where relevant
  • Audit and assurance: audit rights model, transparency scope, independent assurance evidence, and limits on audit activity that could disrupt the supplier's operations or other customers' environments (so that the audit itself does not introduce risk)
Section 3

Hardware, software, and services supply chain clauses

ISO/IEC 27036-3 is where product and software supply chain issues should be made explicit. If the supplier provides software, firmware, hardware components, managed platforms, or critical service dependencies, the agreement should cover origin, integrity, transition, maintenance, and disposal expectations.

This is also where software component transparency and secure update expectations belong if they materially affect the service risk profile.

  • Require supplier disclosure of critical dependencies and changes that materially affect supply chain risk
  • Require a secure development, update, and maintenance baseline where software or firmware is in scope
  • Define transition and disposal obligations so assets, components, and information are handled securely at exit
Section 4

Assurance evidence clauses (prove controls operate)

Supplier controls must be demonstrable with evidence, not just asserted. Build a clause that requires a reusable evidence pack for procurement and audits.

Where invasive audits are risky or impractical, require independent evidence with sufficient transparency.

  • Evidence index: list required evidence artifacts and refresh cadence (e.g., annually + on material change)
  • Independent evidence: ISO/IEC 27001 certificate with its scope statement, SOC reports, penetration test summaries (where applicable)
  • Remediation: obligations to address findings with timelines and progress reporting
Section 5

Cloud services clauses (prevent responsibility gaps)

ISO/IEC 27036-1 notes cloud services can create unclear roles and responsibilities; ISO/IEC 27036-4 provides cloud-specific supplier guidance across the supplier relationship life cycle.

Treat cloud procurement like supply chain procurement: require explicit responsibility allocation and cloud-specific evidence.

  • Shared responsibility: define provider vs customer responsibilities for access, monitoring, backups, incident handling, and logging
  • Multi-tenancy and isolation: require isolation/segregation commitments and evidence of controls where relevant
  • Cross-border and jurisdiction: require disclosures of locations and constraints that affect compliance obligations
  • APIs and integrations: require security controls for interfaces and administrative access models
  • Transition and exit: require methods and acceptance criteria for moving customer assets to a different provider
Section 6

Clause-to-evidence mapping (what to retain internally)

A clause pack only works if procurement and security can enforce it. Keep these internal artifacts as part of your supplier assurance operating model.

Make it easy: one supplier record, one clause set, one evidence index.

  • Supplier tiering rationale + risk assessment summary
  • Signed contract clauses and negotiated deviations (exceptions register)
  • Evidence pack received + review notes + follow-up actions
  • Monitoring cadence records and remediation tracking
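The evidence index from Section 4 (required artifacts plus a refresh cadence of "annually + on material change") and the "one supplier record, one clause set, one evidence index" model from Section 6 can be enforced mechanically. The following is an added example, not part of the original page or of any Sorena tooling: a small Python checker that maps each bound clause to its required evidence artifact and flags evidence that is missing, past its tier cadence, invalidated by a later material change, or received but not yet reviewed. The clause identifiers, artifact names, tier cadences, the 30-day grace period after a material change, and the sample supplier record are all assumptions constructed for the example.

```python
"""Evidence-index freshness check for a supplier clause pack (added example)."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed cadences: high-risk suppliers refresh yearly, lower tiers less often.
TIER_REFRESH_DAYS = {"high": 365, "medium": 730, "low": 1095}
# Assumed grace period to re-supply evidence after a material change.
MATERIAL_CHANGE_GRACE_DAYS = 30


@dataclass(frozen=True)
class Requirement:
    clause: str                    # clause id bound in the agreement
    artifact: str                  # evidence deliverable proving the clause operates
    reset_on_change: bool = True   # a material change invalidates this evidence


@dataclass(frozen=True)
class Evidence:
    artifact: str
    received: date
    reviewed: bool


@dataclass(frozen=True)
class Supplier:
    name: str
    tier: str
    clauses: tuple[str, ...]            # clauses bound in the signed agreement
    evidence: tuple[Evidence, ...]      # evidence pack received so far
    material_changes: tuple[date, ...] = ()


@dataclass(frozen=True)
class Finding:
    clause: str
    artifact: str
    status: str        # missing | stale | unreviewed | current
    due: date | None


# Hypothetical clause pack mirroring the page's clause categories (names assumed).
CLAUSE_PACK: tuple[Requirement, ...] = (
    Requirement("scope_responsibilities", "responsibility matrix"),
    Requirement("incident_notification", "incident notification procedure and contact roster"),
    Requirement("subcontractors", "subcontractor register with flow-down confirmation"),
    Requirement("audit_assurance", "ISO 27001 certificate with scope statement", reset_on_change=False),
    Requirement("audit_assurance", "SOC report and bridge letter"),
    Requirement("secure_development", "secure development and update baseline attestation"),
)


def check_supplier(supplier: Supplier, today: date) -> list[Finding]:
    """Map each bound clause to its evidence and flag gaps against the tier cadence."""
    cadence = timedelta(days=TIER_REFRESH_DAYS[supplier.tier])
    grace = timedelta(days=MATERIAL_CHANGE_GRACE_DAYS)
    findings: list[Finding] = []
    for req in CLAUSE_PACK:
        if req.clause not in supplier.clauses:
            continue  # clause not bound for this supplier's tier
        matching = [e for e in supplier.evidence if e.artifact == req.artifact]
        if not matching:
            findings.append(Finding(req.clause, req.artifact, "missing", None))
            continue
        latest = max(matching, key=lambda e: e.received)
        due = latest.received + cadence
        if req.reset_on_change:
            # A material change dated after the evidence pulls the due date forward.
            later = [c for c in supplier.material_changes if c > latest.received]
            if later:
                due = min(due, min(later) + grace)
        if today > due:
            status = "stale"
        elif not latest.reviewed:
            status = "unreviewed"
        else:
            status = "current"
        findings.append(Finding(req.clause, req.artifact, status, due))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    counts = {"missing": 0, "stale": 0, "unreviewed": 0, "current": 0}
    for f in findings:
        counts[f.status] += 1
    return counts


# Constructed sample supplier record and review date (not real data).
AS_OF = date(2026, 3, 4)
SAMPLE = Supplier(
    name="Example Managed Platform Ltd",
    tier="high",
    clauses=("scope_responsibilities", "incident_notification", "subcontractors",
             "audit_assurance", "secure_development"),
    evidence=(
        Evidence("responsibility matrix", date(2025, 9, 1), reviewed=True),
        Evidence("incident notification procedure and contact roster", date(2025, 2, 1), reviewed=True),
        Evidence("subcontractor register with flow-down confirmation", date(2025, 10, 15), reviewed=False),
        Evidence("ISO 27001 certificate with scope statement", date(2025, 6, 1), reviewed=True),
        Evidence("secure development and update baseline attestation", date(2024, 1, 10), reviewed=True),
    ),
    material_changes=(date(2026, 2, 10),),  # e.g. a new subcontractor was announced
)

if __name__ == "__main__":
    for f in check_supplier(SAMPLE, AS_OF):
        print(f"{f.status:10} {f.clause:24} {f.artifact} (due {f.due})")
    print(summarize(check_supplier(SAMPLE, AS_OF)))
```

Run against the sample record, the checker reports the SOC report as missing, the incident procedure and the secure development attestation as stale, the subcontractor register as received but unreviewed, and the responsibility matrix and ISO 27001 certificate as current. The certificate is deliberately marked `reset_on_change=False` because a material change at the supplier does not by itself void a third-party certificate, whereas the supplier's own registers and procedures do need re-evidencing; tune that flag per artifact in your own index.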