
ISO 27036 FAQ

Quick answers to real supplier security and third-party risk questions.

Focused on ISO/IEC 27036 life cycle processes, contracts, evidence, monitoring, and cloud supply chains.

Author: Sorena AI
Published: Mar 4, 2026
Updated: Mar 4, 2026
Questions: 7 (structured answer sets in this page tree)
Primary sources: 6 (cited legal and guidance references)

Overview

ISO/IEC 27036 covers cybersecurity in supplier relationships. The standard is practical when you treat supplier security as a lifecycle and require evidence that controls operate: plan, select suppliers, bind requirements into agreements, and run ongoing monitoring and enforcement with corrective actions. Use this FAQ to navigate the parts, avoid common misunderstandings, and decide what to implement first.

Question 1

What is ISO/IEC 27036, and who is it for?

ISO/IEC 27036 provides requirements and guidance for securing information and information systems in supplier relationships. It applies to both acquirers (customers) and suppliers, and it covers many supplier relationship types: products, services, ICT supply chains, and cloud computing.

If you run procurement, security, legal, vendor management, or an ISMS program, ISO 27036 gives you a lifecycle structure for third-party risk management (TPRM) that can scale beyond questionnaires.

  • Best for: organizations that need repeatable supplier selection, enforceable agreements, and ongoing monitoring
  • Works with: ISO 27001/27002 (ISO 27036 provides deeper supplier-relationship guidance)
  • Key theme: evidence-first assurance and compliance monitoring/enforcement
Question 2

Which part should I use: ISO 27036-1 vs ISO 27036-2 vs ISO 27036-3 vs ISO 27036-4?

Use ISO 27036-1 for overview and concepts. Use ISO 27036-2 for the normative requirements and lifecycle processes you can operationalize. Use ISO 27036-3 when you need deeper guidance for hardware, software, and services supply chain security. Use ISO 27036-4 when cloud services are in scope and you need supplier relationship guidance adapted to cloud service risks and cloud provider chains.

In practice: read Part 1 to align stakeholders, implement Part 2 as your operating model, and apply Part 3 or Part 4 where the supplier type requires deeper controls.

  • ISO 27036-1: concepts and problem framing (indirect suppliers, cloud risk, relationship types)
  • ISO 27036-2: requirements + supplier relationship life cycle processes (planning/selection/agreement/management)
  • ISO 27036-3: hardware, software, and services supply chain guidance, including deeper life cycle process coverage
  • ISO 27036-4: cloud services supplier relationship guidance (acquisition lifecycle, chain-of-providers)
Question 3

What does "supplier relationship life cycle" mean in ISO 27036-2?

ISO/IEC 27036-2 structures requirements using a supplier relationship life cycle: supplier relationship planning process, supplier selection process, supplier relationship agreement process, and supplier relationship management process.

This is valuable because it forces a repeatable flow across every supplier relationship instance and makes it easier to create audit-ready evidence.

  • Planning: define the requirements framework and constraints for each risk tier
  • Selection: perform due diligence and make an evidence-backed risk decision
  • Agreement: bind requirements into contract clauses + evidence cadence + enforcement
  • Management: monitor compliance, manage incidents/changes, and track corrective actions
Question 4

How should we handle indirect suppliers, subcontractors, and supply chain dependencies?

ISO 27036-1 highlights supply chain interdependencies: a direct supplier often relies on other suppliers. ISO 27036-3 goes further for hardware, software, and services chains where dependencies, originators, and life cycle controls can materially affect risk.

A practical approach is tier-based visibility and flow-down. You do not need full transparency for every subcontractor, but you do need it when the risk tier requires it.

  • Require disclosure of material subcontractors (who they are, what they do, and where they operate)
  • Define approval rules for new subcontractors and location/jurisdiction changes
  • Flow-down obligations: require equivalent security controls, evidence cadence, and incident/change notification downstream
  • Keep an exceptions register when full flow-down is not achievable and document compensating controls
Question 5

What should be in a compliance monitoring and enforcement plan?

ISO 27036-2 expects monitoring and enforcement during the supplier relationship execution period. The plan should define how you verify compliance, how you handle findings, and how you ensure corrective actions are closed.

A monitoring plan is most effective when it includes trend tracking and event-driven reassessments (not only annual refresh).

  • Monitoring cadence: tier-based periodic review + triggers on material change
  • Evidence model: required evidence, quality expectations, reviewer ownership, and storage/traceability
  • Corrective-action handling process: target dates, verification, closure criteria, and escalation thresholds
  • Termination path: when risks cannot be reduced to acceptable levels, exit/transition is a valid control
Question 6

How does ISO 27036 address cloud services and shared responsibility problems?

ISO 27036-1 notes cloud computing can create unclear roles and responsibilities. ISO/IEC 27036-4 provides guidance for information security in cloud services, including the idea that the same lifecycle steps should be repeated for each customer-provider link in a cloud supply chain.

Practically, you want explicit responsibility allocation (provider vs customer) and cloud-specific evidence for isolation, identity, monitoring, and location controls.

  • Define shared responsibility boundaries in the contract and in operating procedures
  • Require evidence for cloud-specific controls (identity, logging, isolation, region/jurisdiction transparency)
  • Treat cloud providers as part of a supply chain and apply flow-down requirements when they rely on other providers
  • Use event-driven reassessment: major architecture changes, region changes, provider changes, or certification loss
Question 7

How does ISO 27036 relate to ISO 27001 and ISO 27002?

Many organizations use ISO 27001/27002 as their baseline ISMS and controls library. ISO 27036 is complementary: it provides deeper, lifecycle-driven requirements and guidance specifically for supplier relationships, where ISO 27002 often provides more general recommendations.

If you are ISO 27001-audited, ISO 27036 helps you create supplier assurance artifacts that map cleanly to audit evidence expectations.

  • ISO 27001: ISMS requirements and audit context
  • ISO 27002: baseline supplier relationship controls
  • ISO 27036: lifecycle processes, agreement requirements, monitoring and enforcement, and cloud supply chain guidance
Recommended next step

Use the ISO 27036 FAQ as a cited research workflow

Research Copilot can take the ISO 27036 FAQ from cited answers to recurring questions on this topic to a reusable workflow inside Sorena. Teams working on ISO 27036 can keep owners, evidence, and next steps aligned without copying this guide into separate documents.
