---
title: "ISO/IEC 27036 Supplier Security FAQ"
canonical_url: "https://www.sorena.io/artifacts/global/iso-27036/faq"
source_url: "https://www.sorena.io/artifacts/global/iso-27036/faq/items"
author: "Sorena AI"
description: "ISO/IEC 27036 FAQ for ISO/IEC 27036 Supplier Relationship Security: practical decisions, evidence, owners, review cadence, and source-linked implementation guidance."
published_at: "2026-05-09"
updated_at: "2026-05-09"
keywords:
  - "ISO/IEC 27036 FAQ"
  - "ISO/IEC 27036"
  - "ISO/IEC 27036 Supplier Relationship Security"
  - "ISO/IEC 27036 FAQ checklist"
  - "ISO/IEC 27036 FAQ evidence"
  - "ISO/IEC 27036 FAQ implementation"
  - "FAQ"
  - "global compliance"
---
**[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform

[Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io)

---

# ISO/IEC 27036 Supplier Security FAQ

ISO/IEC 27036 FAQ for ISO/IEC 27036 Supplier Relationship Security: practical decisions, evidence, owners, review cadence, and source-linked implementation guidance.

*FAQ* *Global* *ISO/IEC 27036*

## ISO/IEC 27036 FAQ

ISO/IEC 27036 FAQ should help teams make a decision, assign owners, and collect evidence under ISO/IEC 27036 Supplier Relationship Security.

Grounded in external ISO, NIST, EU, or framework sources where relevant. Use it as practical implementation guidance, supporting implementation planning and should be validated against jurisdiction-specific legal, contractual, and policy requirements before implementation.

This page defines implementation scope for ISO/IEC 27036: define relationship scope and ownership, collect contractual, technical, and monitoring evidence, and trigger reviews when risk, contract terms, or service use changes.

## Browse sub-FAQ modules

### [ISO/IEC 27036 Assurance Evidence FAQ](/artifacts/global/iso-27036/faq/assurance-evidence.md)

How should teams handle Assurance Evidence under ISO/IEC 27036? Practical answer with owners, evidence, review triggers, and external source references.

- 4 items

### [ISO/IEC 27036 Cloud Suppliers FAQ](/artifacts/global/iso-27036/faq/cloud-suppliers.md)

How should teams handle Cloud Suppliers under ISO/IEC 27036? Practical answer with owners, evidence, review triggers, and external source references.

- 4 items

### [ISO/IEC 27036 Contract Controls FAQ](/artifacts/global/iso-27036/faq/contract-controls.md)

How should teams handle Contract Controls under ISO/IEC 27036? Practical answer with owners, evidence, review triggers, and external source references.

- 4 items

### [ISO/IEC 27036 Fourth Parties FAQ](/artifacts/global/iso-27036/faq/fourth-parties.md)

How should teams manage fourth-party supplier risk under ISO/IEC 27036? Practical answer with owners, evidence, review triggers, and external source references.

- 4 items

### [ISO/IEC 27036 Risk Tiers FAQ](/artifacts/global/iso-27036/faq/risk-tiers.md)

How should teams handle Risk Tiers under ISO/IEC 27036? Practical answer with owners, evidence, review triggers, and external source references.

- 4 items

### [ISO/IEC 27036 Supplier Incidents FAQ](/artifacts/global/iso-27036/faq/supplier-incidents.md)

How should teams handle Supplier Incidents under ISO/IEC 27036? Practical answer with owners, evidence, review triggers, and external source references.

- 4 items

### [ISO/IEC 27036 Supplier Monitoring FAQ](/artifacts/global/iso-27036/faq/supplier-monitoring.md)

How should teams handle Supplier Monitoring under ISO/IEC 27036? Practical answer with owners, evidence, review triggers, and external source references.

- 4 items

### [ISO/IEC 27036 Termination And Offboarding FAQ](/artifacts/global/iso-27036/faq/termination-and-offboarding.md)

How should teams handle Termination And Offboarding under ISO/IEC 27036? Practical answer with owners, evidence, review triggers, and external source references.

- 4 items

Browse all indexed questions: [/artifacts/global/iso-27036/faq/items](/artifacts/global/iso-27036/faq/items.md)

## All FAQ items

*Page 1 of 2. Showing 20 of 32 items.*

### [How should teams handle Assurance Evidence under ISO/IEC 27036?](/artifacts/global/iso-27036/faq/assurance-evidence.md#how-should-teams-handle-assurance-evidence-under-isoiec-27036)

*Module: [ISO/IEC 27036 Assurance Evidence](/artifacts/global/iso-27036/faq/assurance-evidence.md)*

Start with the operational decision: define what Assurance Evidence means in your ISO/IEC 27036 scope, who owns it, and what record proves the decision is current.

- Name the accountable owner and reviewer for Assurance Evidence.
- Record the scope, assumptions, decision, approval date, evidence location, exception status, and next review trigger.
- Escalate when Assurance Evidence changes risk acceptance, service commitments, customer promises, regulatory duties, or certification evidence.

Sources for this answer:

- [ISO/IEC 27036-1:2021 standard page](https://www.iso.org/standard/82905.html?ref=sorena.io) - Primary ISO listing that frames assurance evidence as part of supplier relationship security overview, concepts, and reviewable implementation records.
- [ISO/IEC 27036-2:2022 standard page](https://www.iso.org/standard/82060.html?ref=sorena.io) - Primary ISO listing for supplier and acquirer relationship requirements that supports evidence for implementation, monitoring, review, and improvement.

### [What evidence should prove Assurance Evidence is current under ISO/IEC 27036?](/artifacts/global/iso-27036/faq/assurance-evidence.md#what-evidence-should-prove-assurance-evidence-is-current-under-isoiec-27036)

*Module: [ISO/IEC 27036 Assurance Evidence](/artifacts/global/iso-27036/faq/assurance-evidence.md)*

The evidence should show the process operating. For this artifact, the strongest record usually includes supplier tiering, due diligence, contract clauses, assurance reviews, fourth-party visibility, incident handoffs, monitoring records, and offboarding evidence.

- Use source records from the system of work, not screenshots created only for audit day.
- Keep exceptions visible as risk acceptance, corrective action, or management-review input.
- Update linked registers when the answer changes an owner, risk, control, service, supplier, or review date.

Sources for this answer:

- [ISO/IEC 27036-2:2022 standard page](https://www.iso.org/standard/82060.html?ref=sorena.io) - Primary ISO listing for supplier and acquirer relationship requirements that supports evidence for implementation, monitoring, review, and improvement.
- [ISO/IEC 27036-3:2023 standard page](https://www.iso.org/standard/82890.html?ref=sorena.io) - Primary ISO listing for hardware, software, and service supply-chain guidance that supports supply-chain assurance evidence and review records.

### [Who should approve Assurance Evidence decisions under ISO/IEC 27036?](/artifacts/global/iso-27036/faq/assurance-evidence.md#who-should-approve-assurance-evidence-decisions-under-isoiec-27036)

*Module: [ISO/IEC 27036 Assurance Evidence](/artifacts/global/iso-27036/faq/assurance-evidence.md)*

The person who can fund, operate, and correct the process should own the decision; governance should review consistency and exceptions.

- Use a named owner, named backup, and named escalation forum.
- Separate preparation work from risk acceptance and final approval.
- Keep approval records with the evidence rather than in disconnected email threads.

Sources for this answer:

- [ISO/IEC 27036-1:2021 standard page](https://www.iso.org/standard/82905.html?ref=sorena.io) - Primary ISO listing that frames assurance evidence as part of supplier relationship security overview, concepts, and reviewable implementation records.
- [ISO/IEC 27036-2:2022 standard page](https://www.iso.org/standard/82060.html?ref=sorena.io) - Primary ISO listing for supplier and acquirer relationship requirements that supports evidence for implementation, monitoring, review, and improvement.

### [When should Assurance Evidence be reviewed under ISO/IEC 27036?](/artifacts/global/iso-27036/faq/assurance-evidence.md#when-should-assurance-evidence-be-reviewed-under-isoiec-27036)

*Module: [ISO/IEC 27036 Assurance Evidence](/artifacts/global/iso-27036/faq/assurance-evidence.md)*

Review it at planned intervals and whenever the underlying scope, service, supplier, control, risk, AI system, personal data flow, incident process, or customer commitment changes.

- Set a planned review date and a change-trigger rule.
- Use findings to update controls, procedures, contracts, risk registers, or training.
- Carry unresolved items into management review or risk acceptance.

Sources for this answer:

- [ISO/IEC 27036-1:2021 standard page](https://www.iso.org/standard/82905.html?ref=sorena.io) - Primary ISO listing that frames assurance evidence as part of supplier relationship security overview, concepts, and reviewable implementation records.
- [ISO/IEC 27036-2:2022 standard page](https://www.iso.org/standard/82060.html?ref=sorena.io) - Primary ISO listing for supplier and acquirer relationship requirements that supports evidence for implementation, monitoring, review, and improvement.

### [How should teams handle Cloud Suppliers under ISO/IEC 27036?](/artifacts/global/iso-27036/faq/cloud-suppliers.md#how-should-teams-handle-cloud-suppliers-under-isoiec-27036)

*Module: [ISO/IEC 27036 Cloud Suppliers](/artifacts/global/iso-27036/faq/cloud-suppliers.md)*

Start with the operational decision: define what Cloud Suppliers means in your ISO/IEC 27036 scope, who owns it, and what record proves the decision is current.

- Name the accountable owner and reviewer for Cloud Suppliers.
- Record the scope, assumptions, decision, approval date, evidence location, exception status, and next review trigger.
- Escalate when Cloud Suppliers changes risk acceptance, service commitments, customer promises, regulatory duties, or certification evidence.

Sources for this answer:

- [ISO/IEC 27036-1:2021 standard page](https://www.iso.org/standard/82905.html?ref=sorena.io) - Primary ISO listing for supplier relationship security overview and concepts.
- [ISO/IEC 27036-2:2022 standard page](https://www.iso.org/standard/82060.html?ref=sorena.io) - Primary ISO listing for supplier and acquirer relationship requirements.

### [What evidence should prove Cloud Suppliers is current under ISO/IEC 27036?](/artifacts/global/iso-27036/faq/cloud-suppliers.md#what-evidence-should-prove-cloud-suppliers-is-current-under-isoiec-27036)

*Module: [ISO/IEC 27036 Cloud Suppliers](/artifacts/global/iso-27036/faq/cloud-suppliers.md)*

The evidence should show the process operating. For this artifact, the strongest record usually includes supplier tiering, due diligence, contract clauses, assurance reviews, fourth-party visibility, incident handoffs, monitoring records, and offboarding evidence.

- Use source records from the system of work, not screenshots created only for audit day.
- Keep exceptions visible as risk acceptance, corrective action, or management-review input.
- Update linked registers when the answer changes an owner, risk, control, service, supplier, or review date.

Sources for this answer:

- [ISO/IEC 27036-2:2022 standard page](https://www.iso.org/standard/82060.html?ref=sorena.io) - Primary ISO listing for supplier and acquirer relationship requirements.
- [ISO/IEC 27036-3:2023 standard page](https://www.iso.org/standard/82890.html?ref=sorena.io) - Primary ISO listing for hardware, software, and service supply-chain guidance.

### [Who should approve Cloud Suppliers decisions under ISO/IEC 27036?](/artifacts/global/iso-27036/faq/cloud-suppliers.md#who-should-approve-cloud-suppliers-decisions-under-isoiec-27036)

*Module: [ISO/IEC 27036 Cloud Suppliers](/artifacts/global/iso-27036/faq/cloud-suppliers.md)*

The person who can fund, operate, and correct the process should own the decision; governance should review consistency and exceptions.

- Use a named owner, named backup, and named escalation forum.
- Separate preparation work from risk acceptance and final approval.
- Keep approval records with the evidence rather than in disconnected email threads.

Sources for this answer:

- [ISO/IEC 27036-1:2021 standard page](https://www.iso.org/standard/82905.html?ref=sorena.io) - Primary ISO listing for supplier relationship security overview and concepts.
- [ISO/IEC 27036-2:2022 standard page](https://www.iso.org/standard/82060.html?ref=sorena.io) - Primary ISO listing for supplier and acquirer relationship requirements.

### [When should Cloud Suppliers be reviewed under ISO/IEC 27036?](/artifacts/global/iso-27036/faq/cloud-suppliers.md#when-should-cloud-suppliers-be-reviewed-under-isoiec-27036)

*Module: [ISO/IEC 27036 Cloud Suppliers](/artifacts/global/iso-27036/faq/cloud-suppliers.md)*

Review it at planned intervals and whenever the underlying scope, service, supplier, control, risk, AI system, personal data flow, incident process, or customer commitment changes.

- Set a planned review date and a change-trigger rule.
- Use findings to update controls, procedures, contracts, risk registers, or training.
- Carry unresolved items into management review or risk acceptance.

Sources for this answer:

- [ISO/IEC 27036-1:2021 standard page](https://www.iso.org/standard/82905.html?ref=sorena.io) - Primary ISO listing for supplier relationship security overview and concepts.
- [ISO/IEC 27036-2:2022 standard page](https://www.iso.org/standard/82060.html?ref=sorena.io) - Primary ISO listing for supplier and acquirer relationship requirements.

### [How should teams handle Contract Controls under ISO/IEC 27036?](/artifacts/global/iso-27036/faq/contract-controls.md#how-should-teams-handle-contract-controls-under-isoiec-27036)

*Module: [ISO/IEC 27036 Contract Controls](/artifacts/global/iso-27036/faq/contract-controls.md)*

Start with the operational decision: define what Contract Controls means in your ISO/IEC 27036 scope, who owns it, and what record proves the decision is current.

- Name the accountable owner and reviewer for Contract Controls.
- Record the scope, assumptions, decision, approval date, evidence location, exception status, and next review trigger.
- Escalate when Contract Controls changes risk acceptance, service commitments, customer promises, regulatory duties, or certification evidence.

Sources for this answer:

- [ISO/IEC 27036-1:2021 standard page](https://www.iso.org/standard/82905.html?ref=sorena.io) - ISO/IEC 27036-1 supports the contract-controls FAQ by framing supplier relationship security concepts used to structure contract ownership, evidence, and review records.
- [ISO/IEC 27036-2:2022 standard page](https://www.iso.org/standard/82060.html?ref=sorena.io) - Primary ISO listing for supplier and acquirer relationship requirements.

### [What evidence should prove Contract Controls is current under ISO/IEC 27036?](/artifacts/global/iso-27036/faq/contract-controls.md#what-evidence-should-prove-contract-controls-is-current-under-isoiec-27036)

*Module: [ISO/IEC 27036 Contract Controls](/artifacts/global/iso-27036/faq/contract-controls.md)*

The evidence should show the process operating. For this artifact, the strongest record usually includes supplier tiering, due diligence, contract clauses, assurance reviews, fourth-party visibility, incident handoffs, monitoring records, and offboarding evidence.

- Use source records from the system of work, not screenshots created only for audit day.
- Keep exceptions visible as risk acceptance, corrective action, or management-review input.
- Update linked registers when the answer changes an owner, risk, control, service, supplier, or review date.

Sources for this answer:

- [ISO/IEC 27036-2:2022 standard page](https://www.iso.org/standard/82060.html?ref=sorena.io) - Primary ISO listing for supplier and acquirer relationship requirements.
- [ISO/IEC 27036-3:2023 standard page](https://www.iso.org/standard/82890.html?ref=sorena.io) - Primary ISO listing for hardware, software, and service supply-chain guidance.

### [Who should approve Contract Controls decisions under ISO/IEC 27036?](/artifacts/global/iso-27036/faq/contract-controls.md#who-should-approve-contract-controls-decisions-under-isoiec-27036)

*Module: [ISO/IEC 27036 Contract Controls](/artifacts/global/iso-27036/faq/contract-controls.md)*

The person who can fund, operate, and correct the process should own the decision; governance should review consistency and exceptions.

- Use a named owner, named backup, and named escalation forum.
- Separate preparation work from risk acceptance and final approval.
- Keep approval records with the evidence rather than in disconnected email threads.

Sources for this answer:

- [ISO/IEC 27036-1:2021 standard page](https://www.iso.org/standard/82905.html?ref=sorena.io) - ISO/IEC 27036-1 supports the contract-controls FAQ by framing supplier relationship security concepts used to structure contract ownership, evidence, and review records.
- [ISO/IEC 27036-2:2022 standard page](https://www.iso.org/standard/82060.html?ref=sorena.io) - Primary ISO listing for supplier and acquirer relationship requirements.

### [When should Contract Controls be reviewed under ISO/IEC 27036?](/artifacts/global/iso-27036/faq/contract-controls.md#when-should-contract-controls-be-reviewed-under-isoiec-27036)

*Module: [ISO/IEC 27036 Contract Controls](/artifacts/global/iso-27036/faq/contract-controls.md)*

Review it at planned intervals and whenever the underlying scope, service, supplier, control, risk, AI system, personal data flow, incident process, or customer commitment changes.

- Set a planned review date and a change-trigger rule.
- Use findings to update controls, procedures, contracts, risk registers, or training.
- Carry unresolved items into management review or risk acceptance.

Sources for this answer:

- [ISO/IEC 27036-1:2021 standard page](https://www.iso.org/standard/82905.html?ref=sorena.io) - ISO/IEC 27036-1 supports the contract-controls FAQ by framing supplier relationship security concepts used to structure contract ownership, evidence, and review records.
- [ISO/IEC 27036-2:2022 standard page](https://www.iso.org/standard/82060.html?ref=sorena.io) - Primary ISO listing for supplier and acquirer relationship requirements.

### [How should teams manage Fourth Parties under ISO/IEC 27036?](/artifacts/global/iso-27036/faq/fourth-parties.md#how-should-teams-manage-fourth-parties-under-isoiec-27036)

*Module: [ISO/IEC 27036 Fourth Parties](/artifacts/global/iso-27036/faq/fourth-parties.md)*

Start with the operational decision: define what Fourth Parties means in your ISO/IEC 27036 scope, who owns it, and what record proves the decision is current.

- Name the accountable owner and reviewer for Fourth Parties.
- Record the scope, assumptions, decision, approval date, evidence location, exception status, and next review trigger.
- Escalate when Fourth Parties changes risk acceptance, service commitments, customer promises, regulatory duties, or certification evidence.

Sources for this answer:

- [ISO/IEC 27036-1:2021 standard page](https://www.iso.org/standard/82905.html?ref=sorena.io) - Primary ISO listing for supplier relationship security overview and concepts.
- [ISO/IEC 27036-2:2022 standard page](https://www.iso.org/standard/82060.html?ref=sorena.io) - Primary ISO listing for supplier and acquirer relationship requirements.

### [What evidence should prove Fourth Parties is current under ISO/IEC 27036?](/artifacts/global/iso-27036/faq/fourth-parties.md#what-evidence-should-prove-fourth-parties-is-current-under-isoiec-27036)

*Module: [ISO/IEC 27036 Fourth Parties](/artifacts/global/iso-27036/faq/fourth-parties.md)*

The evidence should show the process operating. For this artifact, the strongest record usually includes supplier tiering, due diligence, contract clauses, assurance reviews, fourth-party visibility, incident handoffs, monitoring records, and offboarding evidence.

- Use source records from the system of work, not screenshots created only for audit day.
- Keep exceptions visible as risk acceptance, corrective action, or management-review input.
- Update linked registers when the answer changes an owner, risk, control, service, supplier, or review date.

Sources for this answer:

- [ISO/IEC 27036-2:2022 standard page](https://www.iso.org/standard/82060.html?ref=sorena.io) - Primary ISO listing for supplier and acquirer relationship requirements.
- [ISO/IEC 27036-3:2023 standard page](https://www.iso.org/standard/82890.html?ref=sorena.io) - Primary ISO listing for hardware, software, and service supply-chain guidance.

### [How do Fourth Parties differ from suppliers in ISO/IEC 27036?](/artifacts/global/iso-27036/faq/fourth-parties.md#how-do-fourth-parties-differ-from-suppliers-in-isoiec-27036)

*Module: [ISO/IEC 27036 Fourth Parties](/artifacts/global/iso-27036/faq/fourth-parties.md)*

In this context, suppliers are the direct parties you acquire from, while fourth parties are the downstream suppliers and supply chains behind those suppliers. NIST SP 800-161 describes cybersecurity risks throughout the supply chain as arising from suppliers, their supply chains, and their products or services, and it also notes that supplier contracts should flow down to sub-tier contractors.

- Treat direct suppliers and downstream sub-tier providers as separate risk layers.
- Capture whether visibility extends to fourth-party products, services, and controls.
- Require flow-down controls where the contract or service model depends on sub-tier work.

Sources for this answer:

- [NIST SP 800-161r1-upd1](https://doi.org/10.6028/NIST.SP.800-161r1-upd1?ref=sorena.io) - Explains that cybersecurity risks throughout the supply chain arise from suppliers, their supply chains, and their products or services, and discusses flow-down controls to sub-tier contractors.
- [ISO/IEC 27036-2:2022 standard page](https://www.iso.org/standard/82060.html?ref=sorena.io) - Primary ISO listing for supplier and acquirer relationship requirements.

### [When should Fourth Parties be reviewed under ISO/IEC 27036?](/artifacts/global/iso-27036/faq/fourth-parties.md#when-should-fourth-parties-be-reviewed-under-isoiec-27036)

*Module: [ISO/IEC 27036 Fourth Parties](/artifacts/global/iso-27036/faq/fourth-parties.md)*

Review it at planned intervals and whenever the underlying scope, service, supplier, control, risk, AI system, personal data flow, incident process, or customer commitment changes.

- Set a planned review date and a change-trigger rule.
- Use findings to update controls, procedures, contracts, risk registers, or training.
- Carry unresolved items into management review or risk acceptance.

Sources for this answer:

- [ISO/IEC 27036-1:2021 standard page](https://www.iso.org/standard/82905.html?ref=sorena.io) - Primary ISO listing for supplier relationship security overview and concepts.
- [ISO/IEC 27036-2:2022 standard page](https://www.iso.org/standard/82060.html?ref=sorena.io) - Primary ISO listing for supplier and acquirer relationship requirements.

### [How should teams handle Risk Tiers under ISO/IEC 27036?](/artifacts/global/iso-27036/faq/risk-tiers.md#how-should-teams-handle-risk-tiers-under-isoiec-27036)

*Module: [ISO/IEC 27036 Risk Tiers](/artifacts/global/iso-27036/faq/risk-tiers.md)*

Start with the operational decision: define what Risk Tiers means in your ISO/IEC 27036 scope, who owns it, and what record proves the decision is current. Under NIST SP 800-30, risk is typically a function of likelihood and impact, so a practical tiering model should sort suppliers, services, or scenarios by those two factors and by the business context that makes them more or less important.

- Name the accountable owner and reviewer for Risk Tiers.
- Record the scope, assumptions, decision, approval date, evidence location, exception status, and next review trigger.
- Escalate when Risk Tiers changes risk acceptance, service commitments, customer promises, regulatory duties, or certification evidence.

Sources for this answer:

- [ISO/IEC 27036-1:2021 standard page](https://www.iso.org/standard/82905.html?ref=sorena.io) - Supports the Risk Tiers guidance by framing ISO/IEC 27036 supplier-relationship security concepts used to classify supplier risk and governance depth.
- [NIST Special Publication 800-30](https://csrc.nist.gov/publications/detail/sp/800-30?ref=sorena.io) - Grounds the practical distinction between tiers in likelihood and impact, and in repeated review as risk conditions change.

### [What evidence should prove Risk Tiers is current under ISO/IEC 27036?](/artifacts/global/iso-27036/faq/risk-tiers.md#what-evidence-should-prove-risk-tiers-is-current-under-isoiec-27036)

*Module: [ISO/IEC 27036 Risk Tiers](/artifacts/global/iso-27036/faq/risk-tiers.md)*

The evidence should show the process operating. For this artifact, the strongest record usually includes supplier tiering, due diligence, contract clauses, assurance reviews, fourth-party visibility, incident handoffs, monitoring records, and offboarding evidence.

- Use source records from the system of work, not screenshots created only for audit day.
- Keep exceptions visible as risk acceptance, corrective action, or management-review input.
- Update linked registers when the answer changes an owner, risk, control, service, supplier, or review date.

Sources for this answer:

- [ISO/IEC 27036-2:2022 standard page](https://www.iso.org/standard/82060.html?ref=sorena.io) - Primary ISO listing for supplier and acquirer relationship requirements.
- [ISO/IEC 27036-3:2023 standard page](https://www.iso.org/standard/82890.html?ref=sorena.io) - Primary ISO listing for hardware, software, and service supply-chain guidance.

### [Who should approve Risk Tiers decisions under ISO/IEC 27036?](/artifacts/global/iso-27036/faq/risk-tiers.md#who-should-approve-risk-tiers-decisions-under-isoiec-27036)

*Module: [ISO/IEC 27036 Risk Tiers](/artifacts/global/iso-27036/faq/risk-tiers.md)*

The person who can fund, operate, and correct the process should own the decision; governance should review consistency and exceptions.

- Use a named owner, named backup, and named escalation forum.
- Separate preparation work from risk acceptance and final approval.
- Keep approval records with the evidence rather than in disconnected email threads.

Sources for this answer:

- [ISO/IEC 27036-1:2021 standard page](https://www.iso.org/standard/82905.html?ref=sorena.io) - Supports the Risk Tiers guidance by framing ISO/IEC 27036 supplier-relationship security concepts used to classify supplier risk and governance depth.
- [ISO/IEC 27036-2:2022 standard page](https://www.iso.org/standard/82060.html?ref=sorena.io) - Primary ISO listing for supplier and acquirer relationship requirements.

### [When should Risk Tiers be reviewed under ISO/IEC 27036?](/artifacts/global/iso-27036/faq/risk-tiers.md#when-should-risk-tiers-be-reviewed-under-isoiec-27036)

*Module: [ISO/IEC 27036 Risk Tiers](/artifacts/global/iso-27036/faq/risk-tiers.md)*

Review it at planned intervals and whenever the underlying scope, service, supplier, control, risk, AI system, personal data flow, incident process, or customer commitment changes.

- Set a planned review date and a change-trigger rule.
- Use findings to update controls, procedures, contracts, risk registers, or training.
- Carry unresolved items into management review or risk acceptance.

Sources for this answer:

- [ISO/IEC 27036-1:2021 standard page](https://www.iso.org/standard/82905.html?ref=sorena.io) - Supports the Risk Tiers guidance by framing ISO/IEC 27036 supplier-relationship security concepts used to classify supplier risk and governance depth.
- [ISO/IEC 27036-2:2022 standard page](https://www.iso.org/standard/82060.html?ref=sorena.io) - Primary ISO listing for supplier and acquirer relationship requirements.

## FAQ Pagination

- Canonical index (page 1): [/artifacts/global/iso-27036/faq/items](/artifacts/global/iso-27036/faq/items.md)
- Page 1 rule: `/page/1` is intentionally not generated; use the canonical index markdown URL.
- Current page: 1 of 2

Pages: [1](/artifacts/global/iso-27036/faq/items.md) | [2](/artifacts/global/iso-27036/faq/items/page/2.md)

[Next page](/artifacts/global/iso-27036/faq/items/page/2.md)

*Recommended next step*

*Placement: after implementation guidance*

## Operationalize ISO/IEC 27036 FAQ

Capture owners, evidence, decisions, and review dates in one workflow record so supplier security controls and escalation points stay auditable over time.

- [Open Assessment Autopilot for ISO/IEC 27036](/solutions/assessment.md): Convert ISO/IEC 27036 FAQ into accountable tasks, evidence requests, and review checkpoints.
- [Talk through implementation](/contact.md): Review your current scope, evidence gaps, and next implementation steps.


---

[Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us)

(c) 2026 Sorena AB (559573-7338). All rights reserved.

Source: https://www.sorena.io/artifacts/global/iso-27036/faq/items