--- title: "ISO/IEC 27036 Supplier Security FAQ" canonical_url: "https://www.sorena.io/artifacts/global/iso-27036/faq" source_url: "https://www.sorena.io/artifacts/global/iso-27036/faq/items/page/2" author: "Sorena AI" description: "ISO/IEC 27036 FAQ for ISO/IEC 27036 Supplier Relationship Security: practical decisions, evidence, owners, review cadence, and source-linked implementation guidance." published_at: "2026-05-09" updated_at: "2026-05-09" keywords: - "ISO/IEC 27036 FAQ" - "ISO/IEC 27036" - "ISO/IEC 27036 Supplier Relationship Security" - "ISO/IEC 27036 FAQ checklist" - "ISO/IEC 27036 FAQ evidence" - "ISO/IEC 27036 FAQ implementation" - "FAQ" - "global compliance" --- **[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform [Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io) --- # ISO/IEC 27036 Supplier Security FAQ ISO/IEC 27036 FAQ for ISO/IEC 27036 Supplier Relationship Security: practical decisions, evidence, owners, review cadence, and source-linked implementation guidance. *FAQ* *Global* *ISO/IEC 27036* ## ISO/IEC 27036 FAQ ISO/IEC 27036 FAQ should help teams make a decision, assign owners, and collect evidence under ISO/IEC 27036 Supplier Relationship Security. Grounded in external ISO, NIST, EU, or framework sources where relevant. Use it as practical implementation guidance, supporting implementation planning and should be validated against jurisdiction-specific legal, contractual, and policy requirements before implementation. This page defines implementation scope for ISO/IEC 27036: define relationship scope and ownership, collect contractual, technical, and monitoring evidence, and trigger reviews when risk, contract terms, or service use changes. ## Browse sub-FAQ modules ### [ISO/IEC 27036 Assurance Evidence FAQ](/artifacts/global/iso-27036/faq/assurance-evidence.md) How should teams handle Assurance Evidence under ISO/IEC 27036? Practical answer with owners, evidence, review triggers, and external source references. - 4 items ### [ISO/IEC 27036 Cloud Suppliers FAQ](/artifacts/global/iso-27036/faq/cloud-suppliers.md) How should teams handle Cloud Suppliers under ISO/IEC 27036? Practical answer with owners, evidence, review triggers, and external source references. - 4 items ### [ISO/IEC 27036 Contract Controls FAQ](/artifacts/global/iso-27036/faq/contract-controls.md) How should teams handle Contract Controls under ISO/IEC 27036? Practical answer with owners, evidence, review triggers, and external source references. - 4 items ### [ISO/IEC 27036 Fourth Parties FAQ](/artifacts/global/iso-27036/faq/fourth-parties.md) How should teams manage fourth-party supplier risk under ISO/IEC 27036? Practical answer with owners, evidence, review triggers, and external source references. - 4 items ### [ISO/IEC 27036 Risk Tiers FAQ](/artifacts/global/iso-27036/faq/risk-tiers.md) How should teams handle Risk Tiers under ISO/IEC 27036? Practical answer with owners, evidence, review triggers, and external source references. - 4 items ### [ISO/IEC 27036 Supplier Incidents FAQ](/artifacts/global/iso-27036/faq/supplier-incidents.md) How should teams handle Supplier Incidents under ISO/IEC 27036? Practical answer with owners, evidence, review triggers, and external source references. - 4 items ### [ISO/IEC 27036 Supplier Monitoring FAQ](/artifacts/global/iso-27036/faq/supplier-monitoring.md) How should teams handle Supplier Monitoring under ISO/IEC 27036? Practical answer with owners, evidence, review triggers, and external source references. - 4 items ### [ISO/IEC 27036 Termination And Offboarding FAQ](/artifacts/global/iso-27036/faq/termination-and-offboarding.md) How should teams handle Termination And Offboarding under ISO/IEC 27036? Practical answer with owners, evidence, review triggers, and external source references. - 4 items Browse all indexed questions: [/artifacts/global/iso-27036/faq/items](/artifacts/global/iso-27036/faq/items.md) ## All FAQ items *Page 2 of 2. Showing 12 of 32 items.* ### [How should teams handle Supplier Incidents under ISO/IEC 27036?](/artifacts/global/iso-27036/faq/supplier-incidents.md#how-should-teams-handle-supplier-incidents-under-isoiec-27036) *Module: [ISO/IEC 27036 Supplier Incidents](/artifacts/global/iso-27036/faq/supplier-incidents.md)* In practical terms, a supplier incident is a problem or compromise connected to a supplier, its products or services, or its supply chain that can affect your organization. NIST SP 800-61r3 describes incidents as events that actually or imminently jeopardize confidentiality, integrity, or availability, and it includes compromise examples involving suppliers and vendors. - Name the accountable owner and reviewer for Supplier Incidents. - Record the scope, assumptions, decision, approval date, evidence location, exception status, and next review trigger. - Escalate when Supplier Incidents changes risk acceptance, service commitments, customer promises, regulatory duties, or certification evidence. Sources for this answer: - [ISO/IEC 27036-1:2021 standard page](https://www.iso.org/standard/82905.html?ref=sorena.io) - ISO overview source for applying ISO/IEC 27036 supplier relationship security concepts to supplier incident ownership and escalation records. - [ISO/IEC 27036-2:2022 standard page](https://www.iso.org/standard/82060.html?ref=sorena.io) - Primary ISO listing for supplier and acquirer relationship requirements. ### [What evidence should prove Supplier Incidents is current under ISO/IEC 27036?](/artifacts/global/iso-27036/faq/supplier-incidents.md#what-evidence-should-prove-supplier-incidents-is-current-under-isoiec-27036) *Module: [ISO/IEC 27036 Supplier Incidents](/artifacts/global/iso-27036/faq/supplier-incidents.md)* The evidence should show the process operating. For this artifact, the strongest record usually includes supplier tiering, due diligence, contract clauses, assurance reviews, fourth-party visibility, incident handoffs, monitoring records, and offboarding evidence. - Use source records from the system of work, not screenshots created only for audit day. - Keep exceptions visible as risk acceptance, corrective action, or management-review input. - Update linked registers when the answer changes an owner, risk, control, service, supplier, or review date. Sources for this answer: - [ISO/IEC 27036-2:2022 standard page](https://www.iso.org/standard/82060.html?ref=sorena.io) - Primary ISO listing for supplier and acquirer relationship requirements. - [ISO/IEC 27036-3:2023 standard page](https://www.iso.org/standard/82890.html?ref=sorena.io) - Primary ISO listing for hardware, software, and service supply-chain guidance. ### [Who should approve Supplier Incidents decisions under ISO/IEC 27036?](/artifacts/global/iso-27036/faq/supplier-incidents.md#who-should-approve-supplier-incidents-decisions-under-isoiec-27036) *Module: [ISO/IEC 27036 Supplier Incidents](/artifacts/global/iso-27036/faq/supplier-incidents.md)* The person who can fund, operate, and correct the process should own the decision; governance should review consistency and exceptions. - Use a named owner, named backup, and named escalation forum. - Separate preparation work from risk acceptance and final approval. - Keep approval records with the evidence rather than in disconnected email threads. Sources for this answer: - [ISO/IEC 27036-1:2021 standard page](https://www.iso.org/standard/82905.html?ref=sorena.io) - Primary ISO listing for supplier relationship security overview and concepts. - [ISO/IEC 27036-2:2022 standard page](https://www.iso.org/standard/82060.html?ref=sorena.io) - Primary ISO listing for supplier and acquirer relationship requirements. ### [When should Supplier Incidents be reviewed under ISO/IEC 27036?](/artifacts/global/iso-27036/faq/supplier-incidents.md#when-should-supplier-incidents-be-reviewed-under-isoiec-27036) *Module: [ISO/IEC 27036 Supplier Incidents](/artifacts/global/iso-27036/faq/supplier-incidents.md)* Review it at planned intervals and whenever the underlying scope, service, supplier, control, risk, AI system, personal data flow, incident process, or customer commitment changes. - Set a planned review date and a change-trigger rule. - Use findings to update controls, procedures, contracts, risk registers, or training. - Carry unresolved items into management review or risk acceptance. Sources for this answer: - [ISO/IEC 27036-1:2021 standard page](https://www.iso.org/standard/82905.html?ref=sorena.io) - Primary ISO listing for supplier relationship security overview and concepts. - [ISO/IEC 27036-2:2022 standard page](https://www.iso.org/standard/82060.html?ref=sorena.io) - Primary ISO listing for supplier and acquirer relationship requirements. ### [How should teams handle Supplier Monitoring under ISO/IEC 27036?](/artifacts/global/iso-27036/faq/supplier-monitoring.md#how-should-teams-handle-supplier-monitoring-under-isoiec-27036) *Module: [ISO/IEC 27036 Supplier Monitoring](/artifacts/global/iso-27036/faq/supplier-monitoring.md)* Start with the operational decision: define what Supplier Monitoring means in your ISO/IEC 27036 scope, who owns it, and what record proves the decision is current. - Name the accountable owner and reviewer for Supplier Monitoring. - Record the scope, assumptions, decision, approval date, evidence location, exception status, and next review trigger. - Escalate when Supplier Monitoring changes risk acceptance, service commitments, customer promises, regulatory duties, or certification evidence. Sources for this answer: - [ISO/IEC 27036-1:2021 standard page](https://www.iso.org/standard/82905.html?ref=sorena.io) - Primary ISO listing for supplier relationship security overview and concepts. - [ISO/IEC 27036-2:2022 standard page](https://www.iso.org/standard/82060.html?ref=sorena.io) - Primary ISO listing for supplier and acquirer relationship requirements. ### [What evidence should prove Supplier Monitoring is current under ISO/IEC 27036?](/artifacts/global/iso-27036/faq/supplier-monitoring.md#what-evidence-should-prove-supplier-monitoring-is-current-under-isoiec-27036) *Module: [ISO/IEC 27036 Supplier Monitoring](/artifacts/global/iso-27036/faq/supplier-monitoring.md)* The evidence should show the process operating. For this artifact, the strongest record usually includes supplier tiering, due diligence, contract clauses, assurance reviews, fourth-party visibility, incident handoffs, monitoring records, and offboarding evidence. - Use source records from the system of work, not screenshots created only for audit day. - Keep exceptions visible as risk acceptance, corrective action, or management-review input. - Update linked registers when the answer changes an owner, risk, control, service, supplier, or review date. Sources for this answer: - [ISO/IEC 27036-2:2022 standard page](https://www.iso.org/standard/82060.html?ref=sorena.io) - Primary ISO listing for supplier and acquirer relationship requirements. - [ISO/IEC 27036-3:2023 standard page](https://www.iso.org/standard/82890.html?ref=sorena.io) - Primary ISO listing for hardware, software, and service supply-chain guidance. ### [Who should approve Supplier Monitoring decisions under ISO/IEC 27036?](/artifacts/global/iso-27036/faq/supplier-monitoring.md#who-should-approve-supplier-monitoring-decisions-under-isoiec-27036) *Module: [ISO/IEC 27036 Supplier Monitoring](/artifacts/global/iso-27036/faq/supplier-monitoring.md)* The person who can fund, operate, and correct the process should own the decision; governance should review consistency and exceptions. - Use a named owner, named backup, and named escalation forum. - Separate preparation work from risk acceptance and final approval. - Keep approval records with the evidence rather than in disconnected email threads. Sources for this answer: - [ISO/IEC 27036-1:2021 standard page](https://www.iso.org/standard/82905.html?ref=sorena.io) - Primary ISO listing for supplier relationship security overview and concepts. - [ISO/IEC 27036-2:2022 standard page](https://www.iso.org/standard/82060.html?ref=sorena.io) - Primary ISO listing for supplier and acquirer relationship requirements. ### [When should Supplier Monitoring be reviewed under ISO/IEC 27036?](/artifacts/global/iso-27036/faq/supplier-monitoring.md#when-should-supplier-monitoring-be-reviewed-under-isoiec-27036) *Module: [ISO/IEC 27036 Supplier Monitoring](/artifacts/global/iso-27036/faq/supplier-monitoring.md)* Review it at planned intervals and whenever the underlying scope, service, supplier, control, risk, AI system, personal data flow, incident process, or customer commitment changes. - Set a planned review date and a change-trigger rule. - Use findings to update controls, procedures, contracts, risk registers, or training. - Carry unresolved items into management review or risk acceptance. Sources for this answer: - [ISO/IEC 27036-1:2021 standard page](https://www.iso.org/standard/82905.html?ref=sorena.io) - Primary ISO listing for supplier relationship security overview and concepts. - [ISO/IEC 27036-2:2022 standard page](https://www.iso.org/standard/82060.html?ref=sorena.io) - Primary ISO listing for supplier and acquirer relationship requirements. ### [How should teams handle Termination And Offboarding under ISO/IEC 27036?](/artifacts/global/iso-27036/faq/termination-and-offboarding.md#how-should-teams-handle-termination-and-offboarding-under-isoiec-27036) *Module: [ISO/IEC 27036 Termination And Offboarding](/artifacts/global/iso-27036/faq/termination-and-offboarding.md)* Start with the operational decision: define what Termination And Offboarding means in your ISO/IEC 27036 scope, who owns it, and what record proves the decision is current. - Name the accountable owner and reviewer for Termination And Offboarding. - Record the scope, assumptions, decision, approval date, evidence location, exception status, and next review trigger. - Before closure, revoke accounts and access paths, collect badges, devices, keys, and other assets, and confirm what data must be returned, deleted, or retained. - Document contract closeout actions, including handoff of open work, final deliverables, and any residual support or transition obligations. - Escalate when Termination And Offboarding changes risk acceptance, service commitments, customer promises, regulatory duties, or certification evidence. Sources for this answer: - [ISO/IEC 27036-1:2021 standard page](https://www.iso.org/standard/82905.html?ref=sorena.io) - Primary ISO listing for supplier relationship security overview and concepts. - [ISO/IEC 27036-2:2022 standard page](https://www.iso.org/standard/82060.html?ref=sorena.io) - Primary ISO listing for supplier and acquirer relationship requirements. - [NIST SP 800-53r5](https://doi.org/10.6028/NIST.SP.800-53r5?ref=sorena.io) - Supports practical offboarding steps such as account removal, termination coordination, and media sanitization. ### [What evidence should prove Termination And Offboarding is current under ISO/IEC 27036?](/artifacts/global/iso-27036/faq/termination-and-offboarding.md#what-evidence-should-prove-termination-and-offboarding-is-current-under-isoiec-27036) *Module: [ISO/IEC 27036 Termination And Offboarding](/artifacts/global/iso-27036/faq/termination-and-offboarding.md)* The evidence should show the process operating. For this artifact, the strongest record usually includes supplier tiering, due diligence, contract clauses, assurance reviews, fourth-party visibility, incident handoffs, monitoring records, and offboarding evidence. - Use source records from the system of work, not screenshots created only for audit day. - Keep exceptions visible as risk acceptance, corrective action, or management-review input. - Update linked registers when the answer changes an owner, risk, control, service, supplier, or review date. Sources for this answer: - [ISO/IEC 27036-2:2022 standard page](https://www.iso.org/standard/82060.html?ref=sorena.io) - Primary ISO listing for supplier and acquirer relationship requirements. - [ISO/IEC 27036-3:2023 standard page](https://www.iso.org/standard/82890.html?ref=sorena.io) - Primary ISO listing for hardware, software, and service supply-chain guidance. ### [Who should approve Termination And Offboarding decisions under ISO/IEC 27036?](/artifacts/global/iso-27036/faq/termination-and-offboarding.md#who-should-approve-termination-and-offboarding-decisions-under-isoiec-27036) *Module: [ISO/IEC 27036 Termination And Offboarding](/artifacts/global/iso-27036/faq/termination-and-offboarding.md)* The person who can fund, operate, and correct the process should own the decision; governance should review consistency and exceptions. - Use a named owner, named backup, and named escalation forum. - Separate preparation work from risk acceptance and final approval. - Keep approval records with the evidence rather than in disconnected email threads. Sources for this answer: - [ISO/IEC 27036-1:2021 standard page](https://www.iso.org/standard/82905.html?ref=sorena.io) - Primary ISO listing for supplier relationship security overview and concepts. - [ISO/IEC 27036-2:2022 standard page](https://www.iso.org/standard/82060.html?ref=sorena.io) - Primary ISO listing for supplier and acquirer relationship requirements. ### [When should Termination And Offboarding be reviewed under ISO/IEC 27036?](/artifacts/global/iso-27036/faq/termination-and-offboarding.md#when-should-termination-and-offboarding-be-reviewed-under-isoiec-27036) *Module: [ISO/IEC 27036 Termination And Offboarding](/artifacts/global/iso-27036/faq/termination-and-offboarding.md)* Review it at planned intervals and whenever the underlying scope, service, supplier, control, risk, AI system, personal data flow, incident process, or customer commitment changes. - Set a planned review date and a change-trigger rule. - Use findings to update controls, procedures, contracts, risk registers, or training. - Carry unresolved items into management review or risk acceptance. Sources for this answer: - [ISO/IEC 27036-1:2021 standard page](https://www.iso.org/standard/82905.html?ref=sorena.io) - Primary ISO listing for supplier relationship security overview and concepts. - [ISO/IEC 27036-2:2022 standard page](https://www.iso.org/standard/82060.html?ref=sorena.io) - Primary ISO listing for supplier and acquirer relationship requirements. ## FAQ Pagination - Canonical index (page 1): [/artifacts/global/iso-27036/faq/items](/artifacts/global/iso-27036/faq/items.md) - Page 1 rule: `/page/1` is intentionally not generated; use the canonical index markdown URL. - Current page: 2 of 2 Pages: [1](/artifacts/global/iso-27036/faq/items.md) | [2](/artifacts/global/iso-27036/faq/items/page/2.md) [Previous page](/artifacts/global/iso-27036/faq/items.md) *Recommended next step* *Placement: after implementation guidance* ## Operationalize ISO/IEC 27036 FAQ Capture owners, evidence, decisions, and review dates in one workflow record so supplier security controls and escalation points stay auditable over time. - [Open Assessment Autopilot for ISO/IEC 27036](/solutions/assessment.md): Convert ISO/IEC 27036 FAQ into accountable tasks, evidence requests, and review checkpoints. - [Talk through implementation](/contact.md): Review your current scope, evidence gaps, and next implementation steps. --- [Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us) (c) 2026 Sorena AB (559573-7338). All rights reserved. Source: https://www.sorena.io/artifacts/global/iso-27036/faq/items/page/2