ISO/IEC 27036 FAQ Supplier Incidents

In practical terms, a supplier incident is a problem or compromise connected to a supplier, its products or services, or its supply chain that can affect your organization. NIST SP 800-61r3 describes incidents as events that actually or imminently jeopardize confidentiality, integrity, or availability, and it includes compromise examples involving suppliers and vendors.

Start with the operational decision: define what Supplier Incidents means in your ISO/IEC 27036 scope, who owns it, and what record proves the decision is current. For incident work, decide the timer and escalation path before an event occurs: classification, severity, legal-notification review, containment owner, communications owner, recovery owner, and evidence custodian. This keeps the answer useful in audits, customer reviews, incidents, supplier reviews, and management review.

The evidence should show the process operating. For this artifact, the strongest record usually includes supplier tiering, due diligence, contract clauses, assurance reviews, fourth-party visibility, incident handoffs, monitoring records, and offboarding evidence.

Avoid evidence that only repeats a requirement. A reviewer should be able to see the actual owner, date, system, supplier, AI system, service, incident, risk, or control sample behind the answer.

The person who can fund, operate, and correct the process should own the decision; governance should review consistency and exceptions.

For high-impact changes, approval should include the teams affected by the evidence: security, privacy, resilience, supplier management, AI governance, legal, risk, or business service owners as relevant.

Review it at planned intervals and whenever the underlying scope, service, supplier, control, risk, AI system, personal data flow, incident process, or customer commitment changes.

A stale record is worse than a short record. If the facts change, update the evidence and mark what changed so the next reviewer can trust the page.