
ISO 27036 Supplier Assurance Framework

A practical operating model for supplier tiering, due diligence, evidence, and ongoing monitoring.

For procurement, security, legal, and ISMS teams implementing ISO/IEC 27036 supplier relationship requirements at scale.

Author
Sorena AI
Published
Mar 4, 2026
Updated
Mar 4, 2026
Overview

ISO/IEC 27036-2 is the normative requirements part of ISO 27036. It structures supplier relationship security as lifecycle processes and expects compliance monitoring and enforcement with corrective actions. ISO/IEC 27036-3 adds deeper guidance for hardware, software, and services supply chain security, and ISO/IEC 27036-4 adds cloud service guidance. This page turns that series into a supplier assurance framework you can run repeatedly across vendors, subcontractors, and cloud providers.

Section 1

What ISO 27036 supplier assurance should achieve (outcomes, not checkboxes)

In ISO 27036 terms, supplier assurance is how you maintain information security during the execution period of the supplier relationship in accordance with the supplier relationship agreement - and how you prove it via evidence.

A high-performing supplier assurance framework connects four things: supplier tiering -> supplier selection criteria -> agreement requirements (contract clauses + evidence deliverables) -> monitoring and enforcement cadence.

  • Audit-ready by design: every obligation has acceptance criteria and evidence deliverables
  • Repeatable at scale: same process frame for every supplier, depth varies by tier
  • Enforceable in reality: monitoring plan + corrective actions workflow + termination path when risk is unacceptable

Section 2

Step 1 - Tier suppliers (drive assurance depth with defensible risk criteria)

Start with a tiering model that procurement can apply consistently and security can defend. Tiering should reflect what the supplier touches (information, systems, connectivity) and how critical the supplier is for business continuity and mission delivery.

Use tiering to drive: due diligence depth, contract clause set, evidence cadence, and monitoring frequency.

  • Tier drivers: privileged access, network connectivity, regulated data, processing locations/jurisdiction, service criticality
  • Supplier types: products, services, ICT supply chain components, cloud services and SaaS
  • Visibility needs: indirect suppliers/subcontractors that become material to risk (flow-down obligations)
Section 3

Step 2 - Use ISO 27036-2 life cycle processes as your assurance backbone

ISO/IEC 27036-2 structures requirements using the supplier relationship life cycle: supplier relationship planning, supplier selection, supplier relationship agreement, and supplier relationship management. Build your framework so each stage has defined inputs, activities, outputs, and owners.

When auditors ask for the process, you can show the lifecycle and the evidence produced at each stage.

  • Planning: define security foundation, requirements framework, and constraints per tier
  • Selection: apply supplier selection criteria that include security capabilities and commitment to compliance monitoring
  • Agreement: convert requirements into contract clauses, acceptance criteria, evidence deliverables, and enforcement plan
  • Management: monitor and enforce compliance, handle changes and incidents, track corrective actions to closure, and plan transition and disposal controls where needed
Section 4

Supply chain depth: when Part 3 needs to drive the assurance model

For software, hardware, and critical service suppliers, Part 3 makes the assurance model deeper than a standard vendor review. The framework should look at life cycle activities such as design, implementation, transition, operation, maintenance, and disposal where those phases materially affect the risk.

This is where software dependency transparency, secure update expectations, and supplier-of-supplier visibility usually become necessary.

  • Increase evidence depth for software-intensive or component-intensive suppliers
  • Ask for transition, maintenance, and disposal controls where product integrity or continuity matters
  • Tie assurance depth to the actual supply chain dependency, not only the contract value
Section 5

Step 3 - Build an evidence index (what evidence, what quality, what cadence)

Supplier assurance fails when evidence is undefined, stale, or not attributable to the supplier relationship. Build an evidence index that is explicit and reusable: supplier tier -> required evidence artifacts -> cadence -> reviewer -> escalation path.

Use multiple assurance channels. Certifications and third-party reports can be efficient, but you still need targeted evidence and change-driven refresh triggers.

  • Evidence quality: attributable (who/when), current (within cadence), traceable (maps to clause/control)
  • Cadence triggers: onboarding, periodic refresh (tier-based), and on material change (scope, location, ownership, certification loss)
  • Corrective actions handling process: findings -> owner -> target date -> verification -> closure
  • Exceptions register: negotiated deviations with approvals and compensating controls (kept current)
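The following Python is an added worked example, not code from this guide or from any Sorena product. It ties Step 1 to Step 3: the tier drivers listed above are scored into a tier, the tier selects a row of an evidence index (artifact, cadence in days), and each artifact on file is checked against the three quality tests (attributable, current, traceable) plus the material-change refresh triggers. The driver weights, tier cut-offs, artifact names, cadences and the sample supplier and evidence records are all constructed assumptions; a real programme sets them in its tiering policy and evidence index.

```python
"""Supplier tiering and evidence-index check (added example; all thresholds are assumptions)."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class SupplierProfile:
    """Tier drivers: privileged access, connectivity, regulated data, jurisdiction, criticality."""
    name: str
    privileged_access: bool = False
    network_connectivity: bool = False
    regulated_data: bool = False
    offshore_processing: bool = False      # processing location / jurisdiction driver
    service_criticality: str = "low"       # "low" | "medium" | "high"


# Assumed weights and cut-offs; a real tiering policy would define its own.
DRIVER_WEIGHTS = {"privileged_access": 3, "network_connectivity": 2,
                  "regulated_data": 2, "offshore_processing": 1}
CRITICALITY_WEIGHTS = {"low": 0, "medium": 1, "high": 3}


def tier_score(profile: SupplierProfile) -> int:
    score = sum(w for drv, w in DRIVER_WEIGHTS.items() if getattr(profile, drv))
    return score + CRITICALITY_WEIGHTS[profile.service_criticality]


def assign_tier(profile: SupplierProfile) -> int:
    """Tier 1 = deepest assurance, tier 3 = lightest (assumed cut-offs)."""
    score = tier_score(profile)
    if score >= 5:
        return 1
    if score >= 2:
        return 2
    return 3


# Evidence index: tier -> required artifact -> refresh cadence in days (assumed values).
EVIDENCE_INDEX = {
    1: {"iso27001_certificate": 365, "pentest_report": 365,
        "subcontractor_list": 180, "incident_runbook": 365},
    2: {"iso27001_certificate": 365, "security_questionnaire": 365},
    3: {"security_questionnaire": 730},
}

# Material-change triggers named in the guide; any of them forces a refresh.
MATERIAL_CHANGES = {"scope", "location", "ownership", "certification_loss"}


@dataclass
class Evidence:
    artifact: str
    collected_on: date
    collected_by: str      # attributable: who collected it
    maps_to_clause: str    # traceable: contract clause / control reference


def evidence_findings(profile, evidence, today, material_changes=()):
    """Return one finding per required artifact that fails a quality or cadence test."""
    unknown = set(material_changes) - MATERIAL_CHANGES
    if unknown:
        raise ValueError(f"unrecognised change trigger(s): {sorted(unknown)}")
    required = EVIDENCE_INDEX[assign_tier(profile)]
    by_artifact = {e.artifact: e for e in evidence}
    findings = []
    for artifact, cadence_days in required.items():
        e = by_artifact.get(artifact)
        if e is None:
            findings.append({"artifact": artifact, "reason": "missing"})
        elif not e.collected_by or not e.maps_to_clause:
            findings.append({"artifact": artifact, "reason": "not_attributable"})
        elif today - e.collected_on > timedelta(days=cadence_days):
            findings.append({"artifact": artifact, "reason": "stale",
                             "age_days": (today - e.collected_on).days})
        elif material_changes:
            # Artifact passed on its own, but a material change re-opens it.
            findings.append({"artifact": artifact, "reason": "refresh_required",
                             "trigger": sorted(material_changes)})
    return findings


# Constructed sample data: a hypothetical tier-1 cloud ERP supplier reviewed on 2026-03-04.
REVIEW_DATE = date(2026, 3, 4)
SAMPLE_SUPPLIER = SupplierProfile("cloud-erp", privileged_access=True,
                                  network_connectivity=True, regulated_data=True,
                                  service_criticality="high")
SAMPLE_EVIDENCE = [
    Evidence("iso27001_certificate", date(2025, 6, 1), "j.doe", "clause 7.1"),
    Evidence("pentest_report", date(2024, 12, 1), "j.doe", "clause 7.4"),   # stale
    Evidence("subcontractor_list", date(2026, 1, 15), "", "clause 9.2"),   # no collector
    # incident_runbook deliberately absent
]


def demo(material_changes=()):
    return evidence_findings(SAMPLE_SUPPLIER, SAMPLE_EVIDENCE, REVIEW_DATE, material_changes)


if __name__ == "__main__":
    print("tier:", assign_tier(SAMPLE_SUPPLIER))
    for f in demo(material_changes={"location"}):
        print(f)
```

Each finding already carries the artifact and the reason, so it can be dropped straight into the corrective-actions path above (finding -> owner -> target date -> verification -> closure); a negotiated deviation would be recorded in the exceptions register rather than silently removed from the index.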
Section 6

Step 4 - Monitoring and enforcement (make compliance real)

ISO 27036-2 expects compliance monitoring and enforcement activities and ongoing management of changes and incidents in accordance with agreed procedures. A mature framework makes monitoring operational, not aspirational.

Define who monitors (acquirer team vs third party), what is reviewed, and how trends over time drive remediation and supplier decisions.

  • Compliance monitoring and enforcement plan: roles, scope, cadence, and escalation thresholds
  • Change monitoring: location changes, ownership changes, supplier ISMS changes, subcontractor changes, major architecture changes
  • Incident handling: notification windows, required fields, cooperation duties, and post-incident corrective actions
  • Termination decision: when risks cannot be reduced to an acceptable level, exit/transition is a valid control
Section 7

Indirect suppliers, subcontractors, and cloud supply chains (visibility + flow-down)

ISO 27036-1 highlights supply chain interdependencies and indirect suppliers. ISO/IEC 27036-4 extends supplier relationship security to cloud services, where roles can be unclear and the same lifecycle steps should be repeated for each customer-provider link in the chain.

Build a flow-down model that matches tier: require disclosure, approval, and evidence for material subcontractors, and require your supplier to enforce equivalent obligations downstream.

  • Disclosure: identify material subcontractors and what parts of the service they operate
  • Approval: define when acquirer approval is required (critical components, new regions, sensitive processing)
  • Flow-down: contractually require equivalent security obligations, monitoring support, and corrective actions downstream
  • Cloud specifics: shared responsibility boundaries, multi-tenancy isolation expectations, location and jurisdiction transparency, and third-party assurance where direct customer audit is limited
Primary sources

References and citations

  • iso.org, ISO/IEC 27036 (referenced section: guidelines for hardware, software, and services supply chain security, including deeper life cycle practices and software bill of materials context)