ChecklistGLOBAL

ISO 27036 Third Party Risk Checklist

A procurement + security operations checklist you can run repeatedly across suppliers and vendors.

Aligned to ISO/IEC 27036-2 life cycle processes: planning, selection, agreement, and supplier relationship management.

Back to main artifact Review sources

Author

Sorena AI

Published

Mar 4, 2026

Updated

Mar 4, 2026

Sections

Structured answer sets in this page tree.

Primary sources

Cited legal and guidance references.

Publication metadata

Sorena AI

Published Mar 4, 2026

Updated Mar 4, 2026

Overview

ISO/IEC 27036-2 structures supplier relationship security using a supplier relationship life cycle and expects compliance monitoring and enforcement with corrective actions. ISO/IEC 27036-3 adds deeper guidance for hardware, software, and services supply chain security, and ISO/IEC 27036-4 adds cloud service guidance. This checklist operationalizes those requirements as a repeatable third-party risk management flow across supplier onboarding, execution, change, and exit.

Section 1

How to use this ISO 27036 checklist (tiered, evidence-first)

Run this checklist per supplier relationship instance, not once per year as a generic questionnaire. The goal is to produce a traceable evidence pack: tiering rationale, due diligence outputs, agreement clauses and deviations, monitoring records, and corrective actions.

Apply depth based on tier. High-risk suppliers get deeper due diligence, stronger contract clauses, and tighter monitoring cadence.

Define owner per step: procurement owner, security reviewer, legal reviewer, service owner
Attach evidence to each checklist item and avoid unsupported yes-or-no answers
Document exceptions and compensating controls in an exceptions register

Recommended next step

Turn ISO 27036 Third Party Risk Checklist into an operational assessment

Assessment Autopilot can take ISO 27036 Third Party Risk Checklist from turning this checklist into an operational workflow to a reusable workflow inside Sorena. Teams working on ISO 27036 can keep owners, evidence, and next steps aligned without copying this guide into separate documents.

Assessment workflow

Open Assessment Autopilot for ISO 27036 Third Party Risk Checklist

Start from ISO 27036 Third Party Risk Checklist and turn the guidance into owned tasks, evidence requests, and review checkpoints.

Explore next step

Talk to Sorena

Talk through ISO 27036

Review your current process, evidence gaps, and next steps for ISO 27036 Third Party Risk Checklist.

Explore next step

Section 2

1) Supplier relationship planning checklist (define requirements before choosing vendors)

Planning prevents vendor lock-in to insecure choices. Define information security foundations, tiering criteria, and what an acceptable supplier looks like before you evaluate suppliers.

Planning outputs become inputs to selection, agreement, and monitoring.

Define scope: what product/service is procured, what data types are involved, what systems are touched, what connectivity exists
Tier the supplier relationship instance (criticality + access + data sensitivity + jurisdiction)
Define baseline requirements framework per tier (minimum controls and evidence expectations)
Define monitoring expectations upfront (cadence, triggers, and enforcement model)

Section 3

2) Supplier selection + due diligence checklist (evidence collection and risk decision)

Supplier selection should be criteria-driven and evidence-backed. Collect proof that the supplier can meet agreement requirements and support compliance monitoring and enforcement.

For higher tiers, include visibility into subcontractors and indirect suppliers when they materially affect risk.

Confirm governance: security ownership, escalation contacts, and incident response points of contact
Request assurance evidence: ISMS scope statements, independent assurance reports, control summaries tied to your requirements
Validate operational capabilities: vulnerability management, patching, secure update process, logging and monitoring, backup and restore testing
Assess supply chain: subcontractors, hosting providers, critical dependencies, and flow-down obligations
Software or component intensive suppliers: request dependency transparency, update process evidence, and transition or disposal controls where material
Cloud services: clarify shared responsibility (provider vs customer) and require cloud-specific evidence (isolation, identity, logging, region controls)

Section 4

3) Supplier agreement checklist (bind requirements into enforceable clauses)

ISO 27036-2 is often used as agreement requirements. The agreement should translate requirements into measurable obligations, acceptance criteria, evidence deliverables, and a compliance monitoring and enforcement plan.

Avoid ambiguity: define timelines, required fields, and what happens on non-compliance.

Contract clause set by tier: responsibilities, data handling, access controls, change management, incident notification, termination/exit
Subcontractors: disclosure and approval model, flow-down obligations, location/jurisdiction constraints where applicable
Monitoring and enforcement: audit model, evidence cadence, corrective actions process, and escalation thresholds
Change and incident procedures: notification windows, required fields, cooperation duties, and post-incident actions

Section 5

4) Onboarding + transition checklist (make controls real in operations)

After signature, onboarding is where most supplier security breaks. Operationalize the agreement: provision least privilege access, configure integrations securely, and validate controls before full go-live.

For complex services, require a transition plan and confirm unexpected-event handling during transition.

Access: least privilege roles, privileged access approval, and removal process
Security configuration baseline: logging, monitoring, encryption settings, and admin protections
Data flows: validate intended processing locations and storage/retention requirements
Transition plan: responsibilities, milestones, rollback, and communication paths for unexpected events
For product or software suppliers, confirm secure transition into operation and clear ownership of maintenance activities

Section 6

5) Ongoing monitoring + enforcement checklist (the audit-proof part)

ISO 27036-2 expects ongoing supplier relationship management: maintain information security, train impacted personnel, monitor and enforce compliance, and manage changes and incidents according to agreed procedures.

Treat monitoring as a calendarized program with trend tracking and remediation closure, not an inbox of ad-hoc requests.

Evidence refresh cadence: periodic review plus event-driven review on material change
Compliance monitoring records: who reviewed what, findings, corrective actions, and closure proof
Change monitoring: location changes, ownership changes, certification loss/achievement, business continuity capability changes
Incident handling: notifications, containment collaboration, post-mortems, and corrective actions tracking
Escalation and termination: when risk cannot be reduced to acceptable levels, activate the exit plan

Section 7

6) Offboarding + termination checklist (exit is a control)

Termination is a security control when risks cannot be reduced. Plan exit early for high-tier suppliers: data return/deletion, access removal, and continuity of critical services.

Keep evidence of termination actions and confirmations.

Access removal: disable accounts, revoke keys/tokens, rotate shared secrets
Data return/deletion: retention rules, deletion confirmations, backups handling, and residual data risks
Asset and documentation return: configurations, runbooks, logs per retention, and evidence index closure
Transition continuity: alternate supplier strategy and internal fallback plan
For hardware, software, or critical service suppliers, confirm disposal or decommissioning controls where assets or components remain in the environment

Primary sources