BS ISO IEC 27036-3-2013 Information technology Security techniques Information security for supplier relationships Guidelines for information and communication technology supply ch.pdf
《BS ISO IEC 27036-3-2013 Information technology Security techniques Information security for supplier relationships Guidelines for information and communication technology supply ch.pdf》由会员分享,可在线阅读,更多相关《BS ISO IEC 27036-3-2013 Information technology Security techniques Information security for supplier relationships Guidelines for information and communication technology supply ch.pdf(48页珍藏版)》请在麦多课文档分享上搜索。
1、BSI Standards PublicationBS ISO/IEC 27036-3:2013Information technology Security techniques Information security forsupplier relationshipsPart 3: Guidelines for information andcommunication technology supply chainsecurityBS ISO/IEC 27036-3:2013 BRITISH STANDARDNational forewordThis British Standard i
2、s the UK implementation of ISO/IEC27036-3:2013.The UK participation in its preparation was entrusted to TechnicalCommittee IST/33, IT - Security techniques.A list of organizations represented on this committee can beobtained on request to its secretary.This publication does not purport to include al
3、l the necessaryprovisions of a contract. Users are responsible for its correctapplication. The British Standards Institution 2013. Published by BSI StandardsLimited 2013ISBN 978 0 580 76090 7ICS 35.040Compliance with a British Standard cannot confer immunity fromlegal obligations.This British Standa
4、rd was published under the authority of theStandards Policy and Strategy Committee on 30 November 2013.Amendments issued since publicationDate Text affectedBS ISO/IEC 27036-3:2013Information technology Security techniques Information security for supplier relationships Part 3: Guidelines for informa
5、tion and communication technology supply chain securityTechnologies de linformation Techniques de scurit Scurit dinformation pour la relation avec le fournisseur Partie 3: Lignes directrices pour la scurit de la chane de fourniture des technologies de la communication et de linformation ISO/IEC 2013
6、INTERNATIONAL STANDARDISO/IEC27036-3First edition2013-11-15Reference numberISO/IEC 27036-3:2013(E)BS ISO/IEC 27036-3:2013ISO/IEC 27036-3:2013(E)ii ISO/IEC 2013 All rights reservedCOPYRIGHT PROTECTED DOCUMENT ISO/IEC 2013All rights reserved. Unless otherwise specified, no part of this publication may
7、 be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISOs member body in the country of the
8、requester.ISO copyright officeCase postale 56 CH-1211 Geneva 20Tel. + 41 22 749 01 11Fax + 41 22 749 09 47E-mail copyrightiso.orgWeb www.iso.orgPublished in SwitzerlandBS ISO/IEC 27036-3:2013ISO/IEC 27036-3:2013(E) ISO/IEC 2013 All rights reserved iiiContents PageForeword ivIntroduction v1 Scope . 1
9、2 Normative references 13 Terms and definitions . 14 Structure of this standard . 25 Key concepts . 25.1 Business case for ICT supply chain security 25.2 ICT supply chain risks and associated threats . 35.3 Acquirer and supplier relationship types 35.4 Organizational capability . 45.5 System lifecyc
10、le processes 45.6 ISMS processes in relation to system lifecycle processes 55.7 ISMS information security controls in relation to ICT supply chain security . 55.8 Essential ICT supply chain security practices 56 ICT supply chain security in Lifecycle Processes 76.1 Agreement Processes 76.2 Organizat
11、ional Project-Enabling Processes 106.3 Project Processes . 136.4 Technical Processes . 15Annex A (informative) Summary of Supply and Acquisition Processes from ISO/IEC 15288 and ISO/IEC 12207 24Annex B (informative) Clause 6 mapping to ISO/IEC 27002 .35Bibliography .37BS ISO/IEC 27036-3:2013ISO/IEC
12、27036-3:2013(E)ForewordISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards
13、through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC,
14、also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.The main task of the joint technical committee is to pr
15、epare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote.Attention is drawn to the possibility
16、that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.ISO/IEC 27036-3 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security tec
17、hniques.ISO/IEC 27036 consists of the following parts, under the general title Information technology Security techniques Information security for supplier relationships: Part 1: Overview and concepts Part 2: Requirements Part 3: Guidelines for information and communication technology supply chain s
18、ecurityThe following part is under preparation: Part 4: Guidelines for security of cloud services.iv ISO/IEC 2013 All rights reservedBS ISO/IEC 27036-3:2013ISO/IEC 27036-3:2013(E)IntroductionInformation and Communication Technology (ICT) products and services are developed, integrated, and delivered
19、 globally through deep and physically dispersed supply chains. ICT products are assembled from many components provided by many suppliers. ICT services throughout the entire supplier relationship are also delivered through multiple tiers of outsourcing and supply chaining. Acquirers do not have visi
20、bility into the practices of hardware, software, and service providers beyond first or possibly second link of the supply chain. With the substantial increase in the number of organizations and people who “touch” an ICT product or service, the visibility into the practices by which these products an
21、d services are put together has decreased dramatically. This lack of visibility, transparency, and traceability into the ICT supply chain poses risks to acquiring organizations.This standard provides guidance to ICT product and service acquirers and suppliers to reduce or manage information security
22、 risk. This standard identifies the business case for ICT supply chain security, specific risks and relationship types as well as how to develop an organizational capability to manage information security aspects and incorporate a lifecycle approach to manage risks supported by specific controls and
23、 practices. Its application is expected to result in: Increased ICT supply chain visibility and traceability to enhance information security capability; Increased understanding by the acquirers of where their products or services are coming from, and of the practices used to develop, integrate, or o
24、perate these products or services, to enhance the implementation of information security requirements; In case of an information security compromise, the availability of information about what may have been compromised and who the involved actors may be.This international standard is intended to be
- 1.请仔细阅读文档,确保文档完整性,对于不预览、不比对内容而直接下载带来的问题本站不予受理。
- 2.下载的文档,不会出现我们的网址水印。
- 3、该文档所得收入(下载+内容+预览)归上传者、原创作者;如果您是本文档原作者,请点此认领!既往收益都归您。
下载文档到电脑,查找使用更方便
10000 积分 0人已下载
下载 | 加入VIP,交流精品资源 |
- 配套讲稿:
如PPT文件的首页显示word图标,表示该PPT已包含配套word讲稿。双击word图标可打开word文档。
- 特殊限制:
部分文档作品中含有的国旗、国徽等图片,仅作为作品整体效果示例展示,禁止商用。设计者仅对作品中独创性部分享有著作权。
- 关 键 词:
- BSISOIEC2703632013INFORMATIONTECHNOLOGYSECURITYTECHNIQUESINFORMATIONSECURITYFORSUPPLIERRELATIONSHIPSGUIDELINESFORINFORMATIONANDCOMMUNICATIONTECHNOLOGYSUPPLYCHPDF

链接地址:http://www.mydoc123.com/p-588454.html