ISO/IEC 27036
supplier-relationship security lifecycle

ISO/IEC 27036 explained for enterprise teams

ISO/IEC 27036 (Cybersecurity for supplier relationships) is the international standard for information security in supplier relationships. It is the operating reference programmes reach for when they need to evidence supplier-side security across the supplier-relationship lifecycle: planning, supplier selection, agreement establishment, agreement management, agreement termination, and post-agreement disposal. The standard is published in four parts across IEC, ISO, and the related ITU-T technical guidance, and reads alongside ISO/IEC 27001 Annex A 5.19 to 5.23 (information security in supplier relationships) as the deeper implementation companion.

For internal security teams, GRC and compliance teams, vendor risk leads, AppSec teams managing third-party components, cloud security teams managing SaaS and IaaS providers, procurement teams running supplier onboarding, legal teams negotiating contract clauses, and CISOs accountable for supply-chain risk, ISO/IEC 27036 is the standard the supplier programme reads against globally. The framework is dense; the value is the lifecycle discipline that turns supplier security from a one-off due-diligence step into a continuous operating record.

This page covers the four parts of the standard, the six lifecycle phases, the supplier categorisation patterns, the minimum agreement clause set, the acquirer-side evidence pack, the operating cadence, the failure modes that erode the supplier programme, and where ISO/IEC 27036 sits alongside NIST SP 800-161r1, DORA Article 28, NIS2 Article 21(2)(d), the EU Cyber Resilience Act, and CSA STAR. Programmes that adopt ISO/IEC 27036 as the supplier-relationship operating standard read cleanly into every adjacent regime without rebuilding the evidence pack per audit.

The four parts of ISO/IEC 27036

ISO/IEC 27036 is published in four parts. Only Part 2 is normative; the other three are guidance that explains how to operate Part 2 in context. The structure lets a programme certify or declare conformity against Part 2 while reading Parts 1, 3, and 4 as the implementation companion for orientation, ICT supply chain, and cloud-service relationships respectively.

The six lifecycle phases

ISO/IEC 27036 is a lifecycle standard. The requirements in Part 2 are organised by the phases the supplier relationship moves through over time. The phases below are the spine the operating record reads against. Programmes that operate the lifecycle as one continuous record (rather than six separate projects) carry the supplier programme cleanly through renewal cycles, audit cycles, and regulator cycles.

1. 1

   Planning

   Define the requirement the supplier will satisfy, the information security risks the relationship will carry, the supplier categorisation (commodity vs strategic, low-risk vs high-risk, single-source vs multi-source), the assessment depth required per category, and the contract templates the relationship will be governed under. Planning is the cheapest phase to invest in and the most expensive to skip: gaps named here propagate through every later phase.

2. 2

   Supplier selection

   Run the supplier security due diligence appropriate to the category named at planning. The due-diligence pack typically includes the supplier questionnaire (SIG, CAIQ, or programme-specific), the published assurance evidence (ISO/IEC 27001 certificate, SOC 2 Type II report, STAR Registry entry, FedRAMP authorisation), the technical and process maturity assessment, the financial stability check, the geographic and regulatory exposure check, and the reference check. The selection record documents the rationale and the residual concerns.

3. 3

   Agreement establishment

   Convert the security requirements into binding contract clauses. The minimum clause set covers data handling and classification, sub-processor management with prior approval where applicable, security controls expectation by reference to the wider regime (ISO/IEC 27001 Annex A 5.19 to 5.23, NIST SP 800-53 SR family, CSA CCM where cloud), audit and assurance rights, vulnerability and incident notification timing (often 24 to 72 hours), data return and destruction at termination, business continuity and disaster recovery expectations, personnel security, encryption-at-rest and in-transit, and the indemnities and limitations that anchor the commercial side. Agreement establishment is when ISO/IEC 27036-2 Part 2 requirements become legally binding.

4. 4

   Agreement management

   Operate the relationship after signature. Agreement management is the longest phase by far. It covers the periodic supplier assessment cadence (annual for high-risk, biennial for medium-risk, on-event-or-renewal for low-risk), the supplier KPI tracking, the incident-notification handling, the vulnerability-notification handling, the change-management coordination (supplier-side changes that affect the acquirer-side risk position), the sub-processor change handling, the assurance-evidence refresh tracking, the contract amendment cycle, and the renewal decision lead-time. Most ISO/IEC 27036 evidence the auditor reads sits in agreement management.

5. 5

   Agreement termination

   Wind down the relationship in line with the termination clauses. Termination is where the agreement-management discipline either pays back or shows the gap: data return on documented timelines, data destruction with attestation, sub-processor termination cascade, access revocation, transition-out support, knowledge transfer, asset return, and final assurance evidence. Programmes that treat termination as an afterthought rebuild this section under pressure on every relationship that ends.

6. 6

   Post-agreement disposal

   Confirm that the disposal expectations from termination were met, retain the residual evidence the auditor will read (the destruction attestation, the final assurance evidence, the closure record), and feed the supplier-experience lessons back into the planning artefacts for future relationships. Post-agreement disposal is the closing-out artefact ISO/IEC 27036 expects to exist. It also feeds the supplier-relationship maturity loop programmes use to improve subsequent contracts.

Supplier categorisation patterns

ISO/IEC 27036 expects the supplier set to be categorised so the assessment cadence, the contract templates, and the operating intensity match the risk per relationship. The categorisation patterns below are the dimensions the standard names and that mature programmes typically combine into a per-supplier category that the operating cycle reads against. Single-dimension categorisation under-weights the relationships that look low risk on one axis and high risk on another.

The minimum agreement clause set

ISO/IEC 27036-2 expects the security expectations to land in the contract. The minimum clause set below covers the requirements Part 2 reads against and the related downstream obligations the acquirer needs to meet (regulator notification clocks, audit-evidence retention, sub-processor handling, termination assistance). Programmes drafting supplier contracts use this set as the structural minimum and tailor the depth per supplier category.

The acquirer-side evidence pack

The minimum durable evidence pack the auditor, the regulator, and the audit committee each read against the supplier programme is grouped below by artefact type rather than by audit question. Each artefact carries a named owner, a refresh cadence, and a version history so reconstruction at audit time is replaced with a continuous operating trail. ISO/IEC 27036 does not invent these artefacts; it names what the supplier-relationship operating record needs to contain to satisfy the requirements in Part 2.

A practical operating cadence

The cadence below is the operating rhythm most ISO/IEC 27036 programmes settle into when they treat supplier security as continuous work rather than a contracting moment. The per-quarter rhythm reads against the calendar; the on-event work reads against the operational triggers; the on-termination work reads against the contract lifecycle. The cycle compounds: each year inherits evidence from the prior year, so the supplier programme becomes the durable record audits and regulators read against rather than a separate audit preparation project.

Failure modes the standard is designed to surface

ISO/IEC 27036 is forgiving on the choice of tooling, the contract templates, and the depth of assessment per supplier. It is unforgiving about a small number of patterns that turn the supplier programme cosmetic rather than operational. The patterns below recur across supplier-relationship security programmes and are the ones that erode the year-over-year continuity that audits, regulators, and audit committees increasingly read against.

How ISO/IEC 27036 relates to adjacent regimes

ISO/IEC 27036 sits in a busy regulatory and standards neighbourhood. The relationships below are the ones programmes encounter most often when they read the standard against the rest of the supplier-security regime. Programmes operating across regions and sectors use ISO/IEC 27036 as the operating spine and read NIST 800-161r1, DORA, NIS2, CRA, SOC 2 CC9.2, HIPAA BAA, CSA STAR, and ISO/IEC 27017 as the framework-specific reads beneath.

Where ISO/IEC 27036 sits next to other framework pages

ISO/IEC 27036 is the supplier-relationship operating standard; the adjacent framework pages cover the regimes the supplier programme reads alongside. The pages below are the ones supplier-security programmes most often read together.

• The ISO/IEC 27001 framework page covers the certifiable ISMS standard. Annex A 5.19 to 5.23 are the supplier-relationship controls; ISO/IEC 27036 is the deeper implementation companion that explains how to operate those controls.
• The NIST SP 800-161 framework page covers the federal C-SCRM strategy and the SR control family in NIST SP 800-53 Rev. 5. Programmes operating against both regimes use 800-161r1 as the strategy spine and ISO/IEC 27036 as the supplier-relationship companion.
• The DORA framework page covers the EU Digital Operational Resilience Act for financial entities. Article 28 imposes detailed third-party ICT risk obligations that read against the same supplier inventory, contract pack, and operating cadence ISO/IEC 27036 expects.
• The NIS2 framework page covers the EU directive on cybersecurity for essential and important entities. Article 21(2)(d) requires supply chain security management that ISO/IEC 27036 supplies the operating standard for.
• The EU Cyber Resilience Act framework page covers the product-side supply-chain obligations for products with digital elements placed on the EU market. ISO/IEC 27036 is the acquirer-side supplier-relationship discipline manufacturers flow CRA obligations down through.
• The CSA STAR framework page covers the cloud-provider assurance regime. Part 4 of ISO/IEC 27036 is the cloud-service relationship discipline; STAR Registry entries are one input the acquirer reads against the supplier assurance posture per cloud provider.
• The ISO/IEC 27017 framework page covers the cloud-security control extension to ISO/IEC 27002. Cloud-heavy supplier programmes read 27036-4, STAR, and 27017 together to cover the cloud-relationship, provider-assurance, and cloud-control evidence layers.
• The SOC 2 framework page covers the AICPA Trust Services Criteria. CC9.2 (vendor and business partner risk) reads against the same supplier inventory, assessment cadence, and termination evidence ISO/IEC 27036 expects.
• The HIPAA framework page covers the US healthcare regime. Business Associate Agreements are the legal artefact; ISO/IEC 27036 reads beneath as the operating standard for the BAA programme.
• The ISO/IEC 27031 framework page covers ICT readiness for business continuity (IRBC). The supplier-side BCDR clause in ISO/IEC 27036-2 reads against ISO/IEC 27031 as the standards-side ICT continuity reference so the acquirer-side recovery posture does not assume supplier-side readiness without evidence.

Where SecPortal fits in an ISO/IEC 27036 programme

SecPortal is the operating layer for the supplier-relationship lifecycle, not a replacement for the standard itself, not a contract lifecycle management platform, and not a vendor risk rating service. The platform handles the workstreams that produce the ISO/IEC 27036 Part 2 evidence (engagement structure for the per-cycle supplier work, finding intake from supplier-side advisories and acquirer-side technical assessments, severity scoring under CVSS 3.1, retest evidence paired to the original finding, exception register with named owner and expiry, document management for the contract pack and the assurance evidence, the activity log auditors and regulators read against). The same workspace that hosts the supplier engagement record hosts the scan-side evidence the technical assessment depends on, so the line from clause to evidence stays traceable.

What SecPortal does not do

ISO/IEC 27036 is a lifecycle standard that depends on the acquirer operating procurement, legal, vendor risk, and security as a coordinated function. SecPortal is the operating record, not the contract lifecycle management platform, not the vendor risk rating service, and not the third-party audit firm. The honest scope below reads against the ISO/IEC 27036 boundary so the platform commitment is unambiguous.

The supplier-side workstreams the lifecycle reads against already exist as named use cases on SecPortal. The vendor security questionnaire response workflow covers the supplier-side questionnaire turnaround the acquirer-side review reads against. The third-party penetration test report intake workflow covers the acquirer-side ingestion of supplier-side pentest reports into the same findings record the direct-channel testing produces. The SBOM management and VEX publishing workflow covers the software-supplier transparency obligations the ICT supply chain part of the standard reads against. The cross-framework control mapping workflow reads the same supplier evidence pack across ISO/IEC 27036, NIST SP 800-161r1, DORA Article 28, NIS2 Article 21(2)(d), SOC 2 CC9.2, HIPAA BAA expectations, and the EU Cyber Resilience Act so the cross-regime read is reconcilable rather than reconciled per audit. The audit evidence retention and disposal workflow carries the retention and disposal discipline the contract data-return and data-destruction clauses read against.

For GRC and compliance teams running the cross-regime supplier programme, the GRC and compliance teams workspace bundles the platform with the engagement structure the supplier audit cadence reads against. For internal security teams running the technical-assessment side of the supplier programme, the internal security teams workspace covers the per-cycle technical assessment, the incident-notification handling, and the vulnerability-notification handling the operating loop runs through. For CISOs and security leaders carrying the audit-committee read against the third-party risk posture, the CISOs and security leaders workspace covers the board-side reporting model that sits on top of the supplier-relationship operating record.

For deeper reading on the disciplines this standard reads against, the third-party vendor risk assessment guide covers the buyer-side third-party risk discipline ISO/IEC 27036 reads alongside. The software supply chain security guide covers the software-side supply-chain regime Part 3 reads against, with SBOM, VEX, SLSA, SSDF, and CRA tied together. The DORA ICT third-party risk management implementation guide covers the financial-services-specific operating shape of the supplier-relationship discipline DORA Article 28 reads against. The non-human identity security guide covers the supplier-side machine-identity discipline that often lives outside the headline supplier inventory and surfaces during incident handling. The security control drift research covers the patterns that erode supplier-relationship evidence between annual reviews when the assurance is refreshed only at audit time.