scope:

This part of ISO/IEC 27036 specifies fundamental information security requirements for defining, implementing, operating, monitoring, reviewing, maintaining and improving supplier and acquirer relationships. These requirements cover any procurement and supply of products and services, such as manufacturing or assembly, business process procurement, software and hardware components, knowledge process procurement, Build-Operate-Transfer and cloud computing services. These requirements are intended to be applicable to all organisations, regardless of type, size and nature. To meet these requirements, an organisation should have already internally implemented a number of foundational processes, or be actively planning to do so.These processes include, but are not limited to, the following: governance, business management, operational and human resources management, and information security. NOTE The user of this document needs to correctly interpret each of the forms of the expression of provisions (e.g. "shall", "shall not", "should" and "should not") as being either requirements to be satisfied and/or recommendations where there is a certain freedom of choice. ISO/IEC 27000 Annex A should be consulted for further clarification.