With the release of ISO/IEC 27036:2013, the new International Standard for ICT supply chain security, it has become apparent to me that not many organisations have considered the information security risks posed by the ICT supply chain. There have, for instance, been rumours going around for years that certain countries embed malicious code in devices manufactured within their borders, but until now there hasn't been any guidance on how you can address this type of information security risk.
The release of ISO/IEC 27036:2013 changes this. The Standard gives clear guidance on how you can gain visibility into a diverse ICT supply chain and how you can respond to risks by integrating information security processes and practices into your existing system and software lifecycle processes, while supporting the information security controls in ISO/IEC 27002.
If you haven't considered this often-overlooked aspect of information security, you should order a copy of ISO/IEC 27036:2013.