ISO/IEC 27036 is the multi-part standard for information security in supplier relationships — covering overview and concepts (27036-1), requirements (27036-2), guidelines for ICT supply chain (27036-3), and cloud service security guidelines (27036-4). It provides structured requirements and guidance for how organisations should assess, contractually protect, and continuously monitor the security of their ICT suppliers, service providers, and cloud vendors — complementing ISO 27001 Annex A controls A.5.19–A.5.22 on supplier relationships.

CISA's ICT Supply Chain Risk Management Task Force Findings and Recommendations (2021) provides the US critical infrastructure perspective — identifying key ICT SCRM threats, recommended practices, and qualification criteria for ICT vendors. Together, ISO 27036 and CISA ICT SCRM provide a comprehensive third-party vendor risk management framework applicable to Indian IT firms both as buyers (managing their vendor ecosystem) and as suppliers (demonstrating trustworthiness to US clients).

🔎 TPRM Programme: Most enterprise organisations now require vendors to complete security questionnaires (CAIQ, SIG, VSA) and provide ISO 27001 / SOC 2 evidence. ISO 27036 provides the buyer-side framework for structuring these programmes — and the seller-side framework for responding efficiently.