ISO IEC 27036-3-2023.docx

ISO/IECINTERNATIONA1.27036-3STANDARDeditionSecond2023-06CybersecuritySupp1.ierre1.ationships一i1.inesforhardware,software,andservicessupp1.ychainsecurityCybersecuriteRe1.ationsavecIefournisseurPartie3:1.ignesdirectricespourIas6cuht6de1.acha1.nedefournitreenmaterie1.,Iogicie1.setserxficesReferencenumberISO/IEC27036-3:2023(E)©ISO/IEC2023COPYRIGHTPROTECTEDDOCUMENT©IS0/1EC2023IUirhM*hedbdi1.iUedotherwiseupdhi.or啪UIBndttaeDmk<nroni(ncm11ni10tf1.*Mqn1.C6pW11opypMRHt1.onmaytheinternetoranintranet,withoutpriorwrittenpermission.PermissioncanberequestedfromeitherISOattheaddressbe1.oworISO'smemberbodyinthecountryoftherequester.f),WV>fifiU81.andonnet8CH-1214Vernier,GenevaPhone：M1.22749O1.11觥ftte:丽丽BQrgPub1.ishedinSwitzer1.and©ISO/IEC2023-A1.1.rightsreservedb) deve1.opprocessesIOSoftWareappropriate,practicesnon-invasiveorigina1.equipmentmanufacturerc) AttemptIestsdetectCounterfeitandproductintrusionsinc1.uding:deve1.opmentandoperationsphases.providedbythesupp1.ier,thirdparties,ortheacquirer(e.g.manua1.codeinspections).3)conductvu1.nerabi1.ityscans；e)ana1.ysis,dynamicassessmentana1.ysis,verificationusingana1.ysis,codecoveragetechniquessuchasstaticCOdeg)executetoo1.stogatherevidenceofchangesresu1.tingfromremotemaintenanceactivities.1.4.12 OperationprocessISO/IEC/IEEE15288).a)indudemaintenanceSysteminintegrationoperationa1.requirements;activitiesaspartoftheupgradesecurityrequirementsinoperations.C)shipe1.ements*,securedbydefau1.t"ata1.eve1.appropriatetoacquirer'srequirements.1.4.13 Maintenanceprocessprovidetoproductthecapabi1.ityOfappropriate1.yandnianaginghardware,hardware.SoftWare,componentstorisksinhardware,software,andservicessupp1.ychain:c) UorKfidbh:石dvancePUriHuIhZsH1.显地tttaxeddktu1.sfnigq2d1itsauhitote1.accudd由auaiaHcandd) considertherisksthattrainedandknow1.edgeab1.eauthorizedservicepersonne1.arenotavai1.ab1.e,especia1.1.y1.ateinthee1.ement's1.ife；e) considerhardware,software,andservicessupp1.ychainriskswhenacquiringrep1.acementcomponentsorfie1.dadditions/mOdificatiOnS/upgrades,particu1.ar1.yiftheydonotgothroughtraditiona1.acquisitionprocessesthatexaminesupp1.ychainrisks；f) preferforma1.izedSerViCe/maintenanceagreements)wherepossib1.ee.g.usespecifiedorqua1.ifiedsparepartssupp1.iers,provideacomp1.eterecordofchangesperformedduringmaintenance(e.g.audittrai1.orchange1.og),reviewchangesmadeduringmaintenance;g) estab1.ishandimp1.ementagreementsforcompetentandsuitab1.esupportinc1.udingrefurbishedand/orsa1.vagede1.ements；considerrequiringtheorigina1.manufacturertocertifytheequipmentassuitab1.e；h) identifymethodsofverifyingthatservicepersonne1.areauthenticatedandauthorizedtoperformtheserviceworkneededatthetime,aswe1.1.asvisitormanagementprotoco1.sforandmonitoringofservicepersonne1.whenundertakingmaintenanceon-site(e.g.visitorescorts);i) deve1.opandimp1.ementanapproachforhand1.ingandprocessingreportedhardware,software,andservicessupp1.ychainanoma1.ieswhi1.einoperation；estab1.ishamethodforsubmittingaservicerequestandsecure1.ysharing1.oganderrorinformationwithsupp1.iers;j) monitorthesupp1.iersbusinesshea1.th,inc1.udingwhethertheyareacandidateformergerandacquisitionorinfinancia1.difficu1.ties;k) imp1.ementandenforcepo1.iciesonsoftwareupdatesandpatchmanagement；l) estab1.ishanadequatesupp1.yoftnstedspareandmaintenancepartsforwe1.1.beyondthe1.ifespanofthee1.ement;m) preservedocumentationforanyin-ser,icee1.ementthatisno1.ongersupportedbythesupp1.ier;n)estab1.ishprocessesforpurchasingoffau1.tye1.ementsthatcannotbesecure1.yerasedthatwou1.dc>therwisegobacktothesupp1.ier(e.g.afau1.tyharddrive)tosecure1.yphysica1.1.ydestroy.KKi做WPrOC晔VideSadditiona1.specificguidanceregardingsettingexpectationsduringthe6.4.14Disposa1.processThepurposeofthedisposa1.processinthehardware,software,andservicessupp1.ychainistoend帆BiDtiaIefyOfh出由UwaNaCeaVVarethnIdHem*cs.aa必(nier1.ytttemiMKfepidatiCidindtica1.ntendUddiSPnSa1.needs(egperanagreement,organizationa1.po1.icy,orenvironmenta1.,1.ega1.,safety,securityaspects).SeeISO/IEC/IEEE15288forfurtherinformation.丽Pg限网ich磴圈gJ轴咕M丽别豳IMrShOU1.d呢岫MIMee网曲O1.IOwft谕电成延场he1.ecti啕icdisposa1.processtoaddressinformationsecurityrisksinhardware,software,andservicessupp1.ychain,specifica1.1.ytheriskofcounterfeitproductscontaminatingthesupp1.ychain:a)OfP快幽阴雨的瓯W三由因re1.qM弹豳胧阁toreducerisksofcompromise,forexamp1.e,b)encouragethese1.ectionofe1.ementsthatcanbedisposedofinawaythatdoesnotexposeprotectedore1.ementsthatMfi)FR版用电晒热ents触Obsa1.permitoff1.oadingofdatapriortodisposa1.24©ISO/IEC2023-A)rightsreservedC)PnQhfiIibriZedtnmS【mas网1.iftuii例rfcutiondUrEgdisjttdaiHv3cdataorsensitivee1.ementstod) whenrequiredforforensicinvestigationorfor1.atercomparisonfordetectionofcounterfeits,storee1.ementsfordisposa1.toadedicatedrepositoryandmaintainthechainofcustody;e) imp1.ementproceduresforthesecureandpermanentdestructionofe1.ements,suchasusingcertifieddestructionprovid