DRAFT IN WIDE CIRCULATION

Document Dispatch Advice
Ref: LITD 17/T-121
Date: 28-01-2019
Technical Committee: LITD 17

(The dispatch advice was issued bilingually, in Hindi and English; the English text is given below.)

ADDRESSED TO:
1. All Members of the Information Systems Security and Biometrics Sectional Committee, LITD 17
2. All Principal Members of the Electronics and Information Technology Division Council (LITDC)
3. All others interested

Dear Madam/Sir(s),

Please find enclosed the following draft Indian Standard:

LITD 17 (13570) ISO/IEC 27036-2:2014 Information technology - Security techniques - Information security for supplier relationships - Part 2: Requirements

Kindly examine this draft standard and forward your views, stating any difficulties which you are likely to experience in your business or profession if this is finally adopted as a National Standard.

Last date for comments: 27-03-2019

Comments, if any, may please be made in the format indicated and mailed to the undersigned.

In case no comments are received, or the comments received are of an editorial nature, you will kindly permit us to presume your approval of the above document as finalized. However, in case comments of a technical nature are received, the document may be finalized either in consultation with the Chairman, Sectional Committee, or referred to the Sectional Committee for further necessary action if so desired by the Chairman, Sectional Committee.

This document has also been hosted on the BIS website (www.bis.gov.in, Standardization > Standards Formulation > Drafts under wide circulation > Electronics & Information Technology).

Thanking you,
Yours faithfully,

(Reena Garg)
Head (Electronics & IT)
E-mail: litd17@bis.gov.in, hlitd@bis.gov.in
Tel: 011-23608235

Encl: As above
Doc. No.: LITD 17 (13570)
IS/ISO/IEC 27036-2:2014

BUREAU OF INDIAN STANDARDS
DRAFT FOR COMMENTS ONLY

Draft Indian Standard
INFORMATION TECHNOLOGY - SECURITY TECHNIQUES - INFORMATION SECURITY FOR SUPPLIER RELATIONSHIPS
Part 2: Requirements

Last date for receipt of comments: 27 March 2019
ICS 35.040

Information Systems Security and Biometrics Sectional Committee, LITD 17

NATIONAL FOREWORD
(Formal clauses to be added later)

This Draft Indian Standard (Part 2), which is identical with ISO/IEC 27036-2:2014 Information technology - Security techniques - Information security for supplier relationships - Part 2: Requirements, issued by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), will be adopted by the Bureau of Indian Standards on the recommendation of the Information Systems Security and Biometrics Sectional Committee and approval of the Electronics and Information Technology Division Council.
Other parts in this series are:
Part 1: Overview and concepts
Part 3: Guidelines for information and communication technology supply chain security
Part 4: Guidelines for security of cloud services

The text of the ISO/IEC Standard may be approved as suitable for publication as an Indian Standard without deviations. Certain conventions are, however, not identical to those used in Indian Standards. Attention is particularly drawn to the following:

a) Wherever the words "International Standard" appear referring to this standard, they should be read as "Indian Standard".
b) Comma (,) has been used as a decimal marker, while in Indian Standards the current practice is to use a point (.) as the decimal marker.

In this adopted standard, reference appears to certain International Standards for which Indian Standards also exist. For undated references, the latest edition of the referenced document applies, including any corrigenda and amendments. The corresponding Indian Standard which is to be substituted in its respective place is listed below along with its degree of equivalence for the edition indicated:

International Standard: ISO/IEC 27000, Information technology - Security techniques - Information security management systems - Overview and vocabulary
Corresponding Indian Standard: IS/ISO/IEC 27000:2018, Information technology - Security techniques - Information security management systems - Overview and vocabulary (under print)
Degree of equivalence: Identical with ISO/IEC 27000:2018

International Standard: ISO/IEC 27036-1, Information technology - Security techniques - Information security for supplier relationships - Part 1: Overview and concepts
Corresponding Indian Standard: IS/ISO/IEC 27036-1:2014, Information technology - Security techniques - Information security for supplier relationships - Part 1: Overview and concepts
Degree of equivalence: Identical with ISO/IEC 27036-1:2014

The scope of ISO/IEC 27036-2:2014 is as follows:

This part of ISO/IEC 27036 specifies fundamental information security requirements for defining, implementing, operating, monitoring, reviewing, maintaining and improving supplier and acquirer relationships. These requirements cover any procurement and supply of products and services, such as manufacturing or assembly, business process procurement, software and hardware components, knowledge process procurement, Build-Operate-Transfer and cloud computing services. These requirements are intended to be applicable to all organizations, regardless of type, size and nature. To meet these requirements, an organization should have already internally implemented a number of foundational processes, or be actively planning to do so. These processes include, but are not limited to, the following: governance, business management, risk management, operational and human resources management, and information security.

Note: The technical content of this document has not been enclosed, as it is identical with the corresponding ISO/IEC Standard. For details, please refer to ISO/IEC 27036-2:2014 or kindly contact the Head, Electronics & IT Department (contact details below).

Initial comments sent by some stakeholders are placed at Annexure 1. Resolution of these will take place along with the comments received during the wide circulation stage.
Head, Electronics & IT Department
Bureau of Indian Standards
9, B.S. Zafar Marg, New Delhi-110002
E-mail: hlitd@bis.gov.in, litd17@bis.gov.in
Tel: 011-23608235

Annexure 1

TEMPLATE FOR SENDING COMMENTS ON BIS DOCUMENTS

Date:
Document No.: ISO/IEC 27036 (Part 2):2016
Title of the Document: Information technology -- Security techniques -- Information security for supplier relationships -- Part 2: Requirements
Name of the Commentator/Organization: Sanjeev Chhabra (HCL)
Abbreviation of the Commentator/Organization: SC

(Comments on each clause/subclause/table/figure, etc. are to be started in a fresh box. Information in column 5 should include reasons for the comments/suggestions for modified wordings of the clauses when the existing text/provision is found not acceptable. Adherence to this format facilitates the Secretariat's work.)

Columns:
(1) Abbreviation of the Commentator/Organization
(2) Clause/Subclause No. (e.g. 3.1)
(3) Paragraph No. / Figure No. / Table No. (e.g. Table 1)
(4) Type of Comment 1)
(5) Comments/Suggestions along with Justification for the Proposed Change
(6) Proposed Change/Modified Wordings

Comment 1
(1) SC
(2) 6.1.2.1
(3) Line item (2), pg 4
(4) Grammatical/Language
(5) Ambiguous/unclear statement
(6) -

Comment 2
(1) SC
(2) 6.1.1.2, point 5, (i)
(3) 1, pg 5
(4) Technical
(5) "Past security relevant performance" - not clear; is it a reference to previous audit reports?
(6) -

Comment 3
(1) SC
(2) 6.1.1.2, point 5, (iii)
(3) pg 5
(4) Grammatical/Language
(5) "Methods for assessing supplier acceptance depend upon the following" may replace the previous statement
(6) -

Comment 4
(1) SC
(2) 6.3.5
(3) page 13, a)
(4) Technical
(5) First line: "if applicable" should be removed; the configuration management process should be followed
(6) First line: "if applicable" should be removed; the configuration management process should be followed

Comment 5
(1) SC
(2) 6.3.5
(3) page 13, a), line 2 (under note)
(4) Grammatical/Language
(5) Should be read as "The purpose of this process is to establish & maintain the integrity of all identified elements/resources of a project or process..."
(6) -

Comment 6
(1) SC
(2) General
(3) -
(4) -
(5) Overall, the document is content heavy & may be found difficult to accept & implement in the Indian or even the international scenario. Only a select few high-worth acquirers & suppliers may be able to comply with this; a typical organisation may need 2-3 years to reach a working stage in line with this document.
(6) -
TEMPLATE FOR SENDING COMMENTS ON BIS DOCUMENTS

Date:
Document No.:
Title of the Document:
Name of the Commentator/Organization:
Abbreviation of the Commentator/Organization:

(Comments on each clause/subclause/table/figure, etc. are to be started in a fresh box. Information in column 5 should include reasons for the comments/suggestions for modified wordings of the clauses when the existing text/provision is found not acceptable. Adherence to this format facilitates the Secretariat's work.)

Columns:
(1) Abbreviation of the Commentator/Organization
(2) Clause/Subclause No. (e.g. 3.1)
(3) Paragraph No. / Figure No. / Table No. (e.g. Table 1)
(4) Type of Comment 1)
(5) Comments/Suggestions along with Justification for the Proposed Change
(6) Proposed Change/Modified Wordings

1) Type of comment: ge = general, te = technical, ed = editorial

BIS electronic commenting template/version 2017/01