In "ISO 27001:2013 vs ISO 27001:2005 differences comparison #4" it was noted that the new ISO 27001/27002 adds 12 new controls; each of them will be explained and shared here in turn:
**15.1.3 Information and communication technology supply chain**

**Control**

Agreements with suppliers should include requirements to address the information security risks associated with information and communication technology services and product supply chain.

**Implementation guidance**
The following topics should be considered for inclusion in supplier agreements concerning supply chain security:
a) defining information security requirements to apply to information and communication technology product or service acquisition in addition to the general information security requirements for supplier relationships;
b) for information and communication technology services, requiring that suppliers propagate the organization’s security requirements throughout the supply chain if suppliers subcontract for parts of information and communication technology service provided to the organization;
c) for information and communication technology products, requiring that suppliers propagate appropriate security practices throughout the supply chain if these products include components purchased from other suppliers;
d) implementing a monitoring process and acceptable methods for validating that delivered information and communication technology products and services are adhering to stated security requirements;
e) implementing a process for identifying product or service components that are critical for maintaining functionality and therefore require increased attention and scrutiny when built outside of the organization especially if the top tier supplier outsources aspects of product or service components to other suppliers;
f) obtaining assurance that critical components and their origin can be traced throughout the supply chain;
g) obtaining assurance that the delivered information and communication technology products are functioning as expected without any unexpected or unwanted features;
h) defining rules for sharing of information regarding the supply chain and any potential issues and compromises among the organization and suppliers;
i) implementing specific processes for managing information and communication technology component lifecycle and availability and associated security risks. This includes managing the risks of components no longer being available due to suppliers no longer being in business or suppliers no longer providing these components due to technology advancements.
The new ISO 27001/27002 expects agreements with suppliers to consider including requirements that address the information security risks associated with information and communication technology services and their product supply chain. This includes obtaining assurance that the delivered products function as expected, with no unexpected or unwanted features (for example covert channels or back doors). The information and communication technology services referred to here include cloud computing services.
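As an added illustration of what guidance items d) and f) can look like in practice (this is example code written for this post, not text from ISO 27002 and not a tool the standard prescribes), the following acceptance check recomputes the digest of a delivered artifact and compares it with the supplier's declared manifest, and then flags any critical component whose stated origin is not an approved supplier. The manifest layout, supplier names, component names and artifact bytes are all constructed assumptions for the example.

```python
# Added example, not part of ISO 27002 or of the original post: a minimal
# acceptance check for a delivered ICT product that exercises guidance items
# d) (validating that what was delivered matches stated requirements) and
# f) (critical components and their origin are traceable through the chain).
# Manifest format, supplier names, component names and the artifact bytes
# are all constructed for this illustration.
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    supplier: str        # organisation that produced this component
    critical: bool       # item e): needs extra scrutiny when built externally


@dataclass(frozen=True)
class Manifest:
    product: str
    sha256: str          # digest the supplier declares for the delivered artifact
    components: tuple    # bill of materials supplied with the delivery


# Constructed: suppliers (including subcontractors, items b/c) that the
# organisation has an agreement with and can therefore trace a component to.
APPROVED_SUPPLIERS = frozenset({"ExampleVendor", "ExampleVendor-SubA"})


def artifact_matches_manifest(delivered: bytes, manifest: Manifest) -> bool:
    """Item d): recompute the digest of what actually arrived and compare it
    with the supplier's declared value using a constant-time comparison."""
    actual = hashlib.sha256(delivered).hexdigest()
    return hmac.compare_digest(actual, manifest.sha256)


def untraceable_critical_components(manifest: Manifest) -> list:
    """Item f): critical components whose origin is not an approved supplier
    cannot be traced through the chain and must be raised with the supplier."""
    return [
        f"{c.name} {c.version} (supplier: {c.supplier})"
        for c in manifest.components
        if c.critical and c.supplier not in APPROVED_SUPPLIERS
    ]


def acceptance_check(delivered: bytes, manifest: Manifest) -> dict:
    """Combine both checks into one acceptance decision with its findings."""
    findings = []
    if not artifact_matches_manifest(delivered, manifest):
        findings.append("delivered artifact digest does not match manifest")
    for entry in untraceable_critical_components(manifest):
        findings.append(f"critical component with untraceable origin: {entry}")
    return {"product": manifest.product, "accepted": not findings, "findings": findings}


# Constructed sample delivery: a short byte string standing in for an image.
SAMPLE_ARTIFACT = b"constructed firmware image 1.2.0"
SAMPLE_MANIFEST = Manifest(
    product="example-gateway-firmware",
    sha256=hashlib.sha256(SAMPLE_ARTIFACT).hexdigest(),
    components=(
        Component("tls-library", "3.1.0", "ExampleVendor-SubA", critical=True),
        Component("web-ui", "2.0.4", "ExampleVendor", critical=False),
    ),
)

# Constructed failure case: bytes that differ from what the manifest declares,
# plus a critical component whose origin is not an approved supplier.
TAMPERED_ARTIFACT = SAMPLE_ARTIFACT + b"\x00"
UNTRACED_MANIFEST = Manifest(
    product="example-gateway-firmware",
    sha256=SAMPLE_MANIFEST.sha256,
    components=SAMPLE_MANIFEST.components
    + (Component("boot-loader", "0.9", "unknown-origin", critical=True),),
)

if __name__ == "__main__":
    for label, data, manifest in (
        ("good delivery", SAMPLE_ARTIFACT, SAMPLE_MANIFEST),
        ("tampered, untraced", TAMPERED_ARTIFACT, UNTRACED_MANIFEST),
    ):
        result = acceptance_check(data, manifest)
        print(label, "->", "accepted" if result["accepted"] else "rejected")
        for finding in result["findings"]:
            print("   ", finding)
```

In a real deployment the manifest would itself need to be authenticated (for example signed by the supplier) and the approved-supplier set would come from the contractual records kept for the supplier relationship; the check shown only covers the comparison and traceability steps that items d) and f) describe.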