ISO/IEC 27036-3:20 23本文件为产品和服务购买者以及硬件、软件和服务供应商提供有关以下方面的指导: a)了解并管理由物理上分散和多层的硬件、软件和服务供应链引起的信息安全风险； b)应对源自这种物理上分散的多层硬件、软件和服务供应链的风险，这些风险可能会对使用这些产品和服务的组织产生信息安全影响； c)将信息安全过程和实践集成到系统和软件生命周期过程中，如ISO/IEC/IEEE 15288和ISO/IEC/IEEE 12207中所述，同时支持信息安全控制，如ISO/IEC 27002中所述。 本文档不包括硬件、软件和服务供应链中涉及的业务连续性管理/弹性问题。ISO/IEC 27031解决了信息和通信技术为业务连续性做好准备的问题。

ISO/IEC 27036-3:2023 This document provides guidance for product and service acquirers, as well as suppliers of hardware, software and services, regarding:
a) gaining visibility into and managing the information security risks caused by physically dispersed and multi-layered hardware, software, and services supply chains;
b) responding to risks stemming from this physically dispersed and multi-layered hardware, software, and services supply chain that can have an information security impact on the organizations using these products and services;
c) integrating information security processes and practices into the system and software life cycle processes, as described in ISO/IEC/IEEE 15288 and ISO/IEC/IEEE 12207, while supporting information security controls, as described in ISO/IEC 27002.
This document does not include business continuity management/resiliency issues involved with the hardware, software, and services supply chain. ISO/IEC 27031 addresses information and communication technology readiness for business continuity.