This guide contains everything you need to know about conducting an information security risk assessment questionnaire at your organization.
Build a robust, compliant third‑party risk management (TPRM) program using our comprehensive, Notion‑based ISO 27036 TPRM Toolkit, based on the internationally recognized ISO/IEC 27036 standard.
Our toolkit transforms the formal language of the standard into actionable, project‑management–friendly steps.
Our toolkit is organized into three comprehensive phases:
Our toolkit also includes a bonus ISO 27036 Checklist to help you verify that your TPRM program aligns with the best practices outlined in ISO 27036 Parts 1 and 2.
ISO/IEC 27036 is an international standard for managing supplier relationships and the information security risks that come with them. It outlines best practices and requirements for assessing, selecting, monitoring, and terminating vendor relationships. By following ISO 27036, organizations can ensure that acquirers and suppliers agree on their security responsibilities and that critical risks are managed throughout the vendor lifecycle.
ISO/IEC 27036 is published in four parts. The three that matter most for a general TPRM program are described below; Part 4 gives guidelines for the security of cloud services and applies when suppliers deliver cloud services.
Part 1 (Overview and concepts) introduces the key principles and terminology for supplier risk management. It explains why managing third‑party risk is critical and outlines the roles of both acquirers and suppliers. Think of it as the “why” and “what” behind TPRM.
Part 2 (Requirements) is the normative core of the standard. It provides detailed, actionable requirements for establishing, operating, and reviewing a TPRM program, covering everything from planning and selecting vendors to monitoring and terminating relationships. Organizations can align their internal TPRM processes directly with these requirements.
Part 3 (ICT supply chain security) offers additional guidance for complex, multi‑tier supply chains where vendors themselves depend on sub‑suppliers or provide hardware or software components. It goes into the technical details of securing the extended supply chain. For most organizations focused on conventional vendor relationships, ISO 27036‑2 is the primary reference, while 27036‑3 is more specialized for environments with intricate ICT dependencies.
ISO 27036 is designed for organizations of all sizes and across all industries that manage supplier relationships. While it applies to both acquirers and suppliers, it is particularly valuable for information security and risk management teams, which are responsible for evaluating, monitoring, and mitigating the risks of third‑party engagements and for ensuring that every vendor relationship is managed under a comprehensive, lifecycle‑based framework.
Is ISO 27036 free to download? No, ISO 27036 is a copyrighted standard. Official copies must be purchased from ISO or an authorized distributor.
Building your TPRM program on ISO 27036 means following internationally recognized best practices. This structured approach helps you manage vendor risks systematically, align responsibilities between acquirers and suppliers, and meet regulatory requirements, all while driving continuous improvement in your security posture.