(Supply-Chain) Risk Management according to ISO/IEC27036

Cyber threats, hackers, espionage and warfare are increasing the amount of successful attacks on critical infrastructure and companies of all sizes. We have technologies that are somewhat successful at blocking and stoping "some" attacks.

Amidst these threat vectors many people forget some of the most obvious targets like the supply chain and the security of data, information and IP as it leaves the outsourcing company (acquirer) to the supplier. An example of this type of attack is what happened to one of the biggest SIM manufacturers of the world Gemalto.

Supply chain risk management in its simplest form:

1. Concentrates on identifying supply chain information security risks and the likelihood of those risks being exploited by missing governance, processes and misunderstandings between acquirer and supplier
2. What types of risks are likely to a company or possibly a nation if supply chain risks and suppliers are not managed correctly
3. Help you identify which risks you have based on the type of supplier and more importantly which assets you need to protect
4. Choose mechanisms, processes and procedures that can mitigate and minimize some risks