(Supply-Chain) Risk Management according to ISO/IEC27036

Understanding Supply-Chain Information Security Risk Management
4.3 (4 ratings)
30 students enrolled
  • Lectures 15
  • Length 2.5 hours
  • Skill Level All Levels
  • Languages English
  • Includes Lifetime access

About This Course

Published 8/2015 English

Course Description

Cyber threats, hackers, espionage and warfare are increasing the number of successful attacks on critical infrastructure and on companies of all sizes. We have technologies that are somewhat successful at blocking and stopping "some" attacks.

Amidst these threat vectors, many people forget some of the most obvious targets, such as the supply chain and the security of data, information and IP as it leaves the outsourcing company (the acquirer) for the supplier. An example of this type of attack is what happened to one of the world's biggest SIM manufacturers, Gemalto.

Supply chain risk management in its simplest form:

  1. Concentrates on identifying supply chain information security risks and the likelihood of those risks being exploited through missing governance, missing processes and misunderstandings between acquirer and supplier
  2. Considers what types of risks a company, or possibly a nation, is likely to face if supply chain risks and suppliers are not managed correctly
  3. Helps you identify which risks you have based on the type of supplier and, more importantly, which assets you need to protect
  4. Chooses mechanisms, processes and procedures that can mitigate and minimize some of those risks

What are the requirements?

  • Be curious

What am I going to get from this course?

  • Understand Supply-Chain
  • Understand ICT Supply-Chain Risks
  • Understand how to address Information Security risks
  • Understand what ISO/IEC27036 is and how it links to the 2700X family

Who is the target audience?

  • Anyone involved in InfoSec, Risk Management, Supply Chain Management or Security


Section 1: Introduction to Supply-Chain Risk Management

This is an introduction to the course: what we will be looking at and why it is important to anyone interested in information security and supply chain security.


This section explains what risk management is and what the major components of a simple risk management approach and program are. (copyright 2014-2015 M.Goedeker)


This lecture discusses the terms and some definitions commonly used in supply chain information security and the ISO/IEC 27036.


This section discusses the need for external companies that may be needed based on process, product, service or a mixture of services in order to fulfill production and manufacturing needs.


This section explains the different supplier types. Each supplier type has a specific relationship and set of requirements, as well as its own risk aspects.


Introducing suppliers that are not part of the company (external suppliers) into any supply chain adds risks to governance and information security. This section explains the underlying issues with external companies and with securing data and information while products and services are being produced.


As multiple suppliers are added into the mix of risks, outsourcing IT, data and information security into a multi-tiered supplier network makes governance and security more complex. This section discusses the unique challenges of multi-tiered suppliers and their IT security risks.


Guidance on implementing controls and mechanisms to manage information security within the supply chain.


This is the structure of the ISO/IEC standard for Information security in supplier relationships.


Supply chains can also be involved in critical infrastructure and require that certain processes and mechanisms be in place to prove compliance at the national level. This requires knowledge, from both the acquirer and the supplier, of which relevant laws and regulations apply to the outsourced services and products in the supply chain.


Supply chains can also be involved in (globally relevant) critical infrastructure and require that certain processes and mechanisms be in place to prove compliance at the international level. This requires knowledge, from both the acquirer and the supplier, of which relevant laws and regulations apply to the outsourced services and products in the supply chain. As the supply chain becomes more dispersed across multiple tiers, so do the complexity and range of monitoring needed to ensure proper security measures are in place.


In order to satisfy the reporting and mitigation of risks at certain levels, an acquirer or regulatory entity may request that suppliers either submit to a 2nd-party audit or submit proof of an internal audit. In reality many suppliers have pushed back, but as regulatory issues and compliance grow this will change, as customers expect this to be possible. (Copyright 2014-2015 M.Goedeker)


This section looks at ways in which a company can limit or reduce risks and monitor suppliers' adherence to compliance and regulatory requirements by implementing mechanisms, procedures, processes and agreements.


This lecture provides a short overview of some areas or vectors / factors of supply chain attacks from nation-states, competitors or attackers (cyber espionage, warfare, or crime). (Copyright 2014-2015 M.Goedeker)

Section 2: Exam
7 questions

This exam checks to see that course participants have understood the concepts and basics of Supply chain information security risk management. (Copyright 2014-2015 M.Goedeker)

Section 3: Course Materials
13 pages

Here are additional documents and inputs that will help you understand aspects of this introduction to supply chain security and information security based on ISO27036 and best practices.


Instructor Biography

Michael Goedeker, Cyber Security Researcher, Speaker & Trainer, M.Sc. CISSP

Michael has worked on multiple projects globally, from architecture to cyber security, working with some of the biggest Fortune 50 companies and within the top 5 of the consulting industry. Some companies he has worked with and for include Accenture, Avanade, Dell, FSC, HP, IBM, Microsoft, Sophos and Symantec.

Michael's company (HakDefNet) currently does research and projects focused on Global Cyber Threats, International Business and Security Leadership and are aimed at making security products, processes, solutions and defense against cyber threats as easy to understand and implement as possible. Michael is also the author of the chapter "Cyber Security: Future IT-Security Challenges for Tomorrow's Leaders and Businesses", and recently participated in an interview with IGI Global Promotions Coordinator Ann Lupold, elaborating on elevating issues in cyber security and cyber espionage, as well as the challenges that leaders and businesses face in confronting such issues. He also has written for various IT, Channel and Business publications and newspapers internationally.

Michael is also certified as an ISO/IEC27001:2013 Lead Auditor and is the first cyber security trainer to ever be keynote speaker at Davos.
