參 考 文 獻

[1] GB/T 20984-2007 信息安全技術 信息安全風險評估規范

[2] GB/T 22080-2008 信息技術 安全技術 信息安全管理體系 要求（ISO/IEC 27001:2005）

[3] GB/T 22081-2008 信息技術 安全技術 信息安全管理實用規則（ISO/IEC 27002:2005）

[4] GB/T 22239-2008 信息安全技術 信息系統安全等級保護基本要求

[5] GB/Z 24364-2009 信息安全技術 信息安全風險管理指南

[6] GB/T 29245-2012 信息安全技術 政府部門信息安全管理基本要求

[7] GB/T 31168-2014 信息安全技術 云計算服務安全能力要求

[8] GB/T 31509-2015 信息安全技術 信息安全風險評估實施指南

[9] GB/T 32921-2016 信息安全技術 信息技術產品供應方行為安全準則

[10] ISO/IEC 20243:2015 Information technology — Open Trusted Technology Provider? Standard (O-TTPS) — Mitigating Maliciously Tainted and Counterfeit Products

[11] ISO/IEC 27002: 2013 Code of practice for information security controls

[12] ISO/IEC 27036-1 Information technology — Security techniques — Information security for supplier relationships — Part 1: Overview and concepts

[13] ISO/IEC 27036-2 Information technology — Security techniques — Information security for supplier relationships — Part 2: Requirements

[14] ISO/IEC 27036-3 Information technology — Security techniques—Information security for supplier relationships — Part 3: Guidelines for ICT supply chain security

[15] ISO 28000:2007 Specification for security management systems for the supply chain

[16] ISO 28001:2007 Best practices for implementing supply chain security, assessments and plans –Requirements and guidance

[17] ISO 28003:2007 Requirements for bodies providing audit and certification of supply chain security management systems

[18] ISO 28004:2007 Guidelines for the implementation of ISO 28000

[19] NIST SP 800-161 Supply Chain Risk Management Practices for Federal Information Systems and Organizations