ISO/IEC 27036-1:2014 - Information technology -- Security techniques -- Information security for supplier relationships -- Part 1: Overview and concepts

Archived
Published on: 05/10/2017 Last update: 22/10/2019

ISO/IEC 27036 is a multi-part standard offering guidance on the evaluation and treatment of information risks involved in the acquisition of goods and services from suppliers. The implied context is business-to-business relationships (rather than retailing) and information-related products. The terms acquisition and acquirer are used rather than purchase and purchasing, since the process and the risks are much the same whether or not the transactions are commercial (e.g. one part of an organization or group may acquire products from another part as an internal transfer without literally paying for them).
ISO/IEC 27036-1:2014 - Information security for supplier relationships — Part 1: Overview and concepts
ISO/IEC 27036-2:2014 - Information security for supplier relationships — Part 2: Requirements
ISO/IEC 27036-3:2013 - Information security for supplier relationships — Part 3: Guidelines for ICT supply chain security
ISO/IEC 27036-4:2016 - Guidelines for security of cloud services

Categorisation

Format: PDF
Status: Completed
Representation technique: Human Language