Third-party risk management (TPRM) is the discipline of identifying, assessing, and continuously monitoring the security risks introduced by your vendors and partners. Most modern breaches involve a third party, either as the source of compromise or as the path to it. This module covers the operating model, assessment workflow, ongoing monitoring, and the contractual provisions that matter.
Why TPRM is hard
- You don't control vendor systems, only your relationship with them
- Vendors range from huge (AWS, Azure) to tiny (a 3-person SaaS that does one critical thing)
- One-time assessments age quickly; vendor security posture changes
- The risk is often invisible: you cannot observe your vendor's controls from day to day
- Regulatory expectations are rising fast (DPDP, EU DORA, RBI third-party risk guidance)
Vendor classification: tier by inherent risk
Not every vendor needs the same scrutiny. Tier vendors by:
- Data sensitivity: do they hold our customer data? PII? Financial? Source code?
- Access level: direct system access? Reads only? Privileged?
- Operational dependence: would loss of this vendor halt our business?
- Regulatory implications: are they subject to obligations we’re then liable for?
A common 3-tier model:
- Tier 1 (Critical): handles regulated/sensitive data or critical operations. Heavy assessment. Annual reassessment. Real-time monitoring
- Tier 2 (Important): some data access or operational dependence. Light assessment. Biennial reassessment
- Tier 3 (Routine): minimal data, limited operational impact. Self-attestation only. Triennial reassessment
Assessment workflow: pre-contract
- Inherent risk scoring by data sensitivity, access level, and operational dependence; the score determines the tier
- Security questionnaire aligned to the tier: SIG, CAIQ, or custom
- Evidence collection: request the SOC 2 report, ISO 27001 certificate, pentest summary, and security policies
- Review and risk identification: gaps between the vendor's controls and your requirements
- Risk treatment: accept, require remediation before contract, or walk away
- Contract clauses: security addendum, breach notification, audit rights, data processing agreement
- Sign-off by appropriate authority (Tier 1 = CISO; Tier 3 = procurement)
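The tiering model and the inherent-risk scoring step above, as an added illustration that is not part of this module: the enum orderings, the additive weights, the Tier 2 threshold, and the Tier 2 approver are assumptions, while the single-trigger rule makes any one critical factor force Tier 1 so a small vendor holding regulated data cannot land in Tier 2 on a low total.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import IntEnum
from typing import Optional

# Inherent-risk dimensions from the tiering section; ordering is low -> high risk.
Data = IntEnum("Data", "NONE INTERNAL PII REGULATED", start=0)   # REGULATED: financial, health, source code
Access = IntEnum("Access", "NONE READ_ONLY DIRECT PRIVILEGED", start=0)
Dependence = IntEnum("Dependence", "LOW DEGRADED HALTS_BUSINESS", start=0)

@dataclass
class Vendor:
    name: str
    data: Data
    access: Access
    dependence: Dependence
    regulated_obligations: bool  # vendor obligations we become liable for
    last_assessed: Optional[date] = None

# Cadence and sign-off per tier (the Tier 2 approver is an assumption; the module names only Tier 1 and 3).
TIERS = {
    1: {"assessment": "heavy", "reassess_years": 1, "approver": "CISO"},
    2: {"assessment": "light", "reassess_years": 2, "approver": "security team"},
    3: {"assessment": "self-attestation", "reassess_years": 3, "approver": "procurement"},
}

def inherent_risk_score(v: Vendor) -> int:
    # Assumed additive weights: data + access + dependence, plus a flat +2 for regulatory exposure.
    return int(v.data) + int(v.access) + int(v.dependence) + (2 if v.regulated_obligations else 0)

def tier_for(v: Vendor) -> int:
    # Any single critical trigger forces Tier 1 regardless of the additive score,
    # so a tiny vendor holding regulated data cannot slip into Tier 2 on a low total.
    critical = (v.data == Data.REGULATED or v.access == Access.PRIVILEGED
                or v.dependence == Dependence.HALTS_BUSINESS or v.regulated_obligations)
    if critical:
        return 1
    return 2 if inherent_risk_score(v) >= 3 else 3   # assumed threshold

def reassessment_due(v: Vendor, today: date) -> bool:
    # Never-assessed vendors are always due; otherwise compare against the tier's cadence.
    if v.last_assessed is None:
        return True
    years = TIERS[tier_for(v)]["reassess_years"]
    return today >= v.last_assessed + timedelta(days=365 * years)

if __name__ == "__main__":
    v = Vendor("tiny-saas", Data.PII, Access.READ_ONLY, Dependence.LOW, False, date(2020, 1, 1))
    print(v.name, "tier", tier_for(v), "reassessment due:", reassessment_due(v, date(2022, 1, 15)))
```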
Standard questionnaires
- SIG (Standardized Information Gathering): from Shared Assessments. Comprehensive (~1000 questions); the SIG-Lite subset (~250 questions) suits smaller engagements
- CAIQ (Consensus Assessment Initiative Questionnaire): from the Cloud Security Alliance. ~300 questions focused on cloud providers
- VSAQ (Vendor Security Assessment Questionnaire): Google's open-source questionnaire; lighter weight
- Custom subsets: many enterprises start from SIG and trim around 60% of it as not applicable
What to actually verify (versus box-ticking)
Vendors fill in questionnaires aspirationally. The work is verification:
- SOC 2 / ISO 27001 reports: read the auditor's opinion, the exceptions, and the CUECs (complementary user entity controls, the controls you must implement on your side for the vendor's controls to hold)
- Sample evidence: for high-risk vendors, request specific artefacts (e.g., the most recent access review)
- Penetration test summaries: recency (within the last 12 months), scope (relevant to your use case), severity of findings, remediation status
- Public security signals: Bitsight / SecurityScorecard ratings, breach history, public CVE disclosures
- Reference customers: for Tier 1, talk to existing customers about their experience
Contractual security provisions
For Tier 1 vendors, the contract should cover:
- Data Processing Agreement (DPA): required by GDPR/DPDP if PII is involved
- Breach notification: within X hours of a confirmed breach affecting your data
- Audit rights: annual SOC 2 sharing; right to perform an on-site audit (often capped or substituted with the SOC 2 report)
- Subprocessor controls: the vendor's own vendors who touch your data; notification of changes
- Data location: geographic constraints where required for regulatory reasons
- Encryption: required for data at rest and in transit
- Return / destruction of data at contract end
- Security incident liability: financial cap and exclusions
- Insurance: cyber liability minimums
- Termination triggers: material breach of the security provisions
Continuous monitoring
Annual assessments are insufficient. Continuous signals: