Roadmap
Vendor / Third-Party Risk Manager
The specialist who designs, operates, and matures the organization's third-party risk management (TPRM) program. Assesses the security, financial, operational, and compliance posture of vendors and service providers throughout the full vendor lifecycle, from initial due diligence through ongoing monitoring to contract exit, to prevent third-party failures from becoming organizational incidents.
OPTIMISTIC 2–3 years · REALISTIC 3–5 years
Stage 00
Risk and Security Fundamentals
Third-party risk managers assess risks that vendors introduce. Understanding what they are assessing is the prerequisite.
Risk Management Fundamentals
- Risk vocabulary — inherent risk, residual risk, risk appetite, risk tolerance (see Risk Analyst Stage 1)
- Risk treatment options — mitigate, accept, avoid, transfer
- Control types — technical, administrative, physical; preventive, detective, corrective
- Risk assessment methodology — identify, analyze, evaluate, treat (see Risk Analyst Stage 2 for full depth)
Security Fundamentals
- CIA Triad — confidentiality, integrity, availability in the context of vendor data handling
- Common vendor security risks: data breach at vendor (exposure of data the vendor processes on your behalf); vendor system compromise (attacker pivots from vendor to your environment); vendor service outage; malicious insider at vendor; software supply chain vulnerabilities
- Cloud security concepts — shared responsibility in SaaS/IaaS/PaaS; vendor's cloud security posture
- Authentication and access management — how vendors access your systems; privileged vendor access
- Encryption — at rest and in transit; key management; relevant to data protection requirements
Business and Contract Basics
- Vendor relationship types — direct supplier, service provider, software vendor, cloud provider, outsourced function
- Subcontractors (fourth parties) — vendors your vendors rely on; they extend the risk chain
- Contract components relevant to TPRM — scope, SLAs, data protection addendum (DPA), audit rights, breach notification, termination provisions, liability caps
- Procurement process — how vendors are selected and onboarded; where TPRM intersects
Resources
- ISACA TPRM resources (free)
- NIST SP 800-161 (Supply Chain Risk Management, free)
- Shared Assessments program overview (free)
Stage 01
TPRM Frameworks and Program Design
Third-party risk programs require a structured framework. Understanding the lifecycle from inherent risk scoping through exit is the operational foundation.
TPRM Lifecycle
- Phase 1: Vendor Identification and Inventory: vendor registry as the central repository (often a GRC platform); vendor categorization by type (SaaS, IaaS, professional services, hardware, staffing); identifying shadow vendors contracted without the program's knowledge; periodic inventory refresh to catch vendors never formally onboarded
- Phase 2: Inherent Risk Tiering: assigns a risk tier before controls are considered; tiering criteria include data sensitivity (PII, PHI, PCI, financial), data volume, system access level, business criticality, financial dependency, geographic considerations; common tiers: Tier 1 Critical (annual reassessment), Tier 2 High (annual/biennial), Tier 3 Standard (biennial/triennial), Tier 4 Low (basic profile)
- Phase 3: Due Diligence and Assessment: security assessment via questionnaire and evidence; financial assessment (viability as going concern); operational resilience (BCP/DR); compliance assessment; reputational assessment (news, litigation, ownership); fourth-party assessment of subcontractors
- Phase 4: Onboarding and Contract: risk findings into contract negotiations; security addendum contractual requirements; Data Processing Agreement DPA per GDPR Article 28; SLA requirements; audit rights clause; subcontractor disclosure and approval; exit provisions for data return/destruction and transition
- Phase 5: Ongoing Monitoring: annual reassessment full or abbreviated by tier; continuous monitoring signals via SecurityScorecard, Bitsight, RiskRecon, news/threat intel feeds, CISA KEV, vendor incident notifications; material change triggers (acquisition, major product changes, new sub-processors, data center changes)
- Phase 6: Issue Management and Remediation: tracking findings in GRC platform; risk acceptance for unresolved findings with documented time limits; escalation for critical findings; remediation verification by confirming implemented controls
- Phase 7: Offboarding / Exit: data return or certified destruction with evidence; system access revocation with audit evidence; credential rotation for credentials shared; transition planning to replacement vendor
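A worked illustration of the Phase 2 tiering rubric and the Phase 5 out-of-cycle review triggers, added here as an example and not code from the roadmap or any named GRC platform; the point values, tier thresholds, 0–100 rating scale and 10-point drop threshold are constructed assumptions that a real program would replace with its own criteria:

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Set

# Constructed scoring rubric (assumption): each tiering criterion from Phase 2
# contributes points; the most sensitive data class counts once, not per type.
DATA_SENSITIVITY = {"public": 0, "internal": 1, "pii": 3, "financial": 3, "phi": 4, "pci": 4}
ACCESS_LEVEL = {"none": 0, "read": 1, "write": 2, "privileged": 4}
CRITICALITY = {"low": 0, "medium": 1, "high": 2, "critical": 4}

# Tier -> reassessment interval in days, following the cadence listed in Phase 2
# (Tier 1 annual, Tier 2 up to biennial, Tier 3 up to triennial, Tier 4 basic profile only).
REASSESS_DAYS = {1: 365, 2: 730, 3: 1095, 4: None}

# Drop in the ratings-platform score (constructed 0-100 scale) that triggers a review.
RATING_DROP_THRESHOLD = 10


@dataclass
class Vendor:
    name: str
    data_types: Set[str] = field(default_factory=set)
    access: str = "none"
    criticality: str = "low"
    data_volume_high: bool = False
    high_risk_geography: bool = False
    last_assessed: Optional[date] = None
    rating: Optional[int] = None  # last known external security rating, 0-100


def inherent_score(v: Vendor) -> int:
    """Sum the rubric points before any vendor controls are considered."""
    score = max((DATA_SENSITIVITY[t] for t in v.data_types), default=0)
    score += ACCESS_LEVEL[v.access] + CRITICALITY[v.criticality]
    score += 1 if v.data_volume_high else 0
    score += 1 if v.high_risk_geography else 0
    return score


def inherent_tier(v: Vendor) -> int:
    """Map the score to Tier 1 (Critical) .. Tier 4 (Low); thresholds are assumptions."""
    s = inherent_score(v)
    return 1 if s >= 9 else 2 if s >= 6 else 3 if s >= 3 else 4


def next_reassessment(v: Vendor, today: date) -> Optional[date]:
    """Scheduled reassessment date by tier; None for Tier 4 (profile only)."""
    days = REASSESS_DAYS[inherent_tier(v)]
    if days is None:
        return None
    return (v.last_assessed or today) + timedelta(days=days)


def review_triggers(v: Vendor, today: date, new_rating: Optional[int] = None,
                    material_change: bool = False) -> List[str]:
    """Phase 5 monitoring: reasons an out-of-cycle review is due (empty list = none)."""
    reasons = []
    due = next_reassessment(v, today)
    if due is not None and today >= due:
        reasons.append("scheduled reassessment overdue")
    if v.rating is not None and new_rating is not None and v.rating - new_rating >= RATING_DROP_THRESHOLD:
        reasons.append(f"security rating dropped {v.rating}->{new_rating}")
    if material_change:  # acquisition, new sub-processor, data center change, etc.
        reasons.append("material change reported")
    return reasons
```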
Key TPRM Standards and Regulations
- NIST SP 800-161 — Supply Chain Risk Management: foundational US government framework; practices across organization, mission/business process, system levels; key controls C-SCRM policy, supplier assessments, SBOM requirements, incident response; Rev 1 (2022) expanded guidance critical for government contractors
- ISO 27036 — Information Security for Supplier Relationships: four-part standard; Part 1 concepts; Part 2 requirements for supplier security; Part 3 ICT supply chain security; Part 4 SaaS security guidelines
- Financial Services Regulatory Context: OCC Guidance 2013-29 Third Party Relationships for banks; FFIEC Third-Party Risk Guidance; DORA Digital Operational Resilience Act EU 2025 for financial entities requiring ICT third-party risk assessment, regulatory register, oversight by financial regulators; SR 13-19 Federal Reserve for bank holding companies
- DORA Implications: applies to EU financial entities (banks, insurance, investment firms, crypto); critical ICT third-party provider CTPP designation faces direct regulatory oversight; mandatory contractual requirements for exit strategies, audit rights, sub-processor disclosure, incident notification timelines; register of ICT third-party arrangements reported to competent authority; concentration risk assessment
- NIS2 Directive EU 2024: supply chain security requirements for essential and important entities; risk management measures include supplier security evaluation; incident reporting requirements for supply chain events; member state transposition through 2024–2025
- GDPR Article 28: processor requirements for any vendor processing personal data; mandatory DPA content (nature/purpose, data types, duration, controller instructions, sub-processor approval, security measures, deletion/return, audit rights, DSAR assistance); controller liability for processor failures; sub-processor chain requiring controller approval
Resources
- NIST SP 800-161 (free)
- ISO 27036 overview (free summaries)
- Shared Assessments SIG overview (free)
- DORA regulatory text (free)
- FFIEC Third-Party Guidance (free)
Stage 02
Assessment Methodology — Deep
The core technical skill of TPRM is conducting rigorous, efficient vendor assessments that produce credible risk findings.
Security Questionnaires
- SIG (Standardized Information Gathering Questionnaire) — Shared Assessments program industry standard: Full SIG 1,200+ questions for Tier 1/critical; SIG Lite abbreviated for lower-risk; SIG Core 18 domains (security policy, incident management, cloud, access control, network security, physical security, etc.)
- CAIQ (Consensus Assessments Initiative Questionnaire) — Cloud Security Alliance cloud-specific: 300+ questions across 17 Cloud Controls Matrix domains; used for SaaS and cloud provider assessments
- VSA (Vendor Security Alliance Questionnaire) — used in technology and media sectors
- Custom internal questionnaires — tailored to specific vendor type or industry
- AI vendor questionnaires — emerging category; training data provenance, model security, data retention, GDPR implications of AI processing
- Questionnaire Process: distributing via GRC platform with email tracking and deadline management; response quality review flagging incomplete, vague, or conflicting answers; evidence review with policies, certifications (SOC 2 Type 2, ISO 27001, PCI AOC), pentest results, vulnerability scans, BCP/DR docs, training records; spot-checking by randomly verifying specific claims
SOC 2 Report Review
- What SOC 2 is — AICPA attestation standard; auditor assesses service organization's controls; SOC 2 Type 1 point-in-time with suitable design (weaker signal); SOC 2 Type 2 over 6–12+ months operating effectively (stronger signal)
- SOC 2 Type 2 report sections: Section I Independent Service Auditor's Report with clean or qualified opinion; Section II management assertion; Section III description of service organization's system; Section IV applicable trust services criteria and related controls with tests and results; Section V other information not audited
- Trust Service Criteria: CC (Common Criteria) Security always included; Availability, Processing Integrity, Confidentiality, Privacy optional
- How to read exceptions — Section IV shows tests and results; "No exceptions noted" = passed; exceptions described = control gap
- Bridge letters — cover the gap after the audit period has ended; vendor attests no material control changes since the report; request one when the report's audit period ended more than 12 months ago
- Subservice organizations — vendors your vendor relies on; complementary user entity controls (CUECs) define what YOU must do for the vendor's controls to work
Penetration Test Report Review
- Report components: executive summary, scope and methodology, findings, risk ratings, remediation recommendations
- Critical questions: is the scope appropriate (covered systems relevant to engagement); were findings remediated (with evidence); what is testing methodology (black box, gray box, white box); how recent (within 12 months standard, 6 months for critical); who conducted (reputable firm vs self-conducted; CREST/PTES)
- Red flags: no executive summary; findings with no remediation status; retested findings still open; limited scope excluding critical systems; very low finding count indicating insufficient scope
Financial Due Diligence
- Financial stability assessment — can this vendor survive as a going concern?
- Indicators of financial distress: significant losses, high debt-to-equity ratio, declining revenue, layoffs, executive departures, investor pressure
- Data sources: public financial statements, Dun & Bradstreet, Moody's/S&P ratings, news reports, bankruptcy filings
- Concentration risk — your financial exposure if this vendor fails; what is the cost to replace?
- Escrow arrangements — source code escrow for critical software vendors; ensures continuity if vendor fails
Continuous Monitoring Tools
- Security ratings platforms: SecurityScorecard (A–F grade from external signals — open ports, DNS, web app security, leaked credentials, IP reputation, endpoint, patching, network); Bitsight Security Ratings (widely used in financial services); RiskRecon (Mastercard; outside-in web and network); Black Kite (ransomware susceptibility scoring)
- What ratings measure — externally observable signals; not a substitute for detailed assessment
- What ratings don't measure — internal controls, access management, encryption at rest, governance processes
- Using ratings as triggers — when a vendor's rating drops significantly; trigger out-of-cycle review
Stage 03
TPRM Platforms and Tools
TPRM programs run on GRC platforms. Operational fluency with at least one platform is required for most roles.
GRC and TPRM Platforms
- RSA Archer: enterprise GRC platform, highly configurable, complex implementation; vendor risk module (registry, risk scoring, questionnaire distribution, findings tracking); workflow engine for customizable approval; reporting dashboards and regulatory evidence packages; integration with SecurityScorecard, Bitsight, external sources
- ServiceNow Integrated Risk Management (IRM) / Vendor Risk Management (VRM): built on ServiceNow platform; advantage if organization runs ServiceNow ITSM; VRM module for vendor onboarding, assessment, issue tracking, contract management; integration with ITSM; relatively newer than Archer, faster implementation, less flexibility
- ProcessUnity: TPRM-specific platform, purpose-built (unlike Archer which is general GRC); strong questionnaire management and automation; vendor portal for self-serve questionnaire completion; SecurityScorecard and Bitsight integrations native; popular in financial services and healthcare
- OneTrust GRC and Third-Party Risk: combines privacy (consent, DSR) with risk management; TPRM module for vendor assessments, risk scoring, contract management; strong for GDPR processor management with TPRM
- AuditBoard: risk, audit, and compliance platform; vendor risk component within broader GRC; popular in organizations with active internal audit programs
- Prevalent: TPRM-specialized; automated vendor monitoring; risk scoring; combines assessment + continuous monitoring + cyber threat intelligence
Excel-Based TPRM (Small Organizations)
- Vendor inventory spreadsheet for basic tracking before GRC investment; assessment tracking for questionnaire responses and finding status; risk register for vendor risks extending the enterprise risk register; graduate to a platform when vendor count exceeds ~50 or assessment volume exceeds team capacity
Resources
- Vendor platform documentation (free trials available)
- Shared Assessments program resources (free)
Stage 04
Fourth-Party Risk and Concentration Risk
Modern TPRM extends beyond direct vendors to the vendors' vendors and the risks of excessive dependence on specific providers.
Fourth-Party Risk
- Definition — risks introduced by your vendors' service providers (subcontractors, cloud providers, software dependencies)
- Why it matters: SolarWinds attack propagated through software updates from a trusted vendor; MOVEit impacted thousands of organizations through a shared file transfer tool
- Identifying fourth parties: questionnaire question asking vendor to list subcontractors with access; SOC 2 Type 2 Section III usually lists subservice organizations; DPA sub-processor list under GDPR; contractual obligation for disclosure and approval for new sub-processors
- Assessing fourth-party risk: obtain SOC 2 or certifications for critical sub-processors; review vendor's subcontractor management program; right to audit sub-processors via contract clause; SBOM (Software Bill of Materials) for open-source and commercial components
- Common fourth-party concentrations: AWS, Azure, GCP (most SaaS vendors run on one of three); major CDNs (Cloudflare, Akamai) whose outage impacts multiple vendors simultaneously; key software libraries (Log4j taught this lesson)
Concentration Risk
- Definition — excessive dependence on a single vendor creates systemic risk; failure of one vendor could be catastrophic
- Measurement: vendor dependency mapping by business process; critical vendor count per process; revenue percentage dependent on single vendor; geographic concentration in same region/datacenter
- Financial sector specific — OCC and Fed examine concentration risk explicitly; single-vendor dependencies in critical functions are regulatory concerns
- Mitigation strategies: multi-vendor strategy for critical functions; vendor exit planning with documented transition path; operational resilience testing exercising ability to function during vendor outage
Stage 05
Contract Management and Legal Integration
TPRM professionals work closely with legal and procurement. Understanding how risk findings translate to contractual protections is a core function.
Security Contract Provisions
- Data Processing Agreement (DPA/DPA Addendum): required for GDPR-regulated processing, increasingly for US state laws; content includes data categories, purposes, duration, processor obligations, sub-processor controls, security measures, deletion/return, breach notification, DSAR assistance; prefer your template or redline vendor template
- Security Addendum / Information Security Schedule: encryption at rest and in transit with minimum cipher standards; access control including MFA, least privilege, PAM; vulnerability management with patching SLAs by severity (Critical 72 hours, High 14 days); penetration testing frequency and report provision; log retention period and format; incident notification timeline (24 or 72 hours); background checks; physical security for facility access
- Audit rights: right to audit or require third-party audit results; frequency annually or upon reasonable request; notice period typically 30 days for scheduled audits; scope agreed in advance limited to controls relevant to your relationship
- Termination for cause — breach of security obligations gives right to immediate termination; critical for incident response scenarios
- Liability and indemnification — vendor's financial responsibility for security failures; cap limits
- Insurance requirements — cyber liability insurance minimum coverage; certificate provision
Procurement Integration
- Pre-onboarding checkpoint — TPRM review before procurement decision is final
- Risk-adjusted pricing — significant remediation requirements may affect vendor pricing decisions
- New vendor alert — procurement must notify TPRM before engaging new vendors above threshold
- Contract renewal process — TPRM review before renewal; update to current security requirements
Stage 06
Hands-On Practice & Portfolio
Building TPRM Experience
- Volunteer for vendor assessment work — in current security/risk/compliance role
- Shadow or assist TPRM team — in organizations with dedicated function
- Review public SOC 2 reports — some are published; practice SOC 2 analysis with real documents
- GRC platform free trials — ProcessUnity, OneTrust — request sandbox access
- Shared Assessments training — free introductory materials on SIG questionnaire
What to Document on LabList
- Assessment methodology documentation — how you conduct a vendor risk assessment; what evidence you require by vendor tier
- SOC 2 review case study — a sample analysis of a real published SOC 2 report (noting findings, exceptions, subservice organizations)
- Vendor tiering framework — design for a fictional organization's vendor risk tiering
- TPRM program design document — lifecycle phases, governance, tools, metrics
- Cert progression — CTPRP or CISA documented with context
FAQ
Common questions
How long does it take to become a TPRM professional?
2–3 years optimistic at 20–25 hours/week, 3–5 years realistic. TPRM rewards regulatory fluency, professional writing, and stakeholder management over deep technical implementation. The fastest paths come from compliance, audit, or risk analyst backgrounds with vendor-handling experience. Career-changers from contracts, procurement, or vendor management roles transition successfully when they pair their domain depth with security framework fluency.
Which certifications matter for TPRM?
CTPRP (Certified Third-Party Risk Professional) is the purpose-built TPRM credential. CRISC for risk-heavy roles. CISA for audit-overlapping TPRM. CISSP for senior TPRM positions. Shared Assessments certifications for SIG questionnaire fluency. ISO 27001 awareness for organizations with international vendor portfolios. Salary range $90K–$140K base plus performance compensation.
Do I need a degree?
Most TPRM specialists hold a bachelor's, often in business, information systems, or law. Career-changers from operations, compliance, or vendor management backgrounds transition successfully when they demonstrate framework fluency. The role is documentation-heavy and stakeholder-driven — strong professional writing and meeting facilitation outweigh deep technical credentials.
What separates a hired TPRM professional?
Documented vendor risk assessment work. Show a SOC 2 review you've conducted, a SIG questionnaire response analysis, and a written risk assessment report. Other differentiators: continuous monitoring tool experience (Bitsight, SecurityScorecard, Black Kite), supply chain incident response participation, and DORA or NIS2 vendor compliance work. Third-party risk has moved from checkbox function to core risk domain, driven by SolarWinds, MOVEit, the Okta breach, and SEC supply chain disclosure rules.