TPRM Resources
Quick reference for compliance standards, risk management frameworks, and due diligence fundamentals.
Deep Dive Guides
What Is Third-Party Risk Management (TPRM)?
Third-party risk management (TPRM) is the process of identifying, assessing, monitoring, and mitigating the risks that arise when organizations rely on external...
Vendor Due Diligence Checklist
Before you onboard a vendor that touches sensitive data, here is everything you need to check — and what to document. This checklist is organized by assessment ...
Vendor Risk Assessment Template
A vendor risk assessment is a structured evaluation that scores and classifies vendors by risk level based on the type of data they access, their security postu...
SOC 2 Vendor Assessment Guide
SOC 2 (System and Organization Controls 2) is the most widely requested vendor assurance report in the technology industry. Developed by the AICPA, SOC 2 evalua...
What Is Vendor Risk Management (VRM)?
Vendor risk management (VRM) is the discipline of identifying, evaluating, and controlling risks associated with third-party vendors and suppliers. While closel...
Sanctions Screening for Vendor Due Diligence
Sanctions screening is the process of checking whether a vendor, its principals, or its parent entities appear on government-maintained sanctions lists — primar...
FedRAMP Vendor Authorization Status
FedRAMP (Federal Risk and Authorization Management Program) is the US government's standardized approach to security assessment, authorization, and continuous m...
What Compliance Teams Expect in Vendor Risk Reports
Your auditor just asked for your CC9.2 vendor management evidence. What exactly do they want to see? After reviewing hundreds of vendor risk assessments across ...
Present Vendor Due Diligence to Your SOC 2 Auditor
CC9.2 is the control where most SOC 2 audits hit friction. Here is how to walk into fieldwork with your vendor management evidence already accepted....
Vendor Risk Assessment Without Questionnaires
Security questionnaires take 4-6 weeks, require vendor cooperation, and produce self-reported data you cannot verify. There is a better way....
HIPAA Vendor Risk Assessment Requirements
The HIPAA Security Rule requires covered entities to assess the risk of every business associate that touches PHI. Most organizations do this with a spreadsheet...
FedRAMP Compliance Check — Verify Vendor Status
Your procurement team just asked whether a vendor is FedRAMP authorized. Here is how to check — and what to do when they are not....
FedRAMP Authorized Vendor List (2026)
FedRAMP (Federal Risk and Authorization Management Program) is the US government's standardized approach to security assessment, authorization, and continuous m...
Compliance Standards
PCI DSS
Payment Card Industry Data Security Standard
Security standard for organizations that handle credit card data. Covers network security, data protection, vulnerability management, and access control.
HIPAA
Health Insurance Portability and Accountability Act
US federal law requiring protection of patient health information. Covers Privacy Rule, Security Rule, Breach Notification, and Business Associate requirements.
SOX
Sarbanes-Oxley Act
US law mandating financial reporting controls for public companies. Covers internal controls over financial reporting, IT general controls, and access management.
SOC 2
System and Organization Controls
AICPA framework covering security, availability, processing integrity, confidentiality, and privacy. SOC 2 Type II is the most widely requested vendor assurance report.
GDPR
General Data Protection Regulation
EU regulation governing collection, processing, and storage of personal data. Establishes data subject rights and mandatory 72-hour breach notification.
CCPA / CPRA
California Consumer Privacy Act
California privacy laws granting consumers rights over personal information including rights to know, delete, opt-out, and limit use of sensitive data.
Risk Management Frameworks
NIST CSF 2.0
Cybersecurity Framework
Voluntary framework organized around six functions: Govern, Identify, Protect, Detect, Respond, Recover.
NIST 800-53
Security & Privacy Controls
Comprehensive catalog of 1,000+ controls across 20 families for federal systems, widely adopted in private sector.
ISO 27001 / 27002
Information Security Management
International standard specifying ISMS requirements (27001) with 93 implementation controls (27002).
COSO ERM
Enterprise Risk Management
Integrated framework covering governance, strategy, performance, review, and communication for enterprise risk.
SIG
Standardized Information Gathering
Shared Assessments questionnaire covering 18+ risk domains with 800+ questions for third-party assessment.
TPRM Lifecycle
Planning & Scoping
Define TPRM strategy, identify vendors requiring assessment, establish risk appetite and criteria.
Selection & Due Diligence
Evaluate vendors through risk assessments, security reviews, compliance verification, and financial analysis.
Contract Negotiation
Establish SLAs, data protection clauses, right-to-audit, breach notification, and termination clauses.
Ongoing Monitoring
Continuous oversight through periodic reassessments, incident monitoring, and risk posture tracking.
Termination & Offboarding
Data return/destruction, access revocation, transition planning, and final compliance verification.
Continuous Improvement
Program evaluation, metrics analysis, regulatory adaptation, and process optimization.
Due Diligence Activities