TPRM Fundamentals

What Is Third-Party Risk Management?

Third-party risk management (TPRM) is the process of identifying, assessing, monitoring, and mitigating the risks that arise when organizations rely on external vendors, suppliers, and service providers. Every vendor that handles your data, connects to your systems, or delivers critical services introduces risk — from data breaches and compliance violations to operational disruptions and reputational damage. TPRM provides the structured approach to evaluate and manage these risks throughout the vendor lifecycle.

Why TPRM matters

The average enterprise uses over 1,000 third-party vendors, and 60% of data breaches involve a third-party vector. Regulations like GDPR, HIPAA, PCI DSS, and SOX hold organizations accountable for vendor security failures, not just their own. A robust TPRM program reduces breach probability, ensures regulatory compliance, protects customer trust, and provides board-level visibility into vendor risk exposure.

The six stages of the TPRM lifecycle

1. Planning & Scoping — Define your risk appetite, identify which vendors require assessment, and establish evaluation criteria based on data sensitivity and business criticality.

2. Due Diligence & Assessment — Evaluate vendor security posture through questionnaires, evidence review, and independent investigation. This includes sanctions screening, cyber risk analysis, compliance verification, and financial stability checks.

3. Contract & Onboarding — Negotiate data protection clauses, SLAs, right-to-audit provisions, breach notification requirements, and termination terms.

4. Ongoing Monitoring — Continuously track vendor risk through periodic reassessments, adverse media monitoring, and real-time threat intelligence.

5. Incident Management — Respond to vendor security incidents, coordinate remediation, assess impact, and fulfill regulatory notification requirements.

6. Offboarding — Manage vendor termination including data return or destruction, access revocation, and transition planning.

Key TPRM frameworks and standards

Several frameworks guide TPRM implementation: NIST Cybersecurity Framework (CSF 2.0) provides the Govern, Identify, Protect, Detect, Respond, Recover structure. ISO 27001 specifies information security management system requirements. NIST 800-53 offers a comprehensive control catalog. The Shared Assessments SIG questionnaire standardizes vendor assessment with 800+ questions across 18+ risk domains. For specific industries, HIPAA governs healthcare vendor risk, PCI DSS covers payment processors, and OCC/FFIEC guidance addresses financial services vendor management.

Traditional TPRM vs. autonomous investigation

Traditional TPRM relies on vendor-completed questionnaires that take 4-6 weeks, return self-reported answers, and provide no independent verification. Modern approaches like autonomous investigation use publicly-available intelligence sources — sanctions databases, breach disclosures, DNS records, certificate transparency logs, court filings, and regulatory registries — to assess vendors in seconds without requiring vendor cooperation. This provides independent evidence that vendors cannot influence or curate.

For a detailed walkthrough of how this works in practice under SOC 2, see our SOC 2 Vendor Assessment Guide. For organizations with cross-border payment vendors, our sanctions screening guide covers OFAC, EU, and UN screening requirements.

TPRM in practice: a 35-vendor walkthrough

Your company is preparing for SOC 2. You have 35 vendors. Here is the workflow that satisfies CC9.2.

Vendor inventory. List all 35 vendors with their name, data access level (sensitive, confidential, public), business criticality (critical, important, standard), and primary contact. This inventory is the foundation — your auditor will ask for it.

Risk tiering. Classify each vendor by assessment depth: Tier 1 critical vendors (5-8 vendors — your cloud provider, identity provider, payment processor) get full assessment. Tier 2 important vendors (10-12 vendors — collaboration tools, monitoring, CRM) get standard assessment. Tier 3 standard vendors (15-18 vendors — office supplies, design tools, low-data-access SaaS) get basic screening.

Assessment execution. This is where traditional programs break down. Sending 35 questionnaires takes months. ThirdProof produces each investigation in under 2 minutes — 22 intelligence sources queried in parallel, deterministic risk scoring, and a PDF report with source citations. Your 35-vendor assessment queue completes in a single afternoon instead of a single quarter.

Findings documentation. Each investigation produces specific findings with severity ratings (Critical, High, Medium, Low, Info) and source attribution. Document findings in your risk register alongside the vendor's risk tier and recommended actions.

Reviewer sign-off. A human reviews each assessment and records their decision: approve, approve with conditions, or reject. ThirdProof's Review Certification page captures this sign-off with the reviewer's name and date.

Monitoring and reassessment. Set reassessment dates proportional to risk tier: Tier 1 annually, Tier 2 every 18 months, Tier 3 every 24 months. Flag any vendor with a material change (breach, acquisition, regulatory action) for immediate reassessment regardless of schedule.
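The inventory, tiering, findings and reassessment steps above, implemented as a small vendor risk register. This is an added example, not ThirdProof's code or data model. The criticality-to-tier mapping, the five severity ratings and the 12/18/24-month intervals come from the walkthrough; the rule that a vendor with sensitive data access is escalated one tier, the fictional vendor names, contacts and dates, and the "today" used for the queue are this example's own assumptions.

```python
from __future__ import annotations

import calendar
from dataclasses import dataclass, field
from datetime import date

# Reassessment interval per risk tier, in months, as given in the walkthrough:
# Tier 1 annually, Tier 2 every 18 months, Tier 3 every 24 months.
REASSESS_MONTHS = {1: 12, 2: 18, 3: 24}

# Business criticality sets the base tier (critical -> 1, important -> 2, standard -> 3).
TIER_BY_CRITICALITY = {"critical": 1, "important": 2, "standard": 3}

# Severity ratings used for findings in the risk register.
SEVERITIES = ("Critical", "High", "Medium", "Low", "Info")


@dataclass
class Vendor:
    name: str
    data_access: str          # "sensitive" | "confidential" | "public"
    criticality: str          # "critical" | "important" | "standard"
    contact: str
    last_assessed: date | None = None
    # (severity, finding, source attribution)
    findings: list[tuple[str, str, str]] = field(default_factory=list)


def assign_tier(v: Vendor) -> int:
    """Map a vendor to an assessment tier.

    Assumption (not from the page): a vendor with sensitive data access is
    escalated one tier, so tiering reflects data sensitivity as well as criticality.
    """
    tier = TIER_BY_CRITICALITY[v.criticality]
    if v.data_access == "sensitive" and tier > 1:
        tier -= 1
    return tier


def add_months(d: date, months: int) -> date:
    """Add calendar months, clamping the day to the target month's length."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def next_reassessment(v: Vendor) -> date | None:
    """Scheduled reassessment date, or None if the vendor was never assessed."""
    if v.last_assessed is None:
        return None
    return add_months(v.last_assessed, REASSESS_MONTHS[assign_tier(v)])


def record_finding(v: Vendor, severity: str, finding: str, source: str) -> None:
    """Append a finding with its severity rating and source attribution."""
    if severity not in SEVERITIES:
        raise ValueError(f"unknown severity {severity!r}")
    v.findings.append((severity, finding, source))


def assessment_queue(vendors: list[Vendor], today: date,
                     material_changes: set[str] | None = None) -> list[str]:
    """Names of vendors needing assessment now, ordered by tier then name.

    A vendor is due when it was never assessed, when its scheduled date has
    passed, or when a material change (breach, acquisition, regulatory action)
    was flagged for it regardless of schedule.
    """
    flagged = material_changes or set()
    due = []
    for v in vendors:
        scheduled = next_reassessment(v)
        if v.name in flagged or scheduled is None or scheduled <= today:
            due.append(v)
    due.sort(key=lambda v: (assign_tier(v), v.name))
    return [v.name for v in due]


# Constructed sample inventory: fictional vendors and dates, not from the page.
SAMPLE_VENDORS = [
    Vendor("CloudHost", "sensitive", "critical", "ops@example.com", date(2023, 3, 15)),
    Vendor("IdP-Co", "sensitive", "critical", "sec@example.com", date(2024, 9, 1)),
    Vendor("ChatTool", "confidential", "important", "it@example.com", date(2023, 1, 31)),
    Vendor("CRM-Inc", "sensitive", "important", "sales@example.com", date(2024, 6, 1)),
    Vendor("DesignApp", "public", "standard", "mkt@example.com", date(2022, 12, 1)),
    Vendor("OfficeSupplies", "public", "standard", "admin@example.com", None),
]
SAMPLE_TODAY = date(2024, 10, 1)  # assumed current date for the queue

if __name__ == "__main__":
    for v in SAMPLE_VENDORS:
        print(f"{v.name:15} tier {assign_tier(v)}  next reassessment {next_reassessment(v)}")
    # IdP-Co is not due by schedule but is flagged for a material change.
    print("queue:", assessment_queue(SAMPLE_VENDORS, SAMPLE_TODAY, {"IdP-Co"}))
```

Running the block prints each vendor's tier and scheduled date, then the queue for the assumed date: CloudHost and ChatTool are overdue, OfficeSupplies has never been assessed, and IdP-Co enters the queue only because of the material-change flag.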

What ThirdProof investigations reveal across vendors

Across hundreds of completed investigations, several patterns emerge consistently.

HTTP security header deficiencies are common. QuickBooks scored an F (0/100) on HTTP security headers despite being a major financial platform. Okta, an identity provider, scored F (20/100). BambooHR scored C (50/100). These are not indicators of compromise — they reflect configuration gaps on public-facing marketing sites. But they matter for compliance documentation because auditors expect you to be aware of them.
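A minimal illustration of what an HTTP security header check looks like, added here as an example; it is not ThirdProof's scoring methodology. The set of headers checked, the weights and the letter-grade thresholds are this example's own assumptions (chosen so that the three scores quoted above land in the grades the page reports), and the three header sets are constructed, not captured from any vendor. Gaps are recorded at Low severity, matching the point that these are configuration gaps rather than indicators of compromise.

```python
from __future__ import annotations

import re
import urllib.request

# Assumed weights for this example (not ThirdProof's): each check earns its
# weight when the header is present with an acceptable value. Sum is 100.
CHECK_WEIGHTS = {
    "strict-transport-security": 20,
    "content-security-policy": 30,
    "x-content-type-options": 10,
    "frame-protection": 15,   # X-Frame-Options, or CSP frame-ancestors
    "referrer-policy": 10,
    "permissions-policy": 15,
}

ONE_YEAR = 31536000  # seconds; commonly recommended minimum HSTS max-age


def letter_grade(score: int) -> str:
    """Constructed grade scale, consistent with the scores quoted on the page."""
    for threshold, grade in ((90, "A"), (70, "B"), (50, "C"), (30, "D")):
        if score >= threshold:
            return grade
    return "F"


def hsts_points(value: str | None) -> int:
    """Full points for a year-or-longer max-age, half for a shorter one, none if absent."""
    if value is None:
        return 0
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    if not m or int(m.group(1)) == 0:
        return 0  # max-age=0 tells browsers to forget the HSTS policy
    full = CHECK_WEIGHTS["strict-transport-security"]
    return full if int(m.group(1)) >= ONE_YEAR else full // 2


def evaluate_headers(raw_headers: dict[str, str]) -> dict:
    """Score a set of HTTP response headers and list the gaps as Low findings."""
    h = {k.lower(): v for k, v in raw_headers.items()}  # header names are case-insensitive
    csp = h.get("content-security-policy", "")
    earned = {
        "strict-transport-security": hsts_points(h.get("strict-transport-security")),
        "content-security-policy": CHECK_WEIGHTS["content-security-policy"] if csp else 0,
        "x-content-type-options": CHECK_WEIGHTS["x-content-type-options"]
            if h.get("x-content-type-options", "").strip().lower() == "nosniff" else 0,
        "frame-protection": CHECK_WEIGHTS["frame-protection"]
            if h.get("x-frame-options", "").strip().upper() in ("DENY", "SAMEORIGIN")
            or "frame-ancestors" in csp.lower() else 0,
        "referrer-policy": CHECK_WEIGHTS["referrer-policy"] if "referrer-policy" in h else 0,
        "permissions-policy": CHECK_WEIGHTS["permissions-policy"] if "permissions-policy" in h else 0,
    }
    score = sum(earned.values())
    findings = [f"Low: {name} missing or weak" for name, pts in earned.items()
                if pts < CHECK_WEIGHTS[name]]
    return {"score": score, "grade": letter_grade(score), "findings": findings}


def fetch_headers(url: str) -> dict[str, str]:
    """Fetch response headers for a site you operate, e.g. to check your own posture."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return dict(resp.headers.items())


# Constructed sample header sets (not captured from any real vendor).
HARDENED = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}
BARE = {"Content-Type": "text/html", "Server": "nginx"}
PARTIAL = {
    "Strict-Transport-Security": "max-age=31536000",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "Referrer-Policy": "no-referrer",
}

if __name__ == "__main__":
    for label, headers in (("hardened", HARDENED), ("bare", BARE), ("partial", PARTIAL)):
        print(label, evaluate_headers(headers))
```

With these weights the constructed sets score 100 (A), 0 (F) and 55 (C); the findings list for each is what you would carry into the risk register, so the auditor sees that the gap was noticed and rated rather than missed.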

Certifications are frequently claimed but not independently verified. Dropbox claims 10 compliance certifications on its trust page, but none could be independently verified through public registries during investigation. Notion claims 7 certifications. This does not mean the certifications are fraudulent — SOC 2 reports are not published in a central registry. It means your evidence file should note the verification gap and request the actual report.

Missing subprocessor lists are widespread. Stripe, Wise, and QuickBooks had no publicly discoverable subprocessor page during their investigations. This limits fourth-party risk visibility — a gap that auditors increasingly scrutinize under CC9.2.

Strong security posture does not prevent moderate risk ratings. Stripe received Tier 4 (Low Risk) at 98% confidence with exemplary technical scores. Notion also received Tier 4 at 98% confidence. But Okta received Tier 3 (Moderate Risk) despite being an identity security vendor — driven by documented 2022-2023 security incidents. Risk tier reflects the full evidence picture, not just current technical posture.

Framework mapping: which standards require TPRM

SOC 2 — CC9.2 (Risk Assessment of Third Parties). Requires organizations to identify, assess, and manage risks associated with third-party service providers. The most common framework driving TPRM program adoption in technology companies. See our SOC 2 vendor assessment guide for CC9.2 evidence requirements.

HIPAA — Security Rule § 164.308(b)(1). Requires covered entities to ensure that business associates adequately protect PHI through written assurance (BAAs) and ongoing oversight. See our HIPAA vendor risk assessment guide for BAA determination and business associate oversight.

PCI-DSS 4.0 — Requirement 12.8. Mandates that organizations maintain a list of all third-party service providers (TPSPs) with which account data is shared, establish written agreements, and monitor their PCI compliance status annually.

CMMC Level 2 — Practice C017 (Supply Chain Risk Management). Requires defense contractors to implement supply chain risk management processes for their vendors and subcontractors. See our CMMC industry page for control mapping.

OCC 2023-17 (Third-Party Risk Management Guidance). Updated federal banking guidance requiring national banks and federal savings associations to manage risks from third-party relationships through the full lifecycle: planning, due diligence, contract negotiation, ongoing monitoring, and termination.

DORA — Article 28 (ICT Third-Party Risk). The EU's Digital Operational Resilience Act requires financial entities to manage ICT third-party risk through contractual arrangements, concentration risk assessment, and oversight of critical ICT service providers. Effective January 2025.

See this in action

ThirdProof automates vendor risk assessment across 21 intelligence sources. Investigate any vendor in under 2 minutes — no questionnaires, no vendor cooperation required.


Frequently asked questions

What does TPRM stand for?

TPRM stands for Third-Party Risk Management. It encompasses the policies, processes, and technology used to identify, assess, monitor, and mitigate risks arising from an organization's relationships with external vendors, suppliers, and service providers.

What is the difference between TPRM and VRM?

TPRM (Third-Party Risk Management) and VRM (Vendor Risk Management) are closely related but differ in scope. VRM focuses specifically on vendor and supplier relationships. TPRM is broader, covering all third-party relationships including partners, contractors, joint ventures, and any external entity that has access to your data or systems. In practice, many organizations use the terms interchangeably.

Who is responsible for TPRM in an organization?

TPRM responsibility typically sits with the Chief Information Security Officer (CISO), Chief Risk Officer (CRO), or a dedicated third-party risk management team. However, effective TPRM requires collaboration across procurement, legal, IT, compliance, and business units. Board-level oversight is increasingly expected, particularly in regulated industries.

How often should vendor risk assessments be performed?

Assessment frequency depends on vendor criticality and risk tier. Critical vendors handling sensitive data should be reassessed annually or when material changes occur. High-risk vendors warrant annual reviews. Medium and low-risk vendors can be assessed every 2-3 years. Continuous monitoring tools can supplement periodic assessments by providing real-time risk signals between formal reviews.

What frameworks require third-party risk management?

Multiple frameworks mandate TPRM: SOC 2 (CC9.2), HIPAA Security Rule § 164.308(b)(1), PCI-DSS 4.0 Requirement 12.8, CMMC Level 2 Practice C017, OCC 2023-17 for banking, and DORA Article 28 for EU financial entities. Most regulated industries have explicit third-party risk management requirements. Even without a regulatory mandate, SOC 2 auditors expect evidence of vendor risk assessment as part of the Trust Services Criteria.

How long does a TPRM assessment take?

Traditional questionnaire-based assessments take 4-6 weeks per vendor, primarily due to vendor response times. Autonomous investigation platforms like ThirdProof complete the independent evidence layer — sanctions screening, cyber risk analysis, compliance verification, and adverse media checks across 22 intelligence sources — in under 2 minutes. This allows teams to assess their entire vendor portfolio in days rather than quarters.

Put this into practice

Investigate any vendor across 23 intelligence sources in under 2 minutes. Your first investigation is free.
