
Third-Party Risk Management Program: A Practitioner's Guide

Sources: Ponemon Institute Third-Party Risk Report 2025 | Gartner IT Vendor Risk Management Guide 2025 | NIST SP 800-161r1 Cybersecurity Supply Chain Risk Management | SEC Cybersecurity Rule Third-Party Disclosure Guidance | ISA/IEC 62443 Supply Chain Security Standards

61% of data breaches involve a third-party vendor, per Ponemon 2025
98% of organizations that experienced a breach in 2024 had a third-party connection to the breached environment
4x increase in fourth-party (vendor-of-vendor) breaches between 2022 and 2025

Third-party risk management began as a compliance exercise: collect a questionnaire, file it, repeat annually. That model fails against a threat landscape where attackers specifically target vendors with privileged access to multiple enterprise customers. The SolarWinds, Kaseya, MOVEit, and Change Healthcare breaches all exploited trusted third-party relationships. A mature TPRM program treats vendor risk as a continuous operational discipline, not a paper exercise.

Vendor Tiering: Not All Third Parties Are Equal

The first structural decision in any TPRM program is tiering. Applying the same due diligence to a software vendor with admin access to your production environment and a catering company creates unsustainable workload with no security benefit. Define tiers by risk factors:

Tier 1 (Critical)

Vendors with privileged access to systems containing sensitive data, vendors that process regulated data (PCI, PHI, PII), vendors whose outage would halt business operations, and vendors with broad network connectivity into your environment. Examples: cloud providers, payroll processors, identity providers, EDR vendors. Required controls: full security assessment, annual on-site or detailed remote audit, contractual security requirements, and continuous monitoring.

Tier 2 (High)

Vendors with limited access to sensitive systems, SaaS vendors used by most employees, and vendors providing business-critical but not operationally essential services. Required controls: standard security questionnaire, annual review, and contract clauses for breach notification.

Tier 3 (Standard)

Vendors with no access to sensitive data or critical systems. Examples: office supplies, marketing agencies with no data access. Required controls: basic vendor registration, minimal questionnaire, and periodic review.

Security Questionnaires: What Works and What Does Not

Security questionnaires (SIG, CAIQ, custom questionnaires) are the most common TPRM tool and the most criticized. Problems: they are self-reported (vendors answer what they believe or want you to believe), they are point-in-time (security posture changes continuously), they create vendor fatigue (large vendors receive hundreds of questionnaires annually), and they rarely detect actual vulnerabilities. What questionnaires do well: establishing a documented baseline of vendor security policies, satisfying compliance requirements that mandate vendor assessments, and providing contractual evidence that you performed due diligence. Best practice: use industry-standard questionnaires (Shared Assessments SIG) rather than custom questionnaires. For Tier 1 vendors, supplement questionnaires with evidence review: ask for SOC 2 Type II reports, penetration test summaries, and independent security certifications rather than relying solely on self-reported answers.


Contract Controls

Security requirements that are not contractual are requests, not requirements. Every Tier 1 and Tier 2 vendor contract should include:

Breach notification timeline

Require notification within 72 hours of detecting a breach affecting your data. This aligns with GDPR requirements and gives you time to assess impact before regulatory deadlines.

Right to audit

Reserve the right to audit the vendor's security controls annually or upon reasonable notice. For Tier 1 vendors, exercise this right. For others, accept SOC 2 Type II in lieu of direct audit.

Subcontractor approval

Require written approval before the vendor engages a subcontractor with access to your data. This controls fourth-party risk.

Data handling and deletion

Specify how your data is stored, encrypted, and deleted at contract termination. Require written confirmation of deletion within 30 days.

Security standards compliance

Require the vendor to maintain specific certifications (ISO 27001, SOC 2 Type II, PCI DSS where applicable) throughout the contract term.

Vulnerability disclosure

Require the vendor to notify you of critical vulnerabilities in products you use within 24 hours of discovery, even if a patch is not yet available.

Continuous Monitoring

Annual questionnaires cannot detect the SolarWinds supply chain compromise that infected customers for nine months before discovery. Continuous monitoring uses external signals to track vendor security posture between formal assessments:

Attack surface monitoring

Tools like BitSight, SecurityScorecard, and RiskRecon continuously scan vendors' external-facing infrastructure for vulnerabilities, exposed credentials, misconfigured services, and dark web mentions. Scores change in real time as the vendor's posture changes.

Dark web monitoring

Monitor for your vendors' credentials appearing in breach databases or being sold on criminal forums. A Tier 1 vendor with admin credentials on dark web markets is an emergency, not an annual review item.

Typosquatting and phishing domain monitoring

Track registration of domains impersonating your key vendors. Attackers who want to conduct spearphishing via vendor impersonation register these domains in advance.

Software dependency monitoring

For software vendors, track their open-source dependencies via SBOM analysis. A vendor whose product depends on a vulnerable library may expose you before they patch.
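As an added example (not part of the original guide), the script below shows the dependency check described above: it parses a vendor-supplied CycloneDX SBOM and flags every component whose shipped version predates the first fixed version listed in an advisory feed. The SBOM, supplier, package names, versions and advisory IDs are all constructed for this example; in a real program the ADVISORIES table would be populated from a feed such as OSV.

```python
import json
import re

# Constructed CycloneDX 1.4-style SBOM from a hypothetical Tier 1 vendor (all made up).
VENDOR_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "metadata": {"component": {"name": "sync-agent", "version": "4.2.0",
                               "supplier": {"name": "ExampleVendor"}}},
    "components": [
        {"type": "library", "name": "xmlkit", "version": "1.4.2",
         "purl": "pkg:npm/xmlkit@1.4.2"},
        {"type": "library", "name": "fastjson-lite", "version": "3.0.1",
         "purl": "pkg:maven/org.example/fastjson-lite@3.0.1?type=jar"},
    ],
})

# Constructed advisory feed: package (purl minus version) -> (first fixed version, placeholder id).
ADVISORIES = {
    "pkg:npm/xmlkit": ("1.4.5", "ADV-PLACEHOLDER-001"),
    "pkg:maven/org.example/fastjson-lite": ("3.0.0", "ADV-PLACEHOLDER-002"),
}

def version_key(version):  # numeric tuple for ordering; "rc1"/"beta" segments count as 0
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-+]", version))

def split_purl(purl):
    """Return (package identity, version); purl qualifiers (?..) and subpath (#..) are dropped."""
    base = purl.split("?", 1)[0].split("#", 1)[0]
    name, sep, version = base.rpartition("@")
    return (name, version) if sep else (base, "")

def find_exposures(sbom_json, advisories):
    """List components whose shipped version predates the first fixed version."""
    bom = json.loads(sbom_json)
    vendor = bom["metadata"]["component"]["supplier"]["name"]
    hits = []
    for comp in bom.get("components", []):
        pkg, version = split_purl(comp.get("purl", ""))
        if pkg in advisories and version:
            fixed, adv_id = advisories[pkg]
            if version_key(version) < version_key(fixed):
                hits.append({"vendor": vendor, "package": pkg, "version": version,
                             "fixed_in": fixed, "advisory": adv_id})
    return hits

if __name__ == "__main__":
    for h in find_exposures(VENDOR_SBOM, ADVISORIES):
        print(f"{h['vendor']}: {h['package']}@{h['version']} hit by {h['advisory']}, fixed in {h['fixed_in']}")
```

The second component carries a purl qualifier and a version at or above the fix, so only the first is reported; running this against each new SBOM a vendor ships turns the "track their dependencies" advice into a repeatable check.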

Fourth-Party Risk

Fourth-party risk is the risk from your vendors' vendors. The MOVEit breach affected organizations that had no direct relationship with Progress Software because their vendors used MOVEit for file transfer. Managing fourth-party risk requires: mapping critical vendors' major subcontractors (request this in your TPRM questionnaire), monitoring security news for breaches at significant cloud providers and software vendors that your Tier 1 vendors use, and including fourth-party risk in your incident response planning so you know how to assess impact when a major provider like AWS, Azure, or a SaaS infrastructure vendor has a security event.

Scaling TPRM Without Spreadsheets

TPRM programs that live in spreadsheets do not scale past 50 to 100 vendors. TPRM platforms provide workflow automation for questionnaire distribution and response tracking, centralized vendor risk scoring, integration with external security ratings (BitSight, SecurityScorecard), contract and documentation storage, and audit trail generation for compliance. Leading platforms include OneTrust Third-Party Risk, ProcessUnity, Prevalent, Archer, and ServiceNow VRM. For smaller programs, consider starting with a purpose-built GRC tool (Vanta, Drata, Tugboat Logic) that includes vendor risk modules alongside your SOC 2 compliance automation.

The bottom line

TPRM maturity is measured by how quickly you can answer: which of my vendors had a breach this week, and what is my exposure? Annual questionnaires cannot answer that question. Continuous monitoring for Tier 1 vendors, combined with contractual notification requirements, closes the gap between annual reviews and real-time risk awareness.

Frequently asked questions

How do I build a vendor inventory when I don't know all my vendors?

Start with three sources: accounts payable (every vendor you pay), IT asset management (every SaaS application licensed), and your cloud environment (every third-party service integrated via API). Shadow IT discovery tools (Netskope, Zscaler, Microsoft Defender for Cloud Apps) identify unsanctioned SaaS applications in use. Combine these sources into a master vendor register. Most organizations discover 30 to 50 percent more vendors than they expected during this process.

What is the difference between a SOC 2 Type I and Type II report?

SOC 2 Type I assesses whether a vendor's security controls are suitably designed at a specific point in time. Type II assesses whether those controls operated effectively over a period (typically 6 to 12 months). For TPRM purposes, always request SOC 2 Type II reports: Type I is a design review, not an operational validation. Check the report date: a SOC 2 Type II report more than 12 months old should trigger an updated assessment request.

How many vendors should be in Tier 1?

Tier 1 should be small enough to manage with the rigorous controls it requires. Most organizations can sustainably manage 20 to 50 Tier 1 vendors with dedicated TPRM staff. If you have 200 vendors in Tier 1, you either have genuine Tier 1 exposure at that scale (large enterprises with many critical integrations) or your tiering criteria are too broad. Narrow Tier 1 to vendors with actual privileged access or regulated data processing.

What should I do when a vendor refuses to complete a security questionnaire?

Large vendors (AWS, Microsoft, Salesforce, Workday) often refuse custom questionnaires and instead provide standard security documentation: SOC 2 Type II reports, ISO 27001 certificates, penetration test summaries, and security whitepapers. Accept these in lieu of questionnaire completion for established vendors with credible certifications. For smaller vendors who refuse any assessment: document the refusal, escalate to procurement, and if the vendor relationship is Tier 1, consider the refusal itself a risk indicator that affects your risk rating.

How does TPRM relate to software supply chain security?

TPRM covers the broader vendor relationship including contractual, operational, and financial risk. Software supply chain security is a specific subset focused on the integrity of software your vendors deliver: whether their build pipelines are compromised, whether their open-source dependencies have vulnerabilities, and whether their software packages could deliver malicious code to your environment. SolarWinds demonstrated that TPRM questionnaires did not detect supply chain compromise. Supplement TPRM with software supply chain controls: SBOM requirements, binary integrity verification, and monitoring of vendor software update channels.

What regulations require a TPRM program?

Multiple regulations mandate vendor risk management programs: DORA (EU Digital Operational Resilience Act) requires financial entities to maintain detailed registers of ICT third-party providers and conduct risk assessments. HIPAA requires Business Associate Agreements (BAAs) and security assessments of PHI processors. PCI DSS 4.0 requires assessments of service providers in scope for cardholder data. SEC cybersecurity rules require public companies to disclose material risks from third-party relationships. NIST CSF 2.0 includes supply chain risk management as a core governance function.



Author: Eric Bang

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals weekly.
