TPRM refers to third-party risk management and is sometimes used interchangeably with vendor risk management. It is the set of practices that organizations employ to reduce the likelihood and impact of cybersecurity events that may result from using outsourced service providers. Service providers include vendors, suppliers, partners, and contractors, not only those one layer removed but every tier up and down an organization's supply chain.
As cyber threats evolve, maintaining a solid TPRM program is essential. Companies don't want to become the next SolarWinds or Kaseya. Understanding the threat landscape not only allows an organization to implement appropriate mitigating controls but also sheds light on what it should expect from its suppliers and vendors. Knowing the risks helps organizations decide, for each one, whether to transfer, mitigate, or accept it.
Third-party risks generally fall into the following categories:
There are a handful of challenges inherent in any third-party risk management program. The most obvious is that the threat landscape is constantly changing. Managing third-party risk can be labor-intensive, and many organizations lack the resources and knowledge to address it. Adding to these challenges are the numerous compliance requirements that organizations may need to follow, such as SOC 2, HIPAA, or NIST. Many organizations rely on so many vendors and third parties that evaluating them can become a full-time job.
There are a handful of items to consider when designing and operating a third-party risk management program. Thoughtful responses to these topics will set organizations up for success.
ISO 27001 devotes an entire section to defining, addressing, and managing information security within supplier agreements. The objective of these controls is to identify cybersecurity practices that are in place to prevent an impact on the confidentiality, integrity, and availability of data.
ISO 27001 requires the following:
Learn more about Controls by reading our "What (the bleep) is a Control?" blog post.
Strike Graph helps companies build a simple, reliable and effective compliance program so that they can get their security certifications quickly, build trust with customers, and focus attention on revenue and sales.
© 2022 Strike Graph, Inc. All Rights Reserved