Third-party risk management (TPRM): a practical guide
Third-party risk management (TPRM) is how an organisation assesses and keeps an eye on the outside vendors it depends on, so that a supplier's weakness does not quietly become its own. It usually runs as a lifecycle: screen a vendor before onboarding, assess them with questionnaires and evidence, set the right contract terms, and then re-check them on a schedule.
What counts as a third party
A third party is anyone outside your organisation who touches your data, your systems, or your customers. That includes the obvious SaaS tools and data processors, but also contractors, payment providers, and outsourced support. It is worth thinking about fourth parties too: the vendors your vendors rely on, because their problems can still land on you.
Why TPRM matters
Outsourcing the work does not outsource the risk. If a supplier mishandles your customers' data, your customers and your regulators still look to you. A large share of breaches reach an organisation through one of its suppliers, which is why customers now run their own diligence on you, and why you, in turn, have to run it on the vendors you bring in.
The TPRM lifecycle
1. Inventory your third parties, so you actually know who has access to what.
2. Tier them by risk, based on the data they touch and how critical they are.
3. Run due diligence before onboarding, using questionnaires plus supporting evidence.
4. Put controls in the contract: a DPA, security terms, and breach-notification commitments.
5. Monitor continuously, rather than treating onboarding as a one-time check.
6. Reassess on a schedule that matches each vendor's risk tier.
7. Offboard cleanly: revoke access and confirm your data is returned or deleted.
What to assess
The depth should match the vendor's risk tier, but most assessments look at:
- Security controls: access, encryption, monitoring, and incident response.
- Data protection and privacy, including where data is stored and processed.
- Compliance and certifications, such as SOC 2 or ISO 27001.
- Financial stability and the risk of the vendor simply going away.
- Business continuity and disaster recovery.
- Sub-processors and other fourth-party dependencies.
Where questionnaires and evidence fit
A security questionnaire gathers a vendor's assertions: what they say they do. Evidence backs those assertions up: a SOC 2 report, an ISO certificate, a penetration-test summary, or a published policy. The assessor's real job is to reconcile the two, so a questionnaire without evidence, or evidence without context, only tells half the story.
If you are the vendor being assessed
Most teams sit on both sides of this: you assess your suppliers, and your customers assess you. On the answering side, a maintained, source-backed answer library turns each new assessment into reuse rather than a rewrite. Tools that draft from your own approved material and verify each answer before it goes out reduce both the effort and the risk of saying something you cannot stand behind.
Frequently asked questions
What does TPRM stand for?
TPRM stands for third-party risk management: the process of identifying, assessing, and monitoring the risks that come from the external vendors and suppliers an organisation relies on.
What is the difference between TPRM and a security questionnaire?
TPRM is the whole programme for managing vendor risk across its lifecycle, from onboarding to offboarding. A security questionnaire is one tool used within it, to gather a vendor's security assertions during due diligence and periodic reviews.
How often should third parties be reassessed?
It should be risk-based. Critical vendors and any that handle sensitive data are commonly reassessed annually, lower-risk vendors less often, and all of them on a material change such as a breach, an acquisition, or a major change in the service.
Do this in a fraction of the time
Diligio centralises your approved answers, drafts each response grounded in your sources, and independently verifies it before you review. RFPs, DDQs, and security questionnaires, answered from one knowledge base.