Third-Party Risk Management Frameworks: An Overview

Shared Assessments Frameworks

Shared Assessments TPRM Framework

Shared Assessments has published a comprehensive set of TPRM best practices. This framework is designed to help organizations establish, monitor, optimize and mature their TPRM program using a standardized set of controls. The framework is divided into two sections: fundamentals and processes. Fundamentals include four sections; introduction, basics, buy-in, and governance. Processes include 8 families ranging from outsourcing analysis and due diligence to ongoing monitoring.

Shared Assessments is one of the few frameworks that is focused solely on third-party risk rather than on broader topics such as supply chain risk management or organizational information security. However, it does have the drawback that accessing the framework requires a membership fee, which can price some organizations out of using it.

Shared Assessments Standardized Information Gathering Questionnaire (SIG)

Shared Assessments also publishes a standardized information gathering questionnaire that can enable organizations to easily employ a standardized third-party risk assessment that is pre-mapped to other standards such as ISO, HIPAA, NIST, GDPR and PCI DSS. It also includes a management tool that can enable you to draw from a predefined set of questions, an implementation checklist, and guidance on what documentation to request from third-party vendors. SIG can be particularly useful for organizations that are just beginning their TPRM program.

NIST Third-Party Risk Management Frameworks

NIST Supply Chain Risk Management Framework (NIST 800-161)

NIST 800-161 is supplemental guidance to NIST 800-53 Rev 5 specifically focused on helping federal entities manage supply chain risks. Although geared towards federal entities, NIST SCRM can also prove extremely useful for designing a TPRM or SCRM program for private sector organizations. NIST 800-161 divides the supply chain risk management process into four phases: frame, assess, respond, and recover. It includes 19 control families ranging from awareness training to system and service acquisition.

While supply chain risk management and third-party risk management are not precisely the same, there is a great deal of overlap. Taking guidance from NIST 800-161 could provide an excellent basis for building a competent TPRM program. NIST 800-161 might prove particularly useful for large, multinational organizations with complex supply chains and advanced SCRM needs.

NIST Risk Management Framework (RMF) 800-37 Revision 2

NIST has also released a comprehensive risk management framework that enables companies in all sectors to integrate third-party risk management and information security management seamlessly. NIST 800-37 provides a solid foundation for managing risk across the enterprise, including those related to third and fourth parties. Section 2.8 of the NIST RMF is worth paying particular attention to when considering issues around supply chain risk. NIST 800-37 can be particularly useful when considering risk mitigation strategies for onboarding new third-party vendors.

NIST Cybersecurity Framework (CSF) v2.0

When designing vendor questionnaires, the best practices outlined in the NIST Cybersecurity Framework can prove invaluable. This library of best practices provides a set of standards that gives all participants the same reference model when discussing problems. The NIST CSF is widely considered the gold standard for building a cybersecurity program and can help you accurately measure a potential vendor's cyber risk profile as part of the assessment process. Building your vendor risk questionnaire based on controls found in NIST CSF can be particularly useful for organizations that have strong data privacy or regulatory compliance concerns.

ISO TPRM Frameworks

ISO 27001, 27002 and 27018

The ISO 27001, 27002, and 27018 standards set requirements for establishing, implementing, maintaining, and continually improving an information security management system. ISO requirements are much broader than purely third-party risk but do include a significant section on how to manage supplier risk as part of a broader information security program. When designing your TPRM program, it is worth considering not only the ISO provisions that relate to third-party risk, but also the broader information security controls that could be applied to your vendor risk assessment process.

ISO 27036

If your organization has third-party vendors and customers internationally, it may also be fitting to leverage the International Standards Organization processes specific to TPRM and information security. The ISO 27036 series has undergone multiple revisions and is currently under revision for alignment with other ISO standards. The ISO 27036 series is focused on information risks regarding the acquisition of goods and services from suppliers. The standard includes professional physical risks such as security guards, cleaners, delivery services, and equipment servicing, and more standard processes regarding the use of cloud services, data domiciles, shared compliance processes, and requirements. It can also be integrated with ISO 27036 processes to provide a more holistic cybersecurity standard.

ISO 27036 is designed to manage the entire business relationship lifecycle to include:

• Initiation - scoping, business case/cost-benefit analysis, comparison of insourcing versus outsource options as well as a variant or hybrid approaches such as co-sourcing

• Definition of requirements including the information security requirements

• Procurement including selecting, evaluating, and contracting with supplier/s

• Transition to or implementation of the supply arrangements, with enhanced risks around the implementation period

• Operation including aspects such as routine relationship management, compliance, incident and change management, monitoring

• Refresh - an optional stage to renew the contract, perhaps reviewing the terms and conditions, performance, issues, working processes

• Termination and exit

Closing Thoughts on TPRM Frameworks

Taking guidance from NIST, ISO, Shared Assessments, and other framework providers can help cut out much of the manual labor of designing your TPRM program. Frameworks such as NIST 800-161 and ISO 27036 can provide valuable information for commonly adopted controls in TPRM and SCRM programs. Other frameworks such as NIST CSF, ISO 27001, and NIST 800-37 can be extremely helpful in designing your vendor risk assessment process.

Prevalent’s third-party risk management software makes it easy to build an effective and streamlined TPRM program. With Prevalent, you can easily gather and correlate intelligence on a wide range of vendor controls, including IT security, compliance, performance, contract adherence, business continuity, financial position, reputation, ethics, anti-bribery & corruption, ESG, diversity and more. The Prevalent TPRM platform is a cloud-based solution that offers automated, standardized vendor risk assessments from many of the frameworks and regulations mentioned in this post, combined with vendor risk monitoring and remediation management across the entire vendor life cycle. Prevalent’s TPRM platform offers pre-built workflows and questionnaires mapped to industry standards, making establishing and managing your TPRM program dramatically faster and less expensive than trying to do it yourself. The platform is complemented by vendor intelligence networks offering on-demand access to completed, standardized risk reports on thousands of companies. Our solutions are backed by expert professional services and managed services to help you optimize and mature your TPRM program.

Next Steps

Wondering how to evolve your TPRM program? Start with a free Third-Party Risk Program Maturity Assessment. It's built on Prevalent’s proven model with more than 15 years of experience serving hundreds of customers. After completing a 45-question survey, you'll have a one-hour consulting session with Prevalent experts and walk away with an in-depth report on the state of your current TPRM program, plus practical recommendations for how to bring it to the next level.