Setting up a third-party risk management program is a complex process that involves managing hundreds, or even thousands, of vendors across multiple continents and legal jurisdictions. Companies must address various third-party risks, including financial risks, cybersecurity exposures, legal actions, performance failures, and potential operational disruptions for each vendor or supplier. As organizations increasingly outsource significant portions of their workloads, building a comprehensive TPRM program has become more critical than ever.
While no single TPRM approach works for every organization, some commonly used frameworks provide a solid starting point. These include IT controls and supply chain cybersecurity frameworks from the National Institute of Standards and Technology (NIST) and the International Standards Organization (ISO), as well as frameworks aligned with other risk types like environmental, social, and governance (ESG). Third-party risk management policies guide organizations in building, applying, managing, and implementing best practices derived from these frameworks.
Third-party risk management frameworks offer a roadmap for organizations to build their TPRM programs based on industry-standard best practices. These frameworks can serve as the foundation for a TPRM program and provide baseline control requirements for third-party vendors and suppliers depending on the types of risks your organization deems important to assess.
TPRM frameworks generally fall into security and non-security categories:
Third-party risk is an increasingly crucial aspect of enterprise risk management. Companies today rely on a vast array of global suppliers and vendors, making them vulnerable to disruptions ranging from mild to severe. These disruptions can stem from bankruptcies, geopolitical events, or data breaches that affect third parties.
TPRM and information security frameworks provide valuable controls and guidance for organizations aiming to mitigate risks in third-party relationships. For instance, the Shared Assessments TPRM framework covers the entire vendor risk management lifecycle, offering a comprehensive guide to building a robust TPRM program.
Frameworks such as NIST 800-161, ISO 27036, and Shared Assessments provide a solid basis to develop a TPRM program. Information security frameworks like ISO 27001, NIST CSF, and NIST 800-37 guide the vendor risk assessment process and help create questionnaires that accurately assess a company's cybersecurity maturity.
Each framework may give your organization some control to comprehensively meet regulatory, risk management, and due diligence goals. Many organizations choose to work exclusively with NIST or ISO and draw from multiple frameworks and guidance documents from those organizations when developing their program. For example, an organization may base its supply chain risk management program on NIST 800-161 and draw on NIST 800-53 elements, NIST CSF v2.0, and NIST RMF to fully develop its program and vendor assessment approach. Consider your organizational needs and requirements before choosing a framework.
When implementing a third-party risk management framework, companies must examine the nature of the risk involved and deal with changing business, regulatory, and legal environments. Understanding organizational risks is the first step in choosing the proper framework for your company. These risk categories include (but may not be limited to):
TPRM isn’t just about ensuring that a partnership does not expose your organization to intolerable risk potential; it is also about rewarding vendors that reduce your organization's risks through their practices. That’s why selecting the correct TPRM framework and understanding its impact on your ecosystem of external vendors is essential. When you are choosing the frameworks to help build your TPRM program, consider the following:
Once you have identified the specific business problems you need to address, examine individual information security, supply chain, and non-cyber risk management frameworks. Shared Assessments, NIST 800-161, and ISO 27036 can provide specific examples of important SCRM and TPRM controls, while information security frameworks like NIST CSF can drive your third-party risk management processes.
Keeping Up With Changing Third-Party Risk Management Frameworks
Join our compliance experts in this on-demand webinar as they provide their best practices for staying on top of the ever-evolving world of third-party risk management compliance frameworks.
Shared Assessments has published a comprehensive set of TPRM best practices. This framework is designed to help organizations establish, monitor, optimize, and mature their TPRM program using a standardized set of controls. The framework is divided into two sections: fundamentals and processes. Fundamentals include four sections: introduction, basics, buy-in, and governance. Processes include eight families ranging from outsourcing analysis and due diligence to ongoing monitoring.
Shared Assessments is one of the few frameworks focused solely on third-party risk rather than broader topics such as supply chain risk management or organizational information security. However, a membership fee is required.
Shared Assessments publishes a standardized information-gathering questionnaire that enables organizations to conduct third-party risk assessments that are easily pre-mapped to standards like ISO, HIPAA, NIST, GDPR, and PCI DSS. It includes a management tool that lets you select predefined questions, an implementation checklist, and guidance on what documentation to request from third-party vendors. SIG is beneficial for organizations that are starting their TPRM programs.
NIST 800-161 is supplemental guidance to NIST 800-53 Rev 5 specifically focused on helping U.S. federal entities manage supply chain risks. Although geared towards federal entities, NIST 800-161 can also prove extremely useful for designing a TPRM or SCRM program for private sector organizations. NIST 800-161 divides the supply chain risk management process into four phases: frame, assess, respond, and recover. It includes 19 control families ranging from awareness training to system and service acquisition.
While supply chain risk management and third-party risk management differ, significant overlap exists. Taking guidance from NIST 800-161 could provide an excellent basis for building a competent TPRM program. NIST 800-161 benefits large, multinational organizations with complex supply chains and advanced SCRM needs.
NIST has also released a comprehensive risk management framework that enables companies in all sectors to integrate third-party risk management and information security management seamlessly. NIST 800-37 provides a solid foundation for managing risk across the enterprise, including those related to third and fourth parties. Section 2.8 of the NIST RMF is worth paying particular attention to when considering issues around supply chain risk. NIST 800-37 can be particularly useful when considering risk mitigation strategies for onboarding new third-party vendors.
When designing vendor questionnaires, the best practices outlined in the NIST Cybersecurity Framework can prove invaluable. This library of best practices provides a set of standards that gives all participants the same reference model when discussing problems. The NIST CSF is widely considered the gold standard for building a cybersecurity program. It can help you accurately measure a potential vendor's cyber risk profile as part of the assessment process. Building your vendor risk questionnaire based on controls found in NIST CSF can be particularly useful for organizations with strong data privacy or regulatory compliance concerns.
ISO 27001 & 27002
The ISO 27001 and 27002 standards set requirements for establishing, implementing, maintaining, and continually improving an information security management system. ISO requirements are much broader than purely third-party risk but include a significant section on managing supplier risk as part of a broader information security program. When designing your TPRM program, it is worth considering the ISO provisions that relate to third-party risk and the broader information security controls that could be applied to your vendor risk assessment process.
ISO 27036-2
If your organization has international third-party vendors and suppliers, leveraging the International Organization for Standardization processes specific to TPRM and information security may also be a good fit. ISO 27036-2 specifies fundamental information security requirements for defining, implementing, operating, monitoring, reviewing, maintaining, and improving supplier and acquirer relationships.
This standard is particularly relevant for third-party risk management as the requirements cover procurement and supply of products and services. Clauses 6 and 7 define fundamental and high-level information security requirements applicable to managing several supplier relationships at any point in that supplier relationship lifecycle. The standard includes professional physical risks such as security guards, cleaners, delivery services, equipment servicing, and more standard processes regarding cloud services, data domiciles, shared compliance processes, and requirements. ISO 27036-2 is designed to manage the entire business relationship lifecycle to include:
Align Your TPRM Program with ISO, NIST, SOC 2 and More
Download this guide to review specific requirements from 11 different cybersecurity authorities, identify TPRM capabilities that map to each requirement, and uncover best practices for ensuring compliance.
ESG frameworks guide organizations in disclosing data on their environmental impact, social practices, and governance structures by providing a standardized blueprint for measuring and reporting sustainability and ethical impact. Developed by entities like NGOs, governments, and business groups, these frameworks define the metrics to track, the reporting format, and the disclosure frequency. They are crucial for standardizing ESG reporting across your supply chain, enabling stakeholders such as investors, regulators, and consumers to assess and compare organizations' performance. While some frameworks offer voluntary flexibility, others are government-mandated, requiring strict compliance.
Carbon Disclosure Project (CDP)
The CDP is a benchmark framework focusing on environmental governance and policy, risks and opportunity management, and environmental targets. It offers detailed questionnaires on climate change, water, and forests, which accredited partners score. The CDP is particularly valuable for organizations looking to improve transparency and accountability in their environmental practices.
Global Reporting Initiative (GRI)
The GRI is one of the most widely used voluntary ESG frameworks. It provides comprehensive standards for reporting on economic, environmental, and social issues. The GRI’s modular structure allows organizations to choose the standards most relevant to their material topics, making it a flexible and widely applicable framework.
Corporate Sustainability Reporting Directive (CSRD)
The CSRD
is a regulatory framework developed by the European Union. It requires organizations to report on various sustainability topics, including environmental and social issues. The CSRD emphasizes double materiality, requiring companies to consider financial and societal impacts in their reporting. This framework is mandatory for organizations operating in the EU and is expected to impact thousands of companies worldwide.
Taking guidance from NIST, ISO, Shared Assessments, and other framework providers can help cut out much of the manual labor of designing your TPRM program. The NIST 800-161 and ISO 27036-2 frameworks can provide valuable information for commonly adopted controls in TPRM and SCRM programs. Other frameworks, such as NIST CSF, ISO 27001, and NIST 800-37, can be extremely helpful in designing your vendor risk assessment process, while CDP, GRI, and others focus on ESG reporting in your supply chain.
The Prevalent Third-Party Risk Management Platform simplifies the process of building an effective and streamlined TPRM program. It enables you to quickly gather information on vendor controls, including IT security, compliance, performance, contract adherence, business continuity, financial position, reputation, ethics, anti-bribery and corruption, ESG, diversity, and more. You can then correlate these findings with continuous monitoring insights to validate control effectiveness.
Prevalent helps automate and standardize vendor risk assessments using various frameworks and regulations while offering vendor risk monitoring and remediation management throughout the third-party risk life cycle. With pre-built workflows and questionnaires mapped to industry standards, the platform makes establishing and managing your TPRM program significantly faster and more cost-effective. Additionally, it provides on-demand access to complete, standardized risk reports on thousands of companies through its vendor intelligence networks.
Contact Prevalent for a free maturity assessment to determine how your current TPRM policies stack up, or request a demo of the Prevalent TPRM Platform today.
Third-Party Risk Management (TPRM) has advanced from being an annual checklist exercise to a critical daily...
10/07/2024
Effectively manage third-party cybersecurity incidents with a well-defined incident response plan.
09/24/2024
Learn how to leverage vendor risk assessment questionnaires for stronger third-party risk management, including a customizable...
09/18/2024