Third-party risk management (TPRM) identifies, assesses, and controls risks introduced by vendors, suppliers, contractors, and partners who access an organization’s systems or data. Organizations cannot outsource accountability: a vendor breach that exposes customer data is still the organization’s problem from a regulatory and reputational standpoint.
Effective TPRM programs assess vendor security posture before onboarding through questionnaires, audits, and certifications like SOC 2 reports. They establish contractual security requirements and monitor vendor security continuously, not just at contract signing.
CISSP Relevance
Third-party risk management is covered in Domain 1 (Security and Risk Management). CISSP candidates must understand vendor assessment processes, contractual security requirements, supply chain risk considerations, and how third-party risk fits into the broader enterprise risk management program.
External reference: NIST SP 800-161 Cybersecurity Supply Chain Risk Management
Related terms: Supply Chain Attack, Risk Management