Third-Party Risk Management (TPRM)
A third party is a person or organization, external to your organization, that provides it with goods or services. Third-party risk, following the general definition of risk, can be described as “an expression of the combination of the probability of an event and its consequence.”

An independent survey of information technology and security managers, directors, and executives found that “63 percent of all data breaches [are] linked directly or indirectly to third-party access”.


According to Gartner, “More than 80% of legal and compliance leaders say that third-party risks were identified after initial onboarding and due diligence. Traditional due diligence methods in risk management policy fail to capture new and evolving risks”.


Considering the above data, a structured approach to identifying, managing, and mitigating risks arising from third parties is essential.


Key components of TPRM:


Data - collection, cleaning, organization, validation, and analysis of third-party information

People - the people in the organization who perform risk management, review, monitoring, and training

Governance - management oversight, alignment with operational and business risks, and communication

Process and tools - policies and procedures, risk management, reporting, metrics, and technology solutions


Five steps that will help in reducing risk:


·         Identify - The first step is to understand the third-party ecosystem: inventory every third party and identify the risks associated with each relationship.

·         Classify - Using a risk-based approach, classify third parties by the sensitivity of the data they handle, the level of system access they hold, and the criticality of the service they provide.

·         Assess - Assess the security posture of each third party in proportion to its classification.

·         Manage risk - Implement and monitor appropriate controls for mitigating the third-party risks that were identified and classified.

·         Monitor - The final step is to continuously monitor third parties to ensure they are meeting their contractual and security obligations.


Third-party risk management should balance business priorities with security objectives. Third-party risk assessment should be carried out throughout the vendor management lifecycle, not only at onboarding, since risks emerge and change after the initial due diligence.


The two most common TPRM assurance instruments are SOC 2 Type 2 reports and ISO/IEC 27001 certification audits. In both cases an independent auditor evaluates the internal controls to see how well a company identifies, assesses, mitigates, and monitors risks. They differ in what they give the reader: an ISO 27001 certificate attests that the vendor's information security management system conforms to the standard, but the certificate itself does not disclose the auditor's detailed findings, whereas a SOC 2 Type 2 report describes the controls, tests their operating effectiveness over a review period (typically six to twelve months), and records the test results and any exceptions. In the context of third-party risk management (TPRM), a SOC 2 Type 2 report can therefore provide better assurance than an ISO 27001 certificate alone that your critical vendors are following best practices to protect your data. When reviewing a SOC 2 report, check the system description and scope, which Trust Services Criteria were covered, the exceptions noted by the auditor, and the complementary user entity controls that the vendor expects you, the customer, to operate.


How can Accedere help?


Accedere is a global provider of assurance services for cybersecurity compliance. Accedere is a Colorado CPA firm registered with the PCAOB, with a focus on cloud security and privacy, and is listed as an auditor with the Cloud Security Alliance (CSA) for its STAR program. Accedere is also an ISO/IEC certification body. Accedere helps clients evaluate their cyber governance maturity, as cyber risk is among the biggest risks of doing business today.


Accedere has audited multiple organizations, both large enterprises and SMBs, in the cloud space for the past several years and has exceptional capabilities in this space. Accedere helps organizations achieve CSA STAR Level 2 compliance. Accedere also performs end-to-end cloud supply chain assessments, covering container security.


The cyber assurance business is led by Ashwin Chaudhary, who holds an MBA and CPA and is certified in CCSK, CISSP, CISA, CISM, CRISC, CGEIT, and ISO 27001 LA. For more details on how we can help, please contact us at