Vendor Risk Management

Third-Party Risk Management Best Practices for Enterprise

Kim Johnson | October 8, 2019

Companies are becoming increasingly reliant on third-party relationships, and cyber attacks originating in the systems of third parties are on the rise.

In this cyber risk landscape, any company with sensitive data and third-party connections should build, grow, and maintain a robust third-party risk management (TPRM) program.

Some industries (e.g. healthcare, financial services, utilities) are subject to strict TPRM regulations that vary by region. However, both regulated and unregulated businesses should strive for TPRM maturity in order to protect sensitive data and systems and prevent costly attacks.

In this post, we’ll go over best practices for TPRM at the enterprise level. 

What is third-party risk management?

Third-party risk management is the process of monitoring relationships with vendors and partners in order to assess and mitigate cybersecurity risk. 

TPRM programs involve a number of tools and approaches, and best practices will vary depending on the size of your business and the nature of your industry. However, there are key components of TPRM that every business should follow.

A great place to look for third-party risk management best practices is the National Institute of Standards and Technology’s “Framework for Improving Critical Infrastructure Cybersecurity,” commonly known as the NIST Cybersecurity Framework (CSF).

The NIST framework outlines voluntary standards and best practices for managing cyber risk, and many cybersecurity regulations and industry standards reference it.

NIST TPRM Best Practices Explained

The NIST framework treats third-party risk management as supply chain risk management (SCRM). The Supply Chain Risk Management category (ID.SC) under the framework’s Identify function lists five subcategories, ID.SC-1 through ID.SC-5. Here are the five subcategories, and what they mean in practice:

1. ID.SC-1: “Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders.”

This guideline concerns internal buy-in for TPRM. 

In order to build a successful TPRM program, Board members and executives need to be educated on the basics of TPRM so they understand the gravity of third-party risk and can make informed decisions concerning supply chain security. 

Additionally, there must be documented strategies for TPRM that apply to all relevant third parties and all departments. Cybersecurity is not solely an IT issue, and the entire organization contributes to a culture of cybersecurity.

2. ID.SC-2: “Suppliers and third party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber supply chain risk assessment process.”

In order to perform accurate risk assessments and establish objectives, you need to have an in-depth understanding of the cybersecurity performance of your vendors and partners. This guideline can be broken down into three steps: identify, prioritize, and assess.

Identify — First you have to know who your third parties are. Don’t rely on procurement’s vendor list alone; suppliers may have come in through “shadow IT” or other undocumented mechanisms. Build an exhaustive inventory of every third-party connection to your business, including network connections, integrations, and data shares.

Prioritize — Once you’ve compiled a list of your third parties, you’ll need to document what data they have access to, how sensitive that data is, and what level of access they have (for example, read-only access to reports versus network or administrative access to production systems). This information will help you decide how to allocate your TPRM resources, with the riskiest vendors getting the most attention.

Assess — Determine your third parties’ cybersecurity performance using a combination of questionnaires, penetration tests (performed with the vendor’s written authorization), on-site visits, and security ratings. Security ratings are a data-driven, dynamic measurement of an organization’s cybersecurity performance (like credit ratings for cybersecurity) that are quickly becoming part of standard TPRM procedure.

3. ID.SC-3: “Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of an organization’s cybersecurity program.”

TPRM is not an after-the-fact exercise. Procurement should rely on the organization’s established cybersecurity objectives when onboarding new suppliers. If a prospective vendor cannot meet minimum security requirements, they pose too much risk and are not a good fit. 

Furthermore, third-party security should be a contractual obligation. When onboarding a vendor, use quantifiable measurements like security ratings to create an enforceable standard of cybersecurity performance.

4. ID.SC-4: “Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations.”

We’ve already discussed assessments, but the operative word in this best practice is routinely. An initial assessment is not enough to prove that a vendor is secure, so third parties need to undergo frequent evaluation.

Traditionally, companies have used questionnaires to perform these routine checkups, but these can only provide point-in-time snapshots of cyber risk. As new threats emerge and third-party security performance changes, you need additional assessments to fill in the gaps. Continuous monitoring technology like security ratings can help you ensure that these obligations are being met.

5. ID.SC-5: “Response and recovery planning and testing are conducted with suppliers and third-party providers.”

Third-party risk can’t be resolved by the enterprise alone — suppliers have their role to play as well. TPRM should be a collaborative effort, and enterprises and third parties must work together to optimize security and prepare for recovery in the event of a breach.



Improving cybersecurity is a gradual process, and it takes time, effort, and planning. TPRM in particular is not all-or-nothing — it’s incremental. If you use these best practices as a goal and work toward them, you can mitigate risk and improve your organization’s overall security posture over time.


Security ratings are a great first step on the road to TPRM maturity. Learn how you can take a more confident approach toward managing third-party risk.
