
Vendor / Third-Party Risk Management (TPRM)

SOC 2 · ISO 27001 · HIPAA · GLBA

Process for assessing, monitoring, and contracting security risk introduced by third parties.

Third-Party Risk Management (TPRM) is the lifecycle process for evaluating and monitoring security, privacy, and operational risk introduced by vendors. Typical artefacts: tiering matrix, due-diligence questionnaire (SIG, CAIQ), SOC 2/ISO 27001 review, ongoing monitoring, exit plan.

Why it matters
Target 2013 (Fazio Mechanical), MOVEit 2023 — supply-chain breaches are now responsible for the majority of large-loss incidents. Regulators expect a documented vendor lifecycle.

Related terms

SIG Questionnaire
Shared Assessments' standardised vendor security questionnaire (Core, Lite, custom).
CAIQ
Cloud Security Alliance's standardised cloud-provider security questionnaire (aligned to CCM).
Risk Assessment
Structured identification, analysis, and evaluation of risks to assets, processes, or data.

Does your program actually cover Vendor / Third-Party Risk Management (TPRM)?

Run a free ComplianceIQ audit against SOC 2 and we'll surface every gap on this — and the other controls auditors flag — with the exact clause references to fix.
