A Third-Party risk assessment is a critical component of a Third-Party Risk Management program. Without understanding how to properly execute these assessments, the efficiency of your TPRM program will remain limited.
This post provides a detailed six-step guide for performing third-party risk assessments in cybersecurity.
Where does a third-party risk assessment fit in the TPRM lifecycle?
Third-party risk assessments uncover potential security risks from third-party vendors and external parties. This critical requirement continues throughout the entire TPRM lifecycle, with varying applicability across its three primary stages:
- Vendor Onboarding: A high-level third-party risk assessment is conducted at the onboarding stage, with the primary objective of determining whether a new vendor’s risk profile fits within the company’s defined third-party risk appetite.
- Ongoing Monitoring: Once onboarded, third-party vendors undergo periodic vendor risk assessments to track regulatory compliance efforts and ensure new risks are promptly detected and managed throughout each vendor lifecycle. Critical vendors, those processing highly sensitive internal data, undergo the most detailed degree of vendor assessments during the ongoing monitoring phase.
- Offboarding: Third-party risk assessments uncover residual supplier risks of terminating vendor relationships. They are also helpful for finding new cyber risks when renewing
Learn how UpGuard streamlines vendor risk assesments >
Critical third-party vendors must be prioritized in risk assessment programs since their potential cybersecurity risks are more likely to be exploited in cyber attacks.
Full risk assessment vs. partial risk assessment
The scope of a third-party risk assessment depends on the level of criticality of the third-party vendor being investigated. For example, third parties requiring access to sensitive data or those integral to supporting your promised service levels to clients must undergo a higher degree of attack vector investigation.
Such third-party vendors (classified as “Critical” or “High-Risk” in a Vendor Risk Management program) require a full risk assessment, one involving security questionnaires mapping to applicable cybersecurity standards.
For all remaining third-party vendors not requiring access to sensitive regions of your IT ecosystem - those classified as “low-risk” - ongoing monitoring of automated attack surface scanning results will likely be a sufficient form of a risk assessment, also known as a partial risk assessment.
Full risk assessments apply to high-risk vendors and involve security questionnaires. Partial risk assessments apply to low-risk vendors with a degree of risk exposure that can be sufficiently tracked with automated risk scanning results.
Difference between a third-party risk assessment and a security questionnaire
A third-party risk assessment comprehensively evaluates the potential risks associated with each third-party vendor. Multiple data sources are referenced to form a complete picture of a vendor’s risk profile through a risk assessment.
A third-party risk assessment gathers risk insights across the following risk categories:
- Operational Risk: The level of risk a third-party vendor poses to the availability of an organization’s operations.
- Cybersecurity Risk: Any third-party risk impacting the safety and integrity of an organization’s sensitive data.
- Compliance Risk: Vendor-related risks threatening alignment with regulatory standards.
- Financial Risk: Risks originating from vendors that could result in financial issues. These could stem from third-party operational risks and even data breach risks, which could have significant financial consequences—an impact that could be estimated through a process known as Cyber Risk Quantification.
- Reputational Risk: Any threats of reputational damage due to vendor behavior, such as questionable leadership decisions and data breaches.
- Geographic Risk: Any risks associated with a vendor’s location or the location of their data servers.
Security questionnaires are a specific tool within the risk assessment process. They are used to create a gap analysis between a vendor’s security posture and any regulatory requirements or cybersecurity frameworks they need to align with.
Some popular industry standards security questionnaires could map to include:
- NIST Cyber Security Framework (NIST CSF)
- Payment Card Industry Data Security Standard (PCI DSS)
- General Data Protection Regulation (GDPR)
- Sarbanes-Oxley Act (SOX)
- Federal Information Security Management Act (FISMA)
- California Consumer Privacy Act (CCPA)
For more questionnaire template examples, see the list of questionnaires available on the UpGuard platform.
Third-party risk assessments are broad and comprehensive, covering multiple dimensions of risk. Security questionnaires collect information about specific security practices and regulatory compliance efforts.
6-step guide to completing third-party risk assessments
The following six-step guide will help you design the most comprehensive third-party risk assessment process.
Step 1: Identify your “critical” third-party vendors
Every third-party risk assessment process must prioritize critical third-party vendors. Ideally, these vendors should have been already flagged as critical during onboarding.
If you haven’t yet segregated your critical third-party vendors, there are two primary methods of identifying them: relationship questionnaires and superficial attack surface scanning. Both methods encompass the risk assessment process undertaken during the onboarding stage of the TPRM workflow.
Relationshp questionnarie
A relationship questionnaire gathers high-level intelligence about a vendor’s services, data security, and data handling practices.
Here’s a very simplified example of some of the information a relationship questionnaire could cover:
- Vendor Name: ______________________
- Description of Services Provided:: ______________________
- Types of Data Accessed:
- Customer Data [ ]
- Financial Data [ ]
- Health Information [ ]
- Intellectual Property [ ]
- Operational Criticality:
- High [ ]
- Medium [ ]
- Low [ ]
- Regulatory Compliance Requirements
- GDPR [ ]
- HIPAA [ ]
- PCI-DSS [ ]
- History of Data Breaches or Security Incidents:
- No [ ]
- Yes [ ]
- If Yes, please provide details: ______________________
Superficial attack surface scanning
Superficial attack surface scanning, performed during due diligence and onboarding, uncovers likely security risks associated with all domains in a vendor’s attack surface.
This practice is the first stage of a complete cybersecurity discipline known as Attack Surface Management.
Watch this video for an overview of Attack Surface Management:
Additional due diligence data gathering
Collectively, the data gathered through relationship questionnaires and superficial scanning results should provide a minimal level of risk exposure data required to decide which third-party vendor should be flagged as “Critical” and prioritized in risk assessment processes. However, this evidence-gathering process can be improved in terms of efficiency and depth of detail with a tool such as Trust Exchange by UpGuard.
Trust Exchange is a free tool supporting the seamless exchange of third-party security posture data between vendors and their business partners to simplify and expedite third-party risk assessments.
Watch this video for an overview of Trust Exchange.
Get started with Trust Exchange for free >
Example of a completed evidence-gathering process
The following is an example of the type of data that could be collected during the evidence-gathering process.
Not all data collection categories in this list are applicable to all TPRM use cases.
Vendor: XYZ Solutions
- Documentation collected:some text
- SOC 2 Type II Report
- ISO 27001 Certification
- Latest Financial Audit Report
- Vendor’s Security Policies and Procedures
- Security scan:some text
- Vulnerability scan revealed outdated software versions on several servers.
- Questionnaire responses:some text
- Detailed responses to a PCI DSS compliance questionnaire highlighted strong encryption practices but noted a lack of regular employee security training.
- Historical Data Review:some text
- No significant data breaches reported in the past three years.
- A compliance issue was noted two years ago but has since been resolved.
- Stakeholder interviews:some text
- Vendor’s CISO emphasized ongoing efforts to enhance security training programs.
- Internal stakeholders expressed satisfaction with the vendor’s responsiveness and incident handling.
- On-Site Visit:some text
- Observed robust physical security controls, including access controls and surveillance systems in server rooms.
- Noted that some employees were not following documented security procedures, indicating a need for improved internal enforcement.
Step 2: Separate "critical” vendors
Critical third-party vendors should be grouped in a separate category in your Vendor Risk Management platform through a vendor tiering principle.
Vendor tiering is a strategic approach to managing third-party vendors by segregating vendors into distinct tiers of risk. While risk tiering principles are primarily a function of a vendor’s level of access to your sensitive data and their likelyhood of suffering a data breach, they could also be based on third-party relationship importance. For example, vendors critical to supporting your SLAs could be assigned to a high-criticality tier.
Vendor tiering optimizes the allocation of TPRM resources, focusing efforts on where they have the greatest impact - on high-risk vendors with the greatest influence on your security posture.
As a minimum, a vendor tiering structure should consist of three levels:
- Tier 1 (Critical Vendors): Third-party vendors with the highest potential impact on your organization and the greatest operational importance. These vendors require the most rigorous monitoring and risk management processes.
- Tier 2 (Important Vendors): Third-party vendors that are important but not critical. They pose moderate risks and require regular oversight.
- Tier 3 (Low-Risk Vendors): Third-party vendors with minimal impact and low risk. They require basic monitoring and periodic reviews.
Determining tiering levels requires a methodology for estimating risk impact. For support with this effort, refer to this post explaining vendor risk assessment matrices.
Here’s an example 4-stage framework governing a vendor tiering strategy:
- Access to Sensitive Data: Does the vendor have access to personal, financial, or proprietary data?
- Business Continuity Impact: How critical is the vendor’s service to the continuity of your operations?
- Regulatory Compliance: Is the vendor subject to stringent regulatory requirements (e.g., GDPR, HIPAA)?
- Financial Stability: What is the financial health of the vendor?
Here is an example of a completed vendor tiering strategy, with overviews explaining the reasons for each tiering decision.
- Tier 1 (Critical Vendors):some text
- Vendor A: Handles sensitive financial data, which is crucial for payment processing. Subject to PCI DSS.
- Vendor B: Provides critical IT infrastructure services. Significant impact on business continuity.
- Tier 2 (Important Vendors):some text
- Vendor C: Provides marketing services with access to non-sensitive customer data. Subject to GDPR.
- Vendor D: Supplies office equipment. Moderate impact on operations.
- Tier 3 (Low-Risk Vendors):some text
- Vendor E: Provides janitorial services. Minimal impact on business continuity and no access to sensitive data.
- Vendor F: Supplies office stationery. Low risk and minimal impact.
Step 3: Determine which regulations apply to each third-party vendor
In the next step, the focus for critical vendors narrows to the regulatory risk category. Regulatory risks arise from misalignment with regulatory standards, primarily due to poor cybersecurity practices. Compliance with regulations governing your business is directly impacted by the security postures of your vendors, which is why a growing number of regulations are increasing their emphasis on Third-Party Risk Management.
In addition to any regulations governing your business, your third-party vendors could also be required to comply with regulations in their industry. For example, a vendor handling payment processing must comply with the Payment Card Industry Data Security Standard (PCI DSS).
Learn how UpGuard helps financial services prevent data breaches >
Ideally, all of the primary regulations applicable to each third-party vendor will be determined in Step 1 of this process, either via relationship questionnaire submissions or compliance data collected through the Trust Exchange platform. The objective of this step is to ensure that all applicable regulations, whether stemming from the vendor’s industry or your own, are not overlooked.
All regulations impacting a vendor will determine the set of third-party security questionnaires that must be included in their risk assessment.
Each applicable regulation is likely to have specific cybersecurity standards that will need to be scrutinized with dedicated questionnaires. For example:
- PCI DSS Security Questionnaire: For vendors handling payment information, this questionnaire will uncover details about data encryption, access control, and transaction monitoring.
- GDPR Compliance Questionnaire: For vendors processing personal data of EU citizens, this questionnaire will uncover details about data handling practices, consent mechanisms, and data protection measures.
- HIPAA Compliance Questionnaire: For healthcare vendors, this questionnaire uncovers issues relating to the protection of Patient Health Information (PHI).
Learn how UpGuard protects the healthcare industry from data breaches >
Step 4: Identify primary risks associated with each third-party vendor
The risk exposure data gathered up to this point should be sufficient for you to determine the likely risks associated with each vendor and their degree of severity. Remember, this effort doesn’t need to be detailed; the risk assessment performed in the next step should elevate the dimension of cyber risk data to a sufficient level of detail. The purpose of this step is to estimate the likely degree of effort each risk assessment will require.
Example of a draft third-party vendor risk exposure profile
Vendor: ABC Corp
- Operational Risks:some text
- Risk: System failure due to outdated infrastructure
- Likelihood: Medium
- Impact: High
- Mitigation: Regular maintenance and upgrades
- Financial Risks:some text
- Risk: Financial instability due to high debt
- Likelihood: Low
- Impact: Medium
- Mitigation: Financial health monitoring
- Compliance Risks:some text
- Risk: Non-compliance with GDPR
- Likelihood: High
- Impact: High
- Mitigation: Regular compliance audits
- Data/Privacy Risks:some text
- Risk: Data breach due to insufficient encryption
- Likelihood: Medium
- Impact: High
- Mitigation: Implementation of robust encryption protocols
- Reputational Risks:some text
- Risk: Negative publicity from a previous breach
- Likelihood: Low
- Impact: High
- Mitigation: PR management and improved security measures
- Geographic Risks:some text
- Risk: Regulatory changes in operating region
- Likelihood: Medium
- Impact: Medium
- Mitigation: Regular monitoring of local regulations
- Supply Chain Risks:some text
- Risk: Disruption due to subcontractor failure
- Likelihood: Medium
- Impact: High
- Mitigation: Vetting and monitoring of subcontractors
For more examples of high-level vendor risk evaluations in different risk contexts, refer to this post on Vendor Risk Management examples.
Establishing a draft third-party risk exposure profile informs the level of focus of subsequent risk assessment activities.
Step 5: Send third-party risk assessments
Now, you’re ready to send the actual risk assessment. Each risk assessment will include a unique set of questionnaires, depending on the regulatory and industry standards applicable to each third-party vendor.
For a more detailed overview of what’s included in a risk assessment, refer to this vendor risk assessment example.
Watch this video for an overview of the complete risk assessment workflow.
Step 6: Collaborate efficiently with third-party vendors to expedite assessment completion
Inefficient vendor collaboration workflows are among the leading causes of delayed vendor risk assessment, an operational issue that could prolong your exposure to potential third-party breach risks.
Every third-party risk management strategy should be supported by streamlined vendor collaboration workflows, ideally consolidated within your TPRM solution and not dispersed across multiple email chains.
Streamline vendor collaboration is one of the key pillars of a foundationally scalable Third-Party Risk Management program.
Related: Top 8 Third-Party Risk Assessment Software Options in 2024
Collaboration workflows should cater to all parties involved in service provider security questionnaire completions.
Third-party vendor collaborations are primarily required during security questionnaire completions when clarification is needed the most.
Watch this video to learn how UpGuard solves the complex problem of vendor collaboration during questionnaire processes.
