managing-third-party-vendor-risk
Installation
SKILL.md
Managing Third-Party Vendor Risk
When to Use
- When assessing a new vendor before onboarding, especially one that will handle sensitive data, connect to your network, or be embedded in a critical process.
- When standing up or maturing a third-party risk management (TPRM) program and you need a repeatable tiering + assessment workflow.
- When tiering an existing vendor portfolio so effort matches risk.
- When reviewing vendor evidence — a SOC 2 Type II report, ISO 27001 certificate, CAIQ, or pen-test summary — and you need to know what to look for.
- When writing security and privacy requirements into a contract / DPA, including breach-notification SLAs and right-to-audit.
- When a vendor (or their subcontractor) suffers a breach and you must assess exposure.
- When managing software supply-chain and Nth-party (fourth-party and beyond) risk.
Prerequisites
- A vendor inventory (who you use, for what, and what data/access each has).
- A defined risk-tiering model (criteria and thresholds) agreed with the business.
- Access to standardized questionnaires (Shared Assessments SIG, CSA CAIQ) and a way to collect evidence.
- Clarity on your own regulatory obligations that flow down to vendors (e.g., HIPAA BAAs, CMMC flowdown, GDPR processor terms, PCI).
- Stakeholders identified: procurement, legal, security, data owner, and the business sponsor.