managing-third-party-vendor-risk

Installation
SKILL.md

Managing Third-Party Vendor Risk

When to Use

  • When assessing a new vendor before onboarding, especially one that will handle sensitive data, connect to your network, or be embedded in a critical process.
  • When standing up or maturing a third-party risk management (TPRM) program and you need a repeatable tiering + assessment workflow.
  • When tiering an existing vendor portfolio so effort matches risk.
  • When reviewing vendor evidence — a SOC 2 Type II report, ISO 27001 certificate, CAIQ, or pen-test summary — and you need to know what to look for.
  • When writing security and privacy requirements into a contract / DPA, including breach-notification SLAs and right-to-audit.
  • When a vendor (or their subcontractor) suffers a breach and you must assess exposure.
  • When managing software supply-chain and Nth-party (fourth-party and beyond) risk.

Prerequisites

  • A vendor inventory (who you use, for what, and what data/access each has).
  • A defined risk-tiering model (criteria and thresholds) agreed with the business.
  • Access to standardized questionnaires (Shared Assessments SIG, CSA CAIQ) and a way to collect evidence.
  • Clarity on your own regulatory obligations that flow down to vendors (e.g., HIPAA BAAs, CMMC flowdown, GDPR processor terms, PCI).
  • Stakeholders identified: procurement, legal, security, data owner, and the business sponsor.
Installs
3
GitHub Stars
24.8K
First Seen
12 days ago
managing-third-party-vendor-risk — mukul975/anthropic-cybersecurity-skills