Third-party risk management (TPRM): a practical starter guide
Procurement · 8-min read · updated June 2026
Third-party risk management sounds like a platform you buy. It isn’t — it’s a loop you run: know your vendors, tier them, assess before you onboard, and keep watching. Here’s a version small teams can actually sustain.
The loop
1. **Inventory.** List every supplier with access to your data or systems: SaaS, infrastructure, libraries, sub-processors. You can’t manage risk you can’t see, and shadow IT means the real list is longer than you think.
2. **Tier.** Rank by data sensitivity and business criticality. A payroll SaaS with PII is tier 1; a marketing widget is tier 3. Tiering tells you how deep to assess; not every vendor needs the same scrutiny.
3. **Assess.** For each new vendor, run a security questionnaire and pair it with independent checks of the actual product they ship: known vulnerabilities, active exploitation, and end-of-life status. Self-reported answers alone aren’t evidence.
4. **Record.** Capture the assessment, the residual risk, who approved it and when. This is what an auditor, and your future self after an incident, will ask for.
5. **Monitor.** Risk isn’t static: new CVEs land, certifications lapse, vendors get breached. Re-assess tier-1 vendors on a cadence and watch for active exploitation in the software they ship.
How deep to assess, by tier
| Tier | Examples | Assessment depth |
|---|---|---|
| 1 — Critical | Handles PII/PHI/payments, or core to operations | Full questionnaire + independent verification + SOC 2/ISO review + re-assess regularly |
| 2 — Moderate | Some data access, recoverable if it fails | Questionnaire + vulnerability check; lighter cadence |
| 3 — Low | No sensitive data, easily replaced | Lightweight check; record and move on |
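The loop and the tier table above are easy to describe and easy to let slip. The script below is an added example, not IsItPatched’s code: it encodes the tiering rule from the table, the assessment depth each tier requires, a record of who approved what and when, and a triage pass that flags vendors never assessed or past their re-assessment cadence. The cadence values (365 and 730 days), the vendor names and the inventory are constructed assumptions for illustration; the page gives no numbers for cadence.

```python
"""Minimal TPRM loop: inventory -> tier -> required checks -> record -> monitor.

Added example. Tier cadences and the sample inventory are assumptions, not
values from the guide; the tiering rule and check depth follow its table.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Assumed re-assessment cadence per tier, in days. None = record once, no scheduled re-check.
REASSESS_DAYS = {1: 365, 2: 730, 3: None}

# Assessment depth per tier, as in the guide's table.
REQUIRED_CHECKS = {
    1: ["security questionnaire", "independent vuln/exploitation/EOL check",
        "SOC 2 / ISO 27001 report review"],
    2: ["security questionnaire", "independent vuln check"],
    3: ["lightweight check"],
}

# Fixed "today" so results are reproducible (assumed date).
TODAY = date(2026, 6, 1)


@dataclass
class Vendor:
    name: str
    sensitive_data: bool        # handles PII, PHI or payment data
    business_critical: bool     # core to operations
    data_access: bool           # any access to your data or systems
    last_assessed: date | None = None
    approved_by: str | None = None
    residual_risk: str | None = None


def tier_for(v: Vendor) -> int:
    """Tier 1: sensitive data or critical. Tier 2: some data access. Tier 3: neither."""
    if v.sensitive_data or v.business_critical:
        return 1
    if v.data_access:
        return 2
    return 3


def record_assessment(v: Vendor, approver: str, residual_risk: str, when: date) -> dict:
    """Step 4 (Record): capture what was checked, residual risk, approver and date."""
    tier = tier_for(v)
    v.last_assessed, v.approved_by, v.residual_risk = when, approver, residual_risk
    return {"vendor": v.name, "tier": tier, "checks": REQUIRED_CHECKS[tier],
            "residual_risk": residual_risk, "approved_by": approver,
            "date": when.isoformat()}


def reassessment_due(v: Vendor, today: date) -> bool:
    """Step 5 (Monitor): True if never assessed or past the tier's cadence."""
    if v.last_assessed is None:
        return True
    days = REASSESS_DAYS[tier_for(v)]
    return days is not None and today - v.last_assessed > timedelta(days=days)


def triage(inventory: list[Vendor], today: date) -> dict[str, list[str]]:
    """Group vendor names by what needs doing now."""
    out: dict[str, list[str]] = {"assess_now": [], "reassess": [], "current": []}
    for v in inventory:
        if v.last_assessed is None:
            out["assess_now"].append(v.name)
        elif reassessment_due(v, today):
            out["reassess"].append(v.name)
        else:
            out["current"].append(v.name)
    return out


# Constructed sample inventory; names and dates are made up for the example.
SAMPLE_INVENTORY = [
    Vendor("payroll-saas", sensitive_data=True, business_critical=True, data_access=True,
           last_assessed=date(2025, 1, 10), approved_by="ciso"),          # tier 1, >365 days
    Vendor("ticketing-tool", sensitive_data=False, business_critical=False, data_access=True,
           last_assessed=date(2025, 3, 1), approved_by="it-lead"),        # tier 2, <730 days
    Vendor("marketing-widget", sensitive_data=False, business_critical=False, data_access=False,
           last_assessed=date(2022, 1, 10), approved_by="marketing"),     # tier 3, no cadence
    Vendor("new-analytics-lib", sensitive_data=False, business_critical=False, data_access=True),
]

if __name__ == "__main__":
    for v in SAMPLE_INVENTORY:
        print(f"{v.name:20} tier {tier_for(v)}  due={reassessment_due(v, today=TODAY)}")
    print(triage(SAMPLE_INVENTORY, TODAY))
```

Run as-is and the triage output places the never-assessed library under `assess_now`, the overdue payroll vendor under `reassess`, and the other two under `current`; calling `record_assessment` for a vendor updates its dates so the next triage pass treats it as current.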
Frequently asked questions
What is third-party risk management (TPRM)?
TPRM is the process of identifying, assessing and monitoring the security and operational risk that suppliers, vendors and partners introduce to your organisation. It spans the vendor lifecycle — selection, onboarding, ongoing monitoring and offboarding.
How do I start a TPRM program from scratch?
Start with an inventory of vendors, tier them by data sensitivity and criticality, then assess new and high-tier vendors with a security questionnaire backed by independent verification. Record decisions, and re-assess your most critical vendors on a schedule.
Do I need an expensive TPRM platform?
Not to start. A tiered inventory, a good questionnaire, and independent vulnerability data get you most of the value. IsItPatched gives you a free vendor assessment (questionnaire + verified data) you can use per vendor today.
Why isn’t a questionnaire alone enough?
A questionnaire is self-reported. It tells you what the vendor claims, not whether the software they ship has open critical vulnerabilities, is being actively exploited, or is end-of-life. Pair it with independent software-composition data.
This guide is vendor-neutral and informational, grounded in publicly available guidance from bodies such as OWASP, NIST and CISA. IsItPatched is independent and not affiliated with them, and this is not legal or compliance advice.