Building a TPRM programme from scratch: where to actually start

Reading time: ~6 min

You’ve decided to structure the way you manage risks from your vendors and suppliers. Good. But in front of you: a list of 150 providers, contracts that haven’t been reviewed in years, and no formal process in place. Where do you start without drowning?

Here’s the method I use to build an operational TPRM programme — even when starting from zero.


Why TPRM has become non-negotiable

Most significant security incidents in recent years involve a third party: a compromised IT provider, a subcontractor with overly broad access, a SaaS vendor with no serious encryption policy.

NIS2, DORA, ISO 27001 — all of these frameworks now require you to demonstrate that you control your exposure through your partners. This is no longer an optional best practice. It’s a regulatory requirement.


The 5 building blocks of a solid TPRM programme

Block 1 — Map your existing vendors

Before any assessment, you need to know who is in scope. The goal: build an exhaustive list of your third parties, noting for each one the type of access they hold (data, IT systems, physical premises) and their business criticality. This mapping is the foundation of everything else. Without it, you’re assessing in a vacuum.

Block 2 — Define a risk classification framework

Not all vendors deserve the same level of scrutiny. I work with 3 tiers: critical (access to production systems or sensitive data), sensitive (partial or occasional access), standard (no direct access to critical assets). This classification determines the depth of assessment and the review frequency for each vendor.

Block 3 — Build a proportionate assessment process

The classic mistake: an 80-question questionnaire sent to every supplier, which ends up being ignored. The right approach: a short, targeted questionnaire (10 to 15 questions) for standard vendors, and a structured interview plus document review for critical ones. The assessment process must be sustainable over time — otherwise it simply won’t happen.

Block 4 — Embed TPRM into your contractual processes

A TPRM programme without contractual grounding remains cosmetic. Security requirements must be integrated from the vendor onboarding stage, with clear clauses covering: audit rights, incident notification, and subcontracting commitments. That’s when you have leverage — not after the contract is signed.

Block 5 — Set up continuous monitoring

An initial assessment is just a snapshot. A vendor can change its policies, be acquired, or suffer an incident. Continuous monitoring means, at minimum: an annual reassessment of critical vendors, alerts on major public incidents, and tracking of certifications (ISO 27001, SOC 2) approaching expiry.
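As an added illustration of blocks 2, 3 and 5 together (this is example code written for this page, not a tool from the author), the script below keeps a small vendor inventory, derives the tier from the type of access each vendor holds, picks the proportionate assessment method for that tier, and flags vendors whose reassessment is due or whose certifications are about to expire. The annual reassessment for critical vendors comes from the text; the review intervals for the other two tiers, the 90-day expiry warning window and the sample vendors are assumptions constructed for the example.

```python
"""Vendor inventory, tier classification and monitoring schedule (added example)."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Assessment depth per tier, following the proportionate process from block 3.
# The "sensitive" entry is an assumption; the post only spells out the other two.
ASSESSMENT_BY_TIER = {
    "critical": "structured interview + document review",
    "sensitive": "targeted questionnaire (10-15 questions) + evidence spot check",
    "standard": "targeted questionnaire (10-15 questions)",
}

# Review interval per tier. 365 days for critical vendors is from block 5;
# the other two intervals are assumptions for illustration.
REVIEW_INTERVAL_DAYS = {"critical": 365, "sensitive": 730, "standard": 1095}

# Assumption: raise an alert when a certification expires within 90 days (or has expired).
CERT_EXPIRY_WARNING_DAYS = 90


@dataclass
class Vendor:
    name: str
    production_access: bool = False        # access to production IT systems
    sensitive_data_access: bool = False    # access to sensitive data
    partial_access: bool = False           # partial or occasional access (systems or premises)
    last_assessed: Optional[date] = None   # None means never assessed
    certifications: Dict[str, date] = field(default_factory=dict)  # cert name -> expiry date


def classify(v: Vendor) -> str:
    """Block 2: three tiers driven by the type of access the vendor holds."""
    if v.production_access or v.sensitive_data_access:
        return "critical"
    if v.partial_access:
        return "sensitive"
    return "standard"


def assessment_for(v: Vendor) -> str:
    """Block 3: the assessment method is proportionate to the tier."""
    return ASSESSMENT_BY_TIER[classify(v)]


def reassessments_due(vendors: List[Vendor], today: date) -> List[str]:
    """Block 5: vendors never assessed, or assessed longer ago than their tier's interval."""
    due = []
    for v in vendors:
        interval = timedelta(days=REVIEW_INTERVAL_DAYS[classify(v)])
        if v.last_assessed is None or today - v.last_assessed >= interval:
            due.append(v.name)
    return sorted(due)


def expiring_certifications(vendors: List[Vendor], today: date,
                            window_days: int = CERT_EXPIRY_WARNING_DAYS) -> List[Tuple[str, str, int]]:
    """Block 5: (vendor, certification, days left) for certs inside the warning window.
    A negative 'days left' means the certification has already lapsed."""
    alerts = []
    for v in vendors:
        for cert, expiry in v.certifications.items():
            days_left = (expiry - today).days
            if days_left <= window_days:
                alerts.append((v.name, cert, days_left))
    return sorted(alerts, key=lambda a: a[2])


# Constructed sample inventory (fictional vendors and dates).
SAMPLE_VENDORS = [
    Vendor("Acme Hosting", production_access=True, last_assessed=date(2023, 5, 1),
           certifications={"ISO 27001": date(2024, 7, 15)}),
    Vendor("PayrollCloud", sensitive_data_access=True, last_assessed=date(2024, 1, 10),
           certifications={"SOC 2": date(2025, 3, 1)}),
    Vendor("OfficeCleaners", partial_access=True),  # occasional premises access, never assessed
    Vendor("StockPhotoSaaS", last_assessed=date(2022, 9, 1),
           certifications={"ISO 27001": date(2024, 5, 20)}),  # already lapsed
]

if __name__ == "__main__":
    today = date(2024, 6, 1)  # fixed reference date so the run is reproducible
    for v in SAMPLE_VENDORS:
        print(f"{v.name:16} {classify(v):9} -> {assessment_for(v)}")
    print("Reassessment due:", reassessments_due(SAMPLE_VENDORS, today))
    print("Certification alerts:", expiring_certifications(SAMPLE_VENDORS, today))
```

Run with a fixed reference date, the script lists Acme Hosting (critical, assessed over a year ago) and OfficeCleaners (never assessed) as due, and raises two certification alerts: StockPhotoSaaS's ISO 27001 lapsed 12 days earlier and Acme Hosting's expires in 44 days. Replacing the constructed list with an export from your own inventory is the only change needed to reuse it.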


Where to start concretely

If you’re starting from scratch, here’s the sequence I recommend:

  1. Weeks 1–2 — Map your vendors and classify them by criticality level.
  2. Weeks 3–4 — Prioritise assessment of your 5 to 10 critical vendors. That’s where risk is concentrated.
  3. Month 2 — Document the process, build questionnaire templates and risk summary sheets.
  4. Month 3 — Integrate security clauses for new vendors. Schedule reassessments for existing ones.

Want to build your TPRM programme without spending 6 months on it?

I help SMEs and mid-sized companies structure their third-party risk management quickly and operationally. Get in touch and we’ll assess your situation together — no commitment required.