Learn best practices for simplifying and streamlining third-party risk management questionnaires in order to effectively identify and reduce organizational risks.
Third Party Risk Management Questionnaire: Best Practices
We know how complex and time-consuming third-party questionnaires can get, but there are ways to automate them and the broader TPRM process.
Whether you represent a service organization or a customer organization in this context, the challenges that come with TPRM questionnaires can, in most cases, be reduced by having clear processes and objectives, using bespoke questionnaires, and leveraging the right software and automation.
This article explores several best practices for simplifying the TPRM questionnaire while keeping it an essential step in helping an organization identify and reduce its third-party risks.
TPRM questionnaires are one piece in the larger puzzle of a company’s third-party risk management strategy. That strategy outlines the organization’s approach to new relationships from a risk management perspective. As such, it sets the direction for managing a wide range of risks specific to third parties, such as concentration (i.e., heavy dependency on one supplier), regulatory concerns, information security, vendor lock-in, and others.
Your TPRM questionnaire is not merely a compliance exercise—it may trigger new vendor requirements or shift organizational decision-making. Its results should enable decisions that are in line with the TPRM strategy.
In the end, you are using TPRM questionnaires to control third-party risks. The earlier these questionnaires are launched, filled in, and assessed, the earlier you can address any identified risks for your business.
Third-party risk assessments are a daily reality for most companies today. Having a defined process and working toward its optimization offers plenty of benefits, such as a standardized approach, clear roles and responsibilities, and a clear indication of the actions applicable at each step.
Here are some specific aspects of implementing the third-party risk assessment process.
It’s great to have all IT&C outsourcing in the main HQ going through the process, but is anything falling through the cracks? Is there any shadow IT or process “fast-tracking” occurring in some offices or departments? Are there any types of services that are excluded from the process—not through a specific decision but as a silent belief that they should be?
For example, should the new cafeteria supplier undergo a risk assessment if they are not using the company systems? Well… First, risks are not only related to systems—the cafeteria staff will see and hear all employees. Second, what if the cafeteria supplier comes up with a nice lunch booking system for your employees? Will that trigger a risk assessment, or will no one think of it?
Roles may be split into owners (business members), assessors and advisors (compliance, DPO, security, and legal), and administrators (the procurement/vendor management team). Responsibilities in the process should be communicated and applied.
As with many processes, the earlier it starts, the better. Ideally, the risk assessment process should be triggered in the early stages of a project.
The TPRM questionnaire can come in once potential vendors have been shortlisted for an engagement. Doing this before signing a contract is crucial; otherwise, the purpose of the assessment is defeated.
Repeating assessments may depend on the vendor’s criticality (see the following best practice), a major change in their environment, or new regulatory requirements.
The risk assessment process is much more than the questionnaire—each company has a different combination of tools that enable this process. Their aggregated results aim to show a complete picture of risks. Some of these tools and techniques, besides the TPRM questionnaire itself, include:
A business impact analysis (BIA)
A privacy impact assessment (PIA)
Vendor legitimacy / know-your-supplier (KYS) checks
Threat intelligence / security scorecards
You can catalog your vendors into specific categories using various methods—such as “tier 1/2/3,” “critical/important/nonessential,” or “material/nonmaterial”—based on your needs and compliance requirements. If you haven’t done this yet, it’s time to start.
Distinguishing how important certain vendors are for your business has some strong benefits. Efforts to manage third-party relationships can be more efficient if they are focused in the most important directions. This includes risk assessments, contract requirements, service monitoring, and determining whether exit strategies are needed or not.
Furthermore, in certain industries—such as finance—multiple regulations require institutions to have a vendor inventory divided between “material” and “nonmaterial,” along with the rationale for each classification.
The TPRM questionnaires can be simpler or more complex depending on the category. It’s extremely important that the questionnaire for your critical suppliers be complemented by strong evidence attesting to the veracity of answers.
For instance, migrating your infrastructure to a managed service provider (MSP) will likely be the most complex assessment your company goes through. You may need to:
Ask for the vendor’s most recent SOC 2 Type II report and scrutinize any findings.
Ask for the latest penetration test results and raise concerns on any identified “critical” or “high” vulnerabilities.
Review their information security policies and network diagrams.
Do an on-site assessment or even conduct your own audit (directly or through another third party).
Conduct extensive discussions with the vendor about critical aspects of integration to ascertain technical readiness.
A further step in customization is focusing on the relevant questions for each type of service. This comes on top of your standard questions and areas of concern. If something is not relevant, the vendor will inform you.
For example, your “off-the-shelf” SaaS provider can receive extra questions on API security and capabilities, while your office network provider can have sections on equipment setup, configuration, maintenance, and incident management. While these already sound like they could be part of the requirements phase, it’s a good idea to ascertain their general readiness for the things you are actually planning to contract them for.
It’s also a good idea to use frameworks here—get familiar with those relevant to you and use applicable requirements to help you with your questions. For instance:
CSA’s Cloud Security Matrix is brilliant for any cloud service, covering data center requirements, virtualization, integration and portability, and shared responsibilities. Here, you can find a baseline for your TPRM questionnaire and later requirements.
AICPA’s Trust Services Criteria work for any service organization. Don’t forget to ask for the vendor’s SOC 2 report—those in good shape will be proud to share it. As this report provides an attestation of the vendor’s control environment (issued by an accredited third party), it can replace a good part of your questionnaire that relates to operational controls.
ISO’s 27001:2022 standards can be utilized to draw questions related to organizational, people, physical, and logical controls. Use it with confidence to design questions about how vendors are ensuring the security of information in transit or managing their vulnerabilities.
The EU GDPR, the strongest act regulating personal data protection, can be used to design the PIA or add personal data processing questions in the TPRM questionnaire. If available, the vendor can also provide GDPR compliance documentation.
If the results show a good posture that corresponds to your company’s expectations, great! But there will be cases where a key policy is missing, a security practice is not good enough, or a network protocol is below your company’s standard. We recommend the following steps.
Check with the vendor to ensure that you have the right understanding and that no information was missed. More information may reveal that compensating controls are in place or on the roadmap, that the answer was not accurate, or that the question was misunderstood.
A vendor may not have invested in security certifications, but do you need them if they will not process any of your sensitive information? Tie this back to the objectives of your questionnaire and take appropriate action according to your vendor's criticality.
Your observations should be communicated to interested parties based on the defined process (e.g., contract owner, information asset owner, technology manager, or procurement). The risks of the identified deficiencies or vulnerabilities should be discussed, and the organization should provide a risk response in line with the company’s risk appetite. For example:
Risk avoidance: You may decide not to enter into a contractual agreement with the vendor.
Risk mitigation: The vendor can be asked to remediate the deficiency within a certain timeline. Meanwhile, the customer company may limit the amount and type of data processed by the third party.
Risk acceptance: You might decide that the risk is acceptable. This decision should be documented and owned, and the risk evolution should be monitored.
Even though the TPRM questionnaire is predominantly used before onboarding a vendor, any major events should trigger a new risk assessment, potentially including a targeted questionnaire.
For example, let’s take a look at IT activity outsourcing. You may have a strategic partner that manages your helpdesk, IT infrastructure, and even development activities. What if you want to add cybersecurity services to the mix? You would need to know the costs and transition timelines and also assess the following:
Capacity and performance: Can the vendor ensure quality of service and meet all of your SLAs?
Competence: Does the vendor have adequately trained staff to perform cybersecurity activities for you, such as incident management, forensics, and threat hunting?
Integration: Does the new tooling meet your standards? Can it fulfill its purpose in your network environment?
Data protection: Will your company data be processed in jurisdictions different from the ones where it has been so far?
Supply chain: Will the third party outsource the service provided to you? If so, an individual assessment and TPRM questionnaire should be launched for that subcontractor to assess the associated risks.
A vendor termination may trigger another type of questionnaire or checklist, focused on data migration options. This can be part of a vendor exit plan, especially for critical third parties.
These days, there is no escape from having an extensive third-party portfolio. Managing it requires well-thought-out automated tasks. When it comes to TPRM questionnaires, you should be able to do the following:
Design and launch TPRM questionnaires and assessments that vendors can access directly without the need to use potentially unsafe channels such as emails and file-sharing services.
Collect, store, and access artifacts any time you need them and have a central repository for all TPRM evidence accompanying the questionnaires.
Trigger new assessments on predefined timelines according to vendor criticalities or lifecycles.
Monitor compliance with dashboards that show completion status and outstanding items.
Connect the risk register to raise risk flags in the case of unsatisfactory questionnaire results.
Select applicable controls for the third party based on your risk assessment.
Solutions like Drata can provide this and much more. Customize your workflows as needed to run an efficient and compliant TPRM process.
A TPRM questionnaire’s reliability depends on several factors:
The suitability of the questionnaire for the vendor and its service. If the questionnaire is solid and tailored appropriately, it’s a good basis for your assessment. However, if it fails to ask the right questions or misses a critical area—anyone “forgetting” about physical security nowadays?—it will leave gaps in your view of the vendor.
The extent to which your questionnaire requires evidence. The questionnaire should not be limited to answering questions, especially for a critical vendor. For example, one question may ask: “Do you have a SOC 2 Type II report that covers the past year? If so, please share it.” This way, the questionnaire can be corroborated with evidence and make up a more comprehensive view of the vendor’s security posture.
The vendor’s legitimacy and ethics. Finally, when a vendor is trying to close a good business deal, or treats the TPRM questionnaire as just a formality, its answers may paint a rosier picture than reality. A crucial part of vendor due diligence is ensuring you are engaging in a trustworthy relationship. This process is known as “know your supplier (KYS)” and aims to detect any red flags related to authenticity, reliability, and compliance.
Mid-sized companies may have thousands of vendors connected to their environments, while large enterprises can reach hundreds of thousands. With such an extensive supply chain come just as many business risks, so it’s imperative to take all available precautions before onboarding a new third party.
The TPRM questionnaire is a universally used tool that, in combination with other tools and techniques, helps paint a picture of just how secure your new or existing supplier is. Using it early in the risk assessment process and regularly based on the vendors’ criticalities helps you stay aware of third-party risks and enables you to respond to them as needed.