
Third-Party Risk Assessment & Due Diligence

Vendor Risk, TPRM

Structured evaluation of third-party cybersecurity, operational, financial, compliance, and reputational risks before and during the vendor relationship.

Problem class

77% of security breaches over the past three years originated with a vendor or third party (Whistic 2025). Point-in-time assessments using questionnaires alone miss dynamic risks; comprehensive due diligence combines multiple evidence sources.

Mechanism

Risk assessments combine standardized questionnaires (SIG, CAIQ, custom), evidence review (SOC 2 reports, ISO 27001 certificates, penetration test results), external risk ratings, and business-specific criteria into a composite risk score per vendor. Assessment scope scales by tier — critical vendors receive comprehensive assessment, low-tier vendors receive streamlined evaluation. Findings generate risk treatment plans with remediation requirements, acceptance criteria, and escalation thresholds.

Required inputs

  • Standardized assessment questionnaires by risk domain and tier
  • Vendor-provided evidence (SOC 2, ISO certs, pen test results)
  • External risk rating data (SecurityScorecard, BitSight, etc.)
  • Risk appetite thresholds defining acceptable residual risk levels

Produced outputs

  • Composite risk scores per vendor across all assessed domains
  • Risk treatment plans with remediation requirements and deadlines
  • Assessment completion and findings dashboards per tier
  • Due diligence documentation supporting procurement decisions

Industries where this is standard

  • Financial services under regulatory mandates for vendor due diligence
  • Healthcare assessing HIPAA compliance of all data-processing vendors
  • Government agencies under FedRAMP authorization for cloud vendors
  • Technology companies assessing SaaS supply-chain security posture
  • Critical infrastructure operators under NIS2 supply-chain requirements

Counterexamples

  • Sending 300-question assessments to every vendor regardless of tier overwhelms vendors and assessors alike; 48% of organizations have only 1–2 FTEs dedicated to TPRM.
  • Accepting SOC 2 Type II reports without reading the exceptions and testing methodology treats certification as a compliance checkbox rather than a risk evidence source.
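The mechanism above (composite score from several evidence sources, scope scaled by tier, treatment decided against risk-appetite thresholds) and the SOC 2 counterexample, as an added illustration that is not part of this page or any named platform; the weights, thresholds, tier names and vendor data are all constructed assumptions:

```python
from datetime import date

# Evidence sources in scope per tier, with weights (constructed values, not a
# published TPRM standard). Low-tier vendors get a streamlined scope.
TIER_WEIGHTS = {
    "critical": {"questionnaire": 0.35, "evidence": 0.35, "external": 0.20, "business": 0.10},
    "low": {"questionnaire": 0.60, "external": 0.40},
}
# Risk appetite thresholds (constructed): composite is 0-100, higher is riskier.
ACCEPT_MAX = 40.0    # residual risk acceptable without conditions
ESCALATE_MIN = 70.0  # goes to the risk owner regardless of tier
MISSING = 100.0      # in-scope evidence that was never provided scores worst case

def soc2_evidence_risk(report, today):
    """Read the SOC 2 Type II report rather than treat it as a checkbox: each
    noted exception adds risk, and a report older than a year adds more."""
    risk = 10.0 + 15.0 * len(report["exceptions"])
    if (today - report["period_end"]).days > 365:
        risk += 30.0
    return min(risk, 100.0)

def composite_score(tier, source_scores):
    """Weighted composite over the sources in scope for the tier."""
    weights = TIER_WEIGHTS[tier]
    return round(sum(w * source_scores.get(src, MISSING) for src, w in weights.items()), 1)

def treatment_plan(tier, source_scores):
    """Map the composite score and evidence gaps to a treatment decision.
    A critical vendor with any missing evidence escalates even if its score is low."""
    score = composite_score(tier, source_scores)
    missing = sorted(src for src in TIER_WEIGHTS[tier] if src not in source_scores)
    if score >= ESCALATE_MIN or (tier == "critical" and missing):
        decision = "escalate"
    elif score <= ACCEPT_MAX:
        decision = "accept"
    else:
        decision = "remediate"
    return {"score": score, "missing": missing, "decision": decision}

# Constructed sample: a SOC 2 report with two exceptions, 16 months old at review time.
SAMPLE_TODAY = date(2025, 6, 1)
SAMPLE_REPORT = {"period_end": date(2024, 1, 31), "exceptions": ["change mgmt", "access review"]}

def demo():
    """Three constructed vendors: full evidence, a critical vendor missing its SOC 2,
    and a low-tier vendor whose external rating was never obtained."""
    ev = soc2_evidence_risk(SAMPLE_REPORT, SAMPLE_TODAY)  # 10 + 2*15 + 30 = 70.0
    return {
        "critical_full": treatment_plan("critical", {"questionnaire": 30, "evidence": ev, "external": 45, "business": 20}),
        "critical_no_soc2": treatment_plan("critical", {"questionnaire": 30, "external": 45, "business": 20}),
        "low_no_rating": treatment_plan("low", {"questionnaire": 25}),
    }
```

Scoring absent evidence as worst case, and escalating any critical-tier gap, is what stops an unanswered questionnaire or an unread report from quietly lowering a vendor's risk.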

Representative implementations

  • SecurityScorecard's 2025 report found 35.5% of breaches linked to third-party access, validating comprehensive assessment as a critical risk-reduction capability.
  • Verizon 2025 DBIR reports 30% of data breaches involved a third-party supplier, double the percentage from the previous year, underscoring assessment urgency.
  • OneTrust Third-Party Risk Management platform reduced assessment cycle time by 60% for enterprise customers through automated evidence collection and workflow orchestration.

Common tooling categories

Risk assessment platforms, questionnaire management engines, evidence collection portals, and risk scoring algorithms.


Maturity required: Medium (acatech L3–4 / SIRI Band 3)
Adoption effort: Medium (months, not weeks)