Third-Party Risk Management: Beyond the Security Questionnaire

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
Third-party risk management programs in most organizations consist of an annual questionnaire sent to vendors, a spreadsheet tracking whether vendors have returned it, and a checkbox on an audit finding. The questionnaire is completed by whoever the vendor assigns to it, the answers are unverified, and the program produces documentation that says "vendor security assessed" without providing evidence that the vendor is actually secure. When a vendor is breached and the organization is affected, the program provides no advance warning, no contractual recourse mechanism, and no incident response integration. This guide is about building a TPRM program that functions as a genuine control, not just a compliance artifact.
The Questionnaire Theater Problem
The Standardized Information Gathering (SIG) questionnaire from Shared Assessments runs to more than 800 questions across 20 security domains. Completing the full SIG takes days; verifying the answers takes longer. Most organizations send a version of this questionnaire to hundreds of vendors and have a team of one or two analysts to manage the program. The math does not work: the program is designed for its own failure.
The completion of a security questionnaire proves only that the vendor has a person who can fill out a questionnaire. It does not prove that the vendor's systems are secure, that the answers are accurate, that the controls described are actually implemented, or that the implementation quality is adequate. Vendors routinely answer "yes" to questions about controls they do not have, because the questionnaire is checkbox compliance theater for them too. Vendors without security resources answer questions based on what they think the correct answer should be, not what their environment actually looks like.
The 2020 SolarWinds breach is the canonical example of why questionnaire-based TPRM fails. SolarWinds would have answered security questionnaires correctly. They had SOC 2 Type II certifications. They had documented security policies and procedures. None of this prevented the build system compromise and supply chain attack that affected 18,000 organizations. The questionnaire measures documented intention; it does not measure actual security posture.
Effective TPRM is built on a different premise: verification over assertion, continuous signals over point-in-time snapshots, and risk-proportionate effort over uniform coverage. The questionnaire has a role, but it is one input in a broader process, not the process itself.
Vendor Tiering: The Foundation of Proportionate Risk Management
The core design principle of an effective TPRM program is that not all vendors deserve the same level of scrutiny. A vendor that has administrative access to your production cloud environment with access to customer PII is categorically different from a vendor that sells you office supplies. Applying the same assessment process to both is the reason TPRM programs collapse under their own weight.
A four-tier model based on three dimensions provides a practical framework. The dimensions are: data sensitivity (what categories and volume of data the vendor accesses), access type (network access to production systems, administrative credentials, code or build pipeline access, or no direct technical access), and business criticality (how severely business operations would be disrupted if the vendor became unavailable or was compromised).
Tier 1 (Critical): vendors with production system access, access to large volumes of sensitive data (PII, financial data, health data), or code/build pipeline access. These vendors represent the highest blast radius. Examples: cloud infrastructure providers, identity providers, code repositories, security tools with endpoint or network access, payroll processors, core banking systems. Assessment depth: annual in-depth technical assessment, SOC 2 Type II review, penetration test report review, architecture review, contractual right to audit.
Tier 2 (High): vendors with meaningful data access or significant business criticality but not production system access. Examples: CRM platforms, analytics tools with customer data, HR systems, major SaaS productivity tools. Assessment depth: annual review of SOC 2 Type II, questionnaire with evidence requirements, contractual security requirements.
Tier 3 (Medium): vendors with limited data access, no production system access, and moderate business criticality. Examples: marketing tools, collaboration platforms, project management tools. Assessment depth: biennial review, lighter questionnaire, review of publicly available security documentation.
Tier 4 (Low): vendors with no data access, no system access, and low business criticality. Examples: physical goods suppliers, facility services, non-software vendors. Assessment depth: basic registration questionnaire, contract security clauses, no ongoing security review required.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Tier 1 Vendor Assessment: What Rigor Actually Looks Like
A rigorous Tier 1 assessment is qualitatively different from an enhanced questionnaire. It incorporates multiple evidence sources, involves technical verification, and produces a risk-differentiated opinion rather than a pass/fail binary.
SOC 2 Type II report review is the starting point. A Type II report covers a defined period (typically 6 or 12 months) and attests that specified controls were not only designed appropriately but operated effectively over that period. The critical practice is actually reading the report, not just collecting the certificate. In the SOC 2 report, look at: the scope of the audit (which services and environments are in scope), any qualified opinions or exceptions noted by the auditor, the description of the complementary user entity controls (controls the vendor expects you to implement), and the management's response to any exceptions. A SOC 2 with multiple exceptions is a different security story than a clean Type II, even though both exist as "SOC 2 certified."
Penetration test report review provides insight into the vendor's actual security posture that SOC 2 does not. Ask for the executive summary and findings list from their most recent annual penetration test. The key questions: how old is the report (more than 18 months is concerning for a Tier 1 vendor), how many critical and high findings were identified, and are the findings remediated (with evidence)? A vendor who refuses to share any penetration test results, even under NDA, is sending a signal about their confidence in their own security posture.
Architecture review involves working with the vendor's technical team to understand how they handle your data: where it is stored, how it is encrypted at rest and in transit, how access is controlled, how it is separated from other customer data, and what their incident detection and response capabilities look like. This conversation often surfaces design assumptions that questionnaires miss. Reference checks with existing customers of the vendor (particularly those in your industry) can provide candid assessments of the vendor's security responsiveness and the quality of their breach notification practices.
Continuous Technical Monitoring for Third-Party Risk
A point-in-time assessment, however thorough, reflects the vendor's security posture on the day of the assessment. The vendor's posture changes continuously: new vulnerabilities are discovered, security configurations drift, employees who maintained critical controls leave, and infrastructure changes introduce new exposure. Continuous technical monitoring provides ongoing signals about vendor security posture between formal assessments.
Attack surface monitoring services (SecurityScorecard, Bitsight, IONIX, RiskRecon) continuously scan vendor infrastructure from an external perspective and generate risk scores based on observable signals: exposed ports and services, certificate health, vulnerability disclosure indicators, web application security headers, DNS configuration, and data breach intelligence. These scores are imperfect; they reflect what is observable from the internet and miss internal control quality. But they provide an early warning system for observable security degradation that supplements periodic assessments.
For Tier 1 vendors, configure monitoring alerts on significant score degradation. A vendor whose SecurityScorecard drops 20 points in two weeks warrants an inquiry. The inquiry process should be documented: a standard outreach email asking the vendor to explain and address the specific findings driving the score decline, with a timeline for response. The vendor's responsiveness to these inquiries is itself a signal of their security maturity.
Typosquat monitoring for vendors with access to your domain or code repositories addresses a different threat: a threat actor registering a domain similar to your vendor's domain and using it for email impersonation, spear phishing, or malicious package distribution. If you have a critical vendor at example-vendor.com, registering alerts on domains like examp1e-vendor.com, example-venddr.com, and example-vendor.net costs almost nothing and provides early warning of targeted phishing infrastructure.
Breach notification services (HaveIBeenPwned API, SpyCloud, Recorded Future, Flare) provide alerts when credentials or data from organizations you monitor appear in data breach collections. Alerting on employee email address appearances from your Tier 1 vendor domains gives you advance warning of credential exposure that could be leveraged against systems they manage for you.
Contractual Security Requirements
Technical controls are necessary but not sufficient for TPRM. Contractual security requirements create legal obligations that define what the vendor must do, what they must tell you when something goes wrong, and what remedies are available if they fail. Most vendor contracts have inadequate security provisions; negotiating better terms is a legitimate and effective TPRM activity.
The right to audit clause allows the organization to conduct or commission a security assessment of the vendor, subject to reasonable notice requirements. Most vendors push back on audit rights, but a modified version is usually achievable: the right to request and review the most recent SOC 2 Type II report, penetration test results, and security policies, with the vendor committed to responding within a defined timeframe. For highest-criticality vendors, negotiate the right to conduct a questionnaire-based assessment annually and an on-site or virtual technical assessment every two to three years.
Breach notification SLA defines the maximum time from breach discovery to notification of your organization. The regulatory floor under GDPR is 72 hours to supervisory authority notification, but vendor-to-customer notification is often contractually undefined. Negotiate a specific notification timeframe (24 to 48 hours from vendor discovery for Tier 1 vendors) and define what the notification must include: the nature of the incident, the data categories and volumes potentially affected, the systems involved, and the remediation steps in progress.
Subprocessor notification requirements address your vendor's use of fourth parties. A vendor who processes your data has subprocessors (their own vendors) who may also handle your data. The contract should require the vendor to notify you before adding new subprocessors, provide you with an up-to-date subprocessor list on request, and commit that subprocessors are bound by security obligations at least as stringent as the main contract. This is standard language in GDPR Data Processing Agreements and should be standard in all vendor contracts for data-processing relationships.
Data deletion and return on termination requires the vendor to provide a complete export of your data within a defined period of contract termination and to certify deletion of all copies from their systems within a defined period after the export is provided. Without this clause, your data may persist indefinitely in the vendor's environment after you stop using their service.
SaaS Shadow IT Discovery
The four-tier vendor inventory described above assumes you know which vendors your organization uses. In practice, employees procure SaaS applications independently, outside IT procurement processes, at a rate that makes centralized SaaS inventory unreliable within months of creation. Shadow IT research consistently finds that the number of SaaS applications in actual use is three to five times the number that IT has approved.
Cloud Access Security Broker (CASB) and Security Service Edge (SSE) tools provide visibility into shadow IT by inspecting web and network traffic. Deployed as a proxy or via API integration with SSO providers, tools like Netskope, Zscaler Internet Access, Lookout, and Microsoft Defender for Cloud Apps catalog every SaaS application that employees access, classified by category and risk score. For each discovered application, they show the number of users, data upload/download volumes, and an assessment of the application's security controls based on its CASB risk profile.
The shadow IT discovery output is a long tail of applications with widely varying risk profiles. A common finding is that employees are using personal file-sharing services (personal Dropbox, Google Drive personal accounts) to share work files that the organization considers sensitive. Another common finding is that teams have subscribed to SaaS tools in categories where the organization has an approved alternative, creating redundant data stores and bypassing data governance controls.
The output of shadow IT discovery feeds directly into the TPRM program. Applications discovered that meet the criteria for Tier 2 or Tier 3 need to be either assessed and formally approved, migrated to an approved alternative, or blocked. The CASB/SSE tool provides the blocking capability: once a policy is established that defines approved and blocked applications, traffic to blocked applications can be intercepted and redirected with an explanation page. The discovery process is iterative; new shadow IT applications appear continuously, so the discovery and triage cycle needs to run continuously rather than as a one-time project.
Supply Chain Code Risk and SBOM Requirements
Software supply chain risk is a distinct TPRM domain that emerged as a major concern following the SolarWinds and Log4Shell incidents. Organizations that consume software from third-party vendors are exposed to vulnerabilities not only in the vendor's own code but in all of the open-source and commercial dependencies that the vendor's software includes.
Software Bill of Materials (SBOM) is the mechanism for making software dependency exposure visible. An SBOM is a machine-readable inventory of all components included in a software product, analogous to an ingredients list on food packaging. The two dominant SBOM formats are SPDX (Software Package Data Exchange, maintained by the Linux Foundation) and CycloneDX (maintained by OWASP). Both formats can be generated by open-source and commercial software composition analysis (SCA) tools integrated into the vendor's CI/CD pipeline.
For Tier 1 vendors that provide software you run in your environment (on-premises or self-hosted), add SBOM provision as a contractual requirement. The vendor must provide an SBOM in SPDX or CycloneDX format with each software release, and must notify you within a defined timeframe when a component in the SBOM has a newly disclosed critical vulnerability. This is increasingly a regulatory requirement (US Executive Order 14028 requires SBOMs for software sold to the federal government) and is becoming a standard commercial expectation for enterprise software procurement.
For SaaS vendors where you do not run the software yourself, SBOM provision is less actionable because you cannot patch the vendor's dependencies. What you can do is ask about the vendor's software composition analysis program: do they run SCA tools in their build pipeline, do they have a defined SLA for patching critical vulnerabilities in open-source dependencies, and do they have a vulnerability disclosure program. The answers distinguish vendors who actively manage their dependency risk from those who do not.
Fourth-Party Risk and Supply Chain Flow-Down
Your TPRM program manages your organization's direct vendor relationships. But your Tier 1 vendors have their own vendors, and a breach of one of those fourth parties can have the same impact on your organization as a breach of the vendor directly. Fourth-party risk is the hardest dimension of TPRM to manage because you have no direct relationship with the fourth party and limited visibility into who they are.
The contractual approach to fourth-party risk is flow-down requirements. Your vendor contracts should include a provision requiring the vendor to impose security obligations on their subprocessors that are at least as stringent as the obligations the vendor has to you. This creates a contractual chain from your organization to the vendor to the fourth party. In practice, enforcement is difficult; you cannot audit a fourth party whose identity you may not even know without the vendor's cooperation. But the contractual obligation creates accountability and a basis for remediation if a fourth-party breach occurs and you can show the vendor failed to impose adequate requirements on their subprocessor.
For the highest-criticality vendors, request an annual subprocessor list and review it for concentration risk. If three of your Tier 1 vendors all use the same cloud provider, the same CDN, or the same identity management tool, a compromise of that shared dependency creates simultaneous exposure across all three. This concentration risk is difficult to eliminate but important to understand for incident response planning.
Threat intelligence feeds that track supply chain compromises can provide early warning of fourth-party incidents. When a commonly used SaaS vendor, cloud provider, or software library discloses a breach or vulnerability, your TPRM program should have a mechanism to quickly assess which of your direct vendors use that component and what your downstream exposure is. This assessment capability requires maintaining the subprocessor lists and SBOM data described earlier; without them, the assessment is guesswork.
Vendor Incident Response Integration
When a critical vendor has a breach that potentially affects your organization, you need to respond faster and more effectively than you would if you were discovering the vendor relationship for the first time during the incident. Pre-defined playbooks and pre-exercised coordination processes make this possible.
The vendor incident response playbook should define: who is the first contact at your organization when a vendor breach notification arrives (typically the TPRM program owner, who escalates to CISO and legal), how quickly you initiate contact with the vendor to understand the scope, what the criteria are for invoking emergency vendor access isolation, who is authorized to isolate vendor access and how quickly it can be done, and what data and system access assessments need to be completed within the first 24 hours.
For Tier 1 vendors, maintain a documented map of the access they have: network access from what IP ranges, credentials stored in what systems, data stored in what locations, integrations with what internal systems via API or file transfer. This map should be in the incident response runbook, not in someone's head. When a breach notification arrives at 2am, the on-call engineer needs to be able to assess exposure and take containment action without waiting for a subject matter expert to come online.
Access isolation for vendor integrations should be a documented and tested procedure. If a critical SaaS vendor is compromised, can you revoke their API access tokens within 15 minutes? Can you block their IP ranges at the perimeter firewall? Can you disable the service account they use for data integration? Test these isolation procedures annually, because the integration points change as the vendor relationship evolves and the runbook may become stale.
TPRM Program Metrics That Show Real Risk Reduction
TPRM metrics must demonstrate real risk reduction, not process compliance. Metrics that show how many questionnaires were sent and returned are activity metrics. The metrics that matter show whether the program is actually reducing third-party risk exposure.
Vendor coverage rate by tier is the baseline measure: what percentage of Tier 1 vendors have a current (less than 12 months old) completed assessment, and what percentage of Tier 2 vendors have a current assessment. This metric should be close to 100 percent for Tier 1 and tracked against a defined target for Tier 2. Coverage rate below 80 percent for Tier 1 indicates the program does not have adequate capacity for its defined scope and the tier-1 vendor list should be audited for accuracy.
Mean time from vendor onboarding to assessment completion measures how quickly new vendor relationships are assessed. A long mean time (more than 60 days for Tier 1) indicates that vendor assessments are being bypassed during procurement and catching up retroactively. The program should be integrated into the procurement process so that Tier 1 vendor assessments are completed before the vendor is granted access to production systems.
Percentage of Tier 1 vendors with current SOC 2 Type II tracks whether your highest-risk vendors are maintaining their compliance posture. A vendor that had SOC 2 coverage last year but has not completed a new audit is a signal worth investigating; audits can lapse for many reasons, some of which are benign (audit timing change) and some of which are not (the vendor could not pass the audit).
Number of vendor security incidents per quarter tracks actual adverse events: breaches at vendors affecting your data, unauthorized access through vendor integrations, malicious code in vendor software. Tracking this metric requires a definition of what constitutes a reportable vendor security incident and a process for logging and reviewing them. Trends in this metric over time show whether the TPRM program is actually reducing the frequency of harmful vendor security events.
The bottom line
A TPRM program that consists of annual questionnaires is a liability, not an asset: it provides false confidence to leadership that vendor risk is managed while providing no actual protection against the third-party breaches that account for the majority of major security incidents. The program described in this guide requires meaningful investment in tiering, assessment capacity, monitoring tooling, and contractual negotiation. That investment is justified by the reduction in a risk category that has become the single most common source of serious data breaches for enterprise organizations. The question is not whether third-party risk management is worth investing in; the question is how long an organization will continue to pay for the theater version before investing in the real one.
Frequently asked questions
How do you prioritize TPRM assessment work when you have hundreds of vendors?
Apply the four-tier model rigorously and focus assessment resources on Tier 1 and Tier 2 vendors exclusively. Most organizations find that Tier 1 represents 5 to 10 percent of their vendor population and Tier 2 represents 15 to 20 percent. The remaining 70 to 80 percent of vendors are Tier 3 or Tier 4 and require minimal ongoing assessment effort. If your Tier 1 list has more than 20 to 30 vendors, it is likely miscategorized; challenge each Tier 1 classification against the access type and data sensitivity criteria. Over-classification of vendors as Tier 1 is one of the most common ways TPRM programs become unmanageable.
What contractual security clauses have the most practical impact in vendor agreements?
Ranked by practical impact: first, breach notification SLA with a defined timeframe (24 to 48 hours for Tier 1 vendors) and specific content requirements. Second, data deletion certification on termination with a defined timeline and written certification requirement. Third, subprocessor change notification, which gives you visibility into fourth-party risk changes. Fourth, the right to request and review security documentation (SOC 2, penetration test summaries) annually. Fifth, audit rights (even if limited to documentation review rather than on-site assessment). The breach notification clause has the highest immediate incident response value; the documentation review right has the highest ongoing assurance value.
What is the most effective tool for discovering shadow IT SaaS usage?
CASB/SSE tools (Netskope, Zscaler Internet Access, Microsoft Defender for Cloud Apps) provide the most comprehensive discovery when deployed as a proxy or with network visibility. If full CASB deployment is not feasible, a lighter approach is to analyze DNS query logs or proxy logs for domains associated with SaaS services, correlate against an SaaS domain database (many threat intelligence providers include SaaS domain categorization), and produce a usage frequency report. Identity providers (Okta, Entra ID) that use SSO also surface some shadow IT through federation logs, but only for applications that use SSO. Applications that employees access with locally stored credentials are invisible to SSO-based discovery.
How do you handle a vendor that refuses to share SOC 2 or penetration test results?
A Tier 1 vendor that refuses to provide any security documentation under NDA is itself a material risk signal. Document the refusal as a finding in your risk assessment. Escalate to legal to determine whether the contractual provisions allow for termination or renegotiation on these grounds. If the vendor relationship must continue despite the refusal, compensating controls become necessary: increased technical monitoring, enhanced access controls limiting the vendor's blast radius, more frequent questionnaire-based check-ins, and executive-level risk acceptance documentation. For new vendor relationships, make security documentation provision a condition of the contract rather than a post-signing request.
What is a Software Bill of Materials (SBOM) and why should it be required from software vendors?
An SBOM is a machine-readable inventory of all components (open-source libraries, commercial dependencies, frameworks) included in a software product. It enables you to quickly assess exposure when a vulnerability like Log4Shell is disclosed: instead of asking each vendor whether they are affected and waiting days for a response, you can query your SBOM database for any vendor software that includes the affected component version. SBOMs in SPDX or CycloneDX format can be generated by SCA tools in the vendor's CI/CD pipeline and should be provided with each software release for Tier 1 software vendors. Without SBOM data, software supply chain vulnerability response is reactive and slow.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
