Third-Party Risk Management Framework

The majority of businesses today deal with third-party vendors and service providers that are an essential part of their business ecosystem. But although third-party relationships are crucial to the success of any business, they come with a significant amount of risk that can cost an organization — in reputation, legal fees, and lost revenue.

That’s why any company should have third-party risk management as the fundamental part of their overall information security risk management process. It’s possible to decrease risk and boost overall security by implementing a third-party risk management framework that will provide your organization with shared standards for decision-making.

It will help you understand the risk you take with your vendors, suppliers, and contractors and limit your liability. Using comprehensive vendor risk management software like START will help you streamline vendor onboarding and assessment; transforming tedious manual work into automated processes and easily accessible insights.

There are different risk management frameworks, so it’s not easy to choose the right one to fit your vendor management policy. You should remember that some frameworks are designed for specific industries, and others are used in certain geographical areas. To help you make an informed decision, in this article, we’ll take a look at some of the most popular third-party risk management frameworks.

VSA Security Checklist

The VSA security checklist is a questionnaire created by Vendor Security Alliance (VSA), a coalition of companies committed to improving Internet security. Any company can use it to measure potential cybersecurity risks and evaluate potential vendors with a streamlined list of questions.

In fact, there are two free VSA questionnaires that are updated annually. VSA-Full is the classic VSA questionnaire that focuses deeply on vendor security and is used by thousands of companies globally. It was first published in 2016 and contains 8 sections:

  • Service Overview
  • Data Protection & Access Control
  • Policies & standards
  • Proactive Security
  • Reactive Security
  • Software Supply Chain
  • Customer Facing Application Security
  • Compliance

VSA-Core became first available in 2019 and includes the most critical questions on vendor security in addition to privacy. Although from a security perspective, it doesn’t go into the same depth as the VSA-Full questionnaire, it adds the Privacy section. The Privacy section covers both U.S. Privacy and E.U. Privacy, including:

  • U.S. data breach notification requirements
  • The California Consumer Privacy Act
  • The General Data Protection Regulation (GDPR)

VSA questionnaires were originally created for the VSA’s members, but now, any security team can use them to assess the security of vendors. You can use the VSA-Core questionnaire when you want to ensure your vendors have well-designed security and privacy operations, whereas the VSA-Full focuses solely on security.

NIST Compliance Checklist

The NIST Cybersecurity Framework (CSF) was released in 2014. This system is designed to help private companies identify, prevent, and respond to cyber risks. NIST CSF is widely considered to be the gold standard for building a cybersecurity program for organizations to use across industries.

The core material in this I.T. risk management framework is divided into five functions: identify, protect, detect, respond, and recover. Each of these functions is also divided into a total of 23 categories, and they are further broken down into cybersecurity outcomes and security controls.

NIST compliance is mandatory for federal agencies and their contractors. Typically, all contractors must comply with the NIST Cybersecurity Framework (CSF). Besides, most of them also need to comply with other NIST “special publications,” such as its NIST 800-53 standard for privacy and data security controls.

Defense contractors need to comply with CMMC, the Cybersecurity Maturity Model Certification that is largely based on NIST 800-171, a cybersecurity framework designed to help organizations that aren’t part of the U.S. federal government protect their sensitive information.

For private businesses, if they don’t bid on government contracts, compliance with NIST standards is voluntary. The NIST Voluntary Framework is for organizations of all sizes, sectors, and maturities. It consists of standards, guidelines, and best practices to better manage and reduce cybersecurity risk. It is made of 3 main components (the Core, Implementation Tiers, and Profiles). This framework can be customized for use by any organization to create the NIST compliance checklist.

ISO 27001 Compliance Checklist

ISO is one of the most widely used vendor risk management frameworks. Certification to ISO/IEC 27001 is usually not obligatory, unless your large clients demand it of you. Still, any organization with sensitive information, whether for-profit or nonprofit, small business or corporate, can find adherence to ISO 27001 useful. This popular international standard was developed by ISO, the International Organization for Standardization. It defines the requirements of an information security management system (ISMS). It addresses each of the three pillars of information security: people, processes, and technology.

ISO standards are internationally agreed upon by experts and are created by people who use them. However, ISO doesn’t perform certification or conformity assessment. Companies that want to demonstrate good security practices and obtain an independent opinion about their security posture need to contact an external certification body.

ISO 27001 requires organizations to identify information security risks and select appropriate controls to tackle them. The controls are outlined in Annex A of the Standard. There are 114 controls, and they are divided into 14 categories. You can create the ISO 27001 compliance checklist to address the 14 required compliance sections of the ISO 27001 information security standard when assessing your vendors.

CCPA Compliance Checklist

The California Consumer Privacy Act of 2018 (CCPA) is a data privacy law that protects a wide range of privacy rights for California residents. It can be seen as California’s version of the E.U. General Data Protection Regulation (GDPR). Yet CCPA guidelines are easier to adopt than the lengthy requirements of the GDPR. CCPA can apply to any business that collects any personal information from California consumers regardless of the headquarters of the business itself. The exceptions are nonprofit organizations or government agencies.

Businesses that collect, store, share, and use the information of California citizens must meet the requirements of the CCPA compliance checklist. It primarily addresses four areas: access to information, user control, protection of user data, and non-discrimination.

So what does the CCPA mean for vendor risk management? Businesses that deal with suppliers and vendors that are service providers need to make sure that such providers protect their consumers’ personal information privacy. But it’s not enough. Businesses should also oversee their service providers’ own providers and ensure that fourth and even fifth parties keep personal information safe.


An effective third-party risk management framework can safeguard a company’s clients, employees, intellectual property, and the strength of its business operations. The choice of a framework should be based on the company’s specific needs, its structure, and risk profiles. In some cases, it may make sense to use more than one third-party risk management framework.

Suggested For You

6 Ways to Streamline Remediation Efforts with Start

Achieving third-party compliance as part of your Third-Party Risk Management (TPRM) program is never an easy feat. Many companies have standards that they hold their third-party partners to, however it can often be a challenge to get those third-parties to make the compliance changes required in order to do business. In this article, we outline […]

5 Challenges of Third-Party Risk Management and How to Overcome Them in 2024

In the course of performing security assessments for our clients, we came to the realization that many were struggling with the sheer volume of assessments they were being asked to perform. More assessments means more data, and handling a lot of data at once that lives between spreadsheets and emails can be chaotic and leads […]

person reviewing documents

Vendor Relationship Management: 5 Ways To Involve Stakeholders

Are you struggling to coordinate efforts between the security team and business stakeholders? Vendor relationship management is a crucial component in the assessment process. Business units see security teams as red tape, causing delays and getting in the way of business overall. Yet, business stakeholders are often essential to helping security teams move swiftly and […]

To top