Page Moved

This page has moved. You are being redirected to Third-Party Risk Management Framework

Third-Party Risk Management Framework

Third-Party Risk Management Framework

The majority of businesses today deal with third-party vendors and service providers that are an essential part of their business ecosystem. But although third-party relationships are crucial to the success of any business, they come with a significant amount of risk that can cost an organization — in reputation, legal fees, and lost revenue.

That's why any company should have third-party risk management as the fundamental part of their overall information security risk management process. It's possible to decrease risk and boost overall security by implementing a third-party risk management framework that will provide your organization with shared standards for decision-making.

It will help you understand the risk you take with your vendors, suppliers, and contractors and limit your liability. Using comprehensive vendor risk management software like START will help you streamline vendor onboarding and assessment; transforming tedious manual work into automated processes and easily accessible insights.

There are different risk management frameworks, so it's not easy to choose the right one to fit your vendor management policy. You should remember that some frameworks are designed for specific industries, and others are used in certain geographical areas. To help you make an informed decision, in this article, we'll take a look at some of the most popular third-party risk management frameworks.

VSA Security Checklist

The VSA security checklist is a questionnaire created by Vendor Security Alliance (VSA), a coalition of companies committed to improving Internet security. Any company can use it to measure potential cybersecurity risks and evaluate potential vendors with a streamlined list of questions.

In fact, there are two free VSA questionnaires that are updated annually. VSA-Full is the classic VSA questionnaire that focuses deeply on vendor security and is used by thousands of companies globally. It was first published in 2016 and contains 8 sections:

  • Service Overview
  • Data Protection & Access Control
  • Policies & standards
  • Proactive Security
  • Reactive Security
  • Software Supply Chain
  • Customer Facing Application Security
  • Compliance

VSA-Core became first available in 2019 and includes the most critical questions on vendor security in addition to privacy. Although from a security perspective, it doesn't go into the same depth as the VSA-Full questionnaire, it adds the Privacy section. The Privacy section covers both U.S. Privacy and E.U. Privacy, including:

  • U.S. data breach notification requirements
  • The California Consumer Privacy Act
  • The General Data Protection Regulation (GDPR)

VSA questionnaires were originally created for the VSA's members, but now, any security team can use them to assess the security of vendors. You can use the VSA-Core questionnaire when you want to ensure your vendors have well-designed security and privacy operations, whereas the VSA-Full focuses solely on security.

NIST Compliance Checklist

The NIST Cybersecurity Framework (CSF) was released in 2014. This system is designed to help private companies identify, prevent, and respond to cyber risks. NIST CSF is widely considered to be the gold standard for building a cybersecurity program for organizations to use across industries.

The core material in this I.T. risk management framework is divided into five functions: identify, protect, detect, respond, and recover. Each of these functions is also divided into a total of 23 categories, and they are further broken down into cybersecurity outcomes and security controls.

NIST compliance is mandatory for federal agencies and their contractors. Typically, all contractors must comply with the NIST Cybersecurity Framework (CSF). Besides, most of them also need to comply with other NIST "special publications," such as its NIST 800-53 standard for privacy and data security controls.

Defense contractors need to comply with CMMC, the Cybersecurity Maturity Model Certification that is largely based on NIST 800-171, a cybersecurity framework designed to help organizations that aren't part of the U.S. federal government protect their sensitive information.

For private businesses, if they don't bid on government contracts, compliance with NIST standards is voluntary. The NIST Voluntary Framework is for organizations of all sizes, sectors, and maturities. It consists of standards, guidelines, and best practices to better manage and reduce cybersecurity risk. It is made of 3 main components (the Core, Implementation Tiers, and Profiles). This framework can be customized for use by any organization to create the NIST compliance checklist.

It's important to manage third-party risk intelligently, so you should consider using a VRM tool like START that automates parts of the process. With START, you'll be able to protect your company from third-party data breaches and reduce the amount of administrative time and effort spent on vendor risk management.

Book your demo today!

ISO 27001 Compliance Checklist

ISO is one of the most widely used vendor risk management frameworks. Certification to ISO/IEC 27001 is usually not obligatory, unless your large clients demand it of you. Still, any organization with sensitive information, whether for-profit or nonprofit, small business or corporate, can find adherence to ISO 27001 useful. This popular international standard was developed by ISO, the International Organization for Standardization. It defines the requirements of an information security management system (ISMS). It addresses each of the three pillars of information security: people, processes, and technology.

ISO standards are internationally agreed upon by experts and are created by people who use them. But ISO doesn't perform certification or conformity assessment. Companies that want to demonstrate good security practices and obtain an independent opinion about their security posture need to contact an external certification body.

ISO 27001 requires organizations to identify information security risks and select appropriate controls to tackle them. The controls are outlined in Annex A of the Standard. There are 114 controls, and they are divided into 14 categories. You can create the ISO 27001 compliance checklist to address the 14 required compliance sections of the ISO 27001 information security standard when assessing your vendors.

CCPA Compliance Checklist

The California Consumer Privacy Act of 2018 (CCPA) is a data privacy law that protects a wide range of privacy rights for California residents. It can be seen as California's version of the E.U. General Data Protection Regulation (GDPR). Yet CCPA guidelines are easier to adopt than the lengthy requirements of the GDPR. CCPA can apply to any business that collects any personal information from California consumers regardless of the headquarters of the business itself. The exceptions are nonprofit organizations or government agencies.

Businesses that collect, store, share, and use the information of California citizens must meet the requirements of the CCPA compliance checklist. It primarily addresses four areas: access to information, user control, protection of user data, and non-discrimination.

So what does the CCPA mean for vendor risk management? Businesses that deal with suppliers and vendors that are service providers need to make sure that such providers protect their consumers' personal information privacy. But it's not enough. Businesses should also oversee their service providers' own providers and ensure that fourth and even fifth parties keep personal information safe.


An effective third-party risk management framework can safeguard a company's clients, employees, intellectual property, and the strength of its business operations. The choice of a framework should be based on the companies' specific needs, its structure, and risk profiles. In some cases, it may make sense to use more than one third-party risk management framework.