Building a Third-Party Risk Management Checklist

March 29, 2022 | By IANS Faculty

As more organizations experience disastrous data breaches and supply chain attacks, third-party risk has emerged as a leading cause of information security breaches. 

To better plan and prepare for cybersecurity incidents, build a third-party risk management checklist based on recommendations and best practices for your organization.

What are Your Third-Party Risks? 

For successful third-party risk management, it's important to review previous security incidents within the organization, especially in higher-risk departments such as finance and IT. This helps you begin to build a clear plan outlining how your organization identifies and addresses third-party risk across all third parties. 

Identify Risks

The first step in third-party risk management is identifying the risks associated with third-party data usage, including confidential data like customer information, corporate financials and intellectual property. Think about any internal information third parties can access, from business bank accounts to customer contact details and network systems.

Quantify Risks 

Once the main third-party risks are identified, quantify them by organizational area. By understanding the level of inherent risk before controls are implemented, you can improve your risk management and screening process for both new and existing third parties. With your risks firmly identified and quantified, your organization is ready to create and follow a best practices checklist for third-party risk management. 

Third-Party Risk Management Checklist 

1. Assess the Current Process for Third-Party Risk Management   

Review the current vetting process for bringing on new third parties, as well as those risk management practices already in place. From there, you can focus resources on the most at-risk areas. 

2. Document/Verify All Current Known vs. Unknown Third Parties—Vendors/Suppliers/Partners   

Update your vendor lists and check old contracts to understand all the third parties you're working with or who may have access to confidential business information. 

3. Evaluate New vs. Existing Vendors—Don’t Assume Anything 

After developing a list of third parties across all departments, outline any gaps left by existing vendors to understand what you need in terms of new partners and suppliers. Ask questions about their current privilege levels because you may need to set stricter boundaries on what information they can and cannot see. 

4. Prioritize Third Parties in Order of Risk 

Take the time to evaluate which vendors are riskier than others. Calculate each third party's risk from the probability of a data breach weighed against the cost of a data breach. From there, assign a low, medium or high risk rating.

5. Review Fourth-Party Vendor Relationships

Ask third-party vendors for details on the fourth-party vendors they work with. You need to know what your vendor does with your information and who they share it with, because the risk goes up when fourth parties are involved.  

6. Create Checklists/Questionnaires

Moving forward, build a detailed questionnaire for all third parties, including details on how much of your data they have access to, how they store it, and any history of compromised data or security incidents.

7. Perform Screening, Onboarding, Diligence

When partnering with new third parties, you should have a clear screening and onboarding process to confirm how much data and infrastructure access they need and how they plan to protect your private information and intellectual property. 

8. Assess Organizational Roles, Responsibilities and Manpower Allocated 

Whether it's a vendor, partner, contractor or supplier, all third parties should be assigned the appropriate access level—nothing more and nothing less. There's no reason to provide confidential information and security access when it's not necessary. 

9. Adopt Platform Automation 

Use automation to streamline third-party risk management activities and ensure all outside vendors are appropriately reviewed and documented. 

10. Collect Vendor Data 

Take advantage of automated tools to gather vendor data for a comprehensive view of risk areas. Use what you know about the vendor and any recent data breaches to make informed decisions about the future of your partnerships. 

11. Monitor Third-Party Performance Activities 

Ongoing monitoring provides insights into how a third party is performing and whether the risk is worth the reward. This monitoring may inform your decision to either stay with a current vendor or partner with a new provider instead. 

12. Report Standardized Metrics—Monthly, Quarterly, Yearly

Prioritize regular metrics reports to evaluate the resources used for risk assessments and how many third parties are categorized as high risk. 

13. Report Metrics to Leadership 

Provide details on possible risk exposure to business area leadership in your organization, so you can work together to decide how to best approach third-party relationships while effectively managing cybersecurity risks. 

Proactively Manage Third-Party Risk 

Third-party risk will continue to be a major source of data breaches and cyberattacks, so a comprehensive third-party risk management structure is key to reducing organizational risk. 

When working with all third parties, it's crucial to identify and quantify risks so you better understand where any additional risks or organizational vulnerabilities lie. 

As part of your best practices checklist for third-party risk management, remember to document all communications and relationships between your business and third parties. 

Prioritize stronger screening and onboarding, automate where you can, and establish regular monitoring and metrics reports to promote a higher level of risk management for third parties. 

The more you invest in third-party risk management by dedicating the appropriate time and resources to both existing and new third-party relationships, the better you can protect your organization from potential cybersecurity threats. 
