# Third-Party Risk Management (TPRM)

One-sentence definition: Processes to identify, assess, mitigate, and monitor risks from vendors and service providers.

## Key Facts

- Lifecycle: due diligence → contracting → onboarding → monitoring → offboarding.
- Due diligence: questionnaires, audits, SOC/ISO evidence, pen test summaries.
- Contract controls: SLAs, security addendums, breach notification, right-to-audit.
- Ongoing: issue tracking, metrics, reassessment on changes/incidents.
- Include 4th-party (subprocessor) transparency where possible.
- **Verify:** check official (ISC)² CBK and current exam outline.

## Exam Relevance

- Choose controls to manage vendor-hosted data risk.

**Mnemonic:** “**D-COM**” → Due diligence, Contract, Onboard, Monitor.

## Mini Scenario

Q: SaaS vendor rejects right-to-audit. Mitigation?

A: Accept equivalent attestations (SOC 2), enhanced SLAs, or choose an alternate vendor.

## Revision Checklist

- Name 3 due diligence artifacts.
- List 3 key contract terms.
- Describe a monitoring activity.

## Related

[[Supply Chain Risk Management (SCRM)]] · [[Contracts, SLAs, OLAs, MOUs]] · [[Cyber Insurance and Risk Financing]] · [[Compliance and Regulatory Concepts]] · [[Risk Register and Reporting]] · [[Domain 1 - Index]]