# Third-Party and Supplier Risk Management

Backlink: [[Domain 1 - Index]]

**Definition:** Identifying, assessing, contracting, monitoring, and offboarding risks from vendors and the supply chain.

## Key Facts

- Due diligence: questionnaires, attestations (e.g., SOC reports), demos.
- Contracts: DPAs, SLAs, right-to-audit, breach notification, subprocessor controls.
- Continuous monitoring: scorecards, audits, KPIs/KRIs.
- Onboarding/offboarding: access provisioning and revocation.
- Supply chain: component provenance, updates, tamper risks.
- **Verify:** check the official (ISC)² CBK and the current exam outline.

>[!tip] **Exam Relevance**
>- Pick contract clauses that reduce risk
>- Choose monitoring for critical vendors

>[!note] **Mnemonic**
>- "Vet, Verify, Validate."

### Example

Q: Vendor refuses right-to-audit. Response?

A: Compensate with a third-party report, enhanced monitoring, or reject the vendor.

## Revision Checklist

- [ ] List 4 key contract clauses
- [ ] Describe due diligence artifacts
- [ ] Explain ongoing monitoring approach
- [ ] Include offboarding steps

## Related

[[Service Level Agreements and Contracts]] · [[Privacy Principles and Regulations]] · [[Risk Response Strategies]] · [[Compliance Frameworks and Audits (SOX, PCI DSS, SOC Reports)]] · [[Security Metrics, KPIs, and KRIs]]

#cissp #domain-1 #concept