What is TPRM?
TPRM, or third-party risk management, refers to the set of processes through which an organization assesses and controls the risks introduced by the external entities it works with: software vendors, hosting providers, subcontractors, payment processors, partner firms and any other third party with access to its systems, data or premises.
Every third party extends the organization's attack surface. A weakness at a supplier can become yours, without any internal mistake on your part.
Why it matters for your organization
A growing share of major incidents originates with a third party rather than within the victim's direct perimeter. Attackers deliberately target the least protected suppliers to reach their customers downstream.
TPRM is not only a security requirement; it is also a growing regulatory obligation. NIS2, DORA and many frameworks now explicitly require assessing and governing supplier risk.
The components of a TPRM program
- Third-party inventory: catalog every supplier and what they have access to.
- Criticality classification: rank by the impact of a failure or compromise.
- Due diligence: assess security posture before onboarding (questionnaires, evidence, certifications).
- Contractual clauses: incident notification, right to audit, security requirements, exit terms.
- Continuous monitoring: track external posture and risk signals throughout the relationship, not just at onboarding.
- Exit plan: provide for data return and service termination when the relationship ends.
Where organizations most often fall short
The classic trap is treating TPRM as a procurement formality: a questionnaire filled out once and never revisited. The third-party vulnerabilities that matter are often invisible to questionnaires: undeclared software dependencies, residual access, suppliers of suppliers. A mature program moves from point-in-time assessment to continuous monitoring.