FortaRisks

Third-party risk management assessment

Gauge the maturity of your third-party risk management program, and leave with your priorities.

≈ 5 minutes · no sign-up

A vendor questionnaire is not enough. Answer the 18 statements below based on your real situation: your score and priorities are computed instantly in your browser, no answer is stored, and nothing is sent anywhere.


1. Third-party inventory

You keep an up-to-date inventory of all your third parties.

You know which data and systems each third party touches.

Each third party has an identified internal owner.

2. Tiering

You classify third parties by the impact a compromise would have.

Each third party is given a risk rating.

Assessment effort is proportional to criticality.

3. Assessment and evidence

You assess third-party security beyond a self-reported questionnaire.

You rely on external evidence (attack surface, incidents, ratings).

You take third-party certifications into account (SOC 2, ISO 27001).

4. Contracts

Your contracts include security requirements.

Your contracts require notification of incidents and breaches.

You have an audit right and clear exit terms.

5. Continuous monitoring

You monitor third-party security posture continuously.

Third parties are reassessed by criticality, not only at onboarding.

You account for fourth-party and concentration risk.

6. Lifecycle

Onboarding a third party follows a defined due-diligence process.

You know how to respond to an incident affecting a third party.

When a relationship ends, access is revoked and data recovered or destroyed.
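The inventory, tiering, reassessment-by-criticality and concentration statements above (sections 1, 2 and 5) describe a small amount of logic that is easy to get wrong when it only lives in a spreadsheet. The following Python sketch is an added example written for this page, not part of the FortaRisks tool: it keeps a minimal vendor inventory, derives a tier from the impact a compromise would have, decides whether a vendor is overdue for reassessment based on that tier, and flags fourth parties shared by several vendors. The vendor and provider names, the scoring weights, the tier thresholds and the review cadences are all assumptions made for the example.

```python
"""Added example: a minimal third-party inventory with impact-based tiering,
a reassessment cadence tied to the tier, and a fourth-party concentration
check. Vendor names, weights, thresholds and cadences below are assumptions
made for the example, not values from the assessment."""
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta

# Ordinal scales (assumed): higher means a compromise of the vendor hurts more.
DATA_SENSITIVITY = {"public": 0, "internal": 1, "confidential": 2, "regulated": 3}
ACCESS_LEVEL = {"none": 0, "read": 1, "write": 2, "privileged": 3}

# Reassessment cadence per tier in days (assumed): effort follows criticality.
REASSESS_DAYS = {"critical": 90, "high": 180, "medium": 365, "low": 730}


@dataclass(frozen=True)
class Vendor:
    name: str
    owner: str | None                     # internal owner; None is an inventory gap
    data: str                             # most sensitive data class the vendor touches
    access: str                           # level of access into our systems
    business_critical: bool               # an outage would halt a core process
    last_assessed: date
    fourth_parties: tuple[str, ...] = ()  # the vendor's own key providers


def impact_score(v: Vendor) -> int:
    """Impact of a compromise: data sensitivity + system access, +2 if business critical."""
    return DATA_SENSITIVITY[v.data] + ACCESS_LEVEL[v.access] + (2 if v.business_critical else 0)


def tier(v: Vendor) -> str:
    """Map the impact score to a tier (thresholds are assumptions)."""
    s = impact_score(v)
    if s >= 6:
        return "critical"
    if s >= 4:
        return "high"
    if s >= 2:
        return "medium"
    return "low"


def reassessment_due(v: Vendor, today: date) -> bool:
    """True when the last assessment is at least as old as the tier's cadence."""
    return today - v.last_assessed >= timedelta(days=REASSESS_DAYS[tier(v)])


def inventory_gaps(vendors: list[Vendor]) -> list[str]:
    """Vendors without an internal owner: nobody can answer for them in an incident."""
    return [v.name for v in vendors if v.owner is None]


def shared_fourth_parties(vendors: list[Vendor], min_count: int = 2) -> dict[str, int]:
    """Fourth parties relied on by at least min_count vendors (concentration risk)."""
    counts = Counter(fp for v in vendors for fp in set(v.fourth_parties))
    return {fp: n for fp, n in counts.items() if n >= min_count}


def review_plan(vendors: list[Vendor], today: date) -> dict[str, tuple[str, bool]]:
    """Per vendor: (tier, reassessment due?) so effort goes where criticality is."""
    return {v.name: (tier(v), reassessment_due(v, today)) for v in vendors}


# Constructed sample inventory (hypothetical vendors and providers).
VENDORS = [
    Vendor("PayrollCo", "finance-ops", "regulated", "write", True,
           date(2024, 1, 10), ("CloudHostA", "MailRelayB")),
    Vendor("DesignTool", "marketing", "internal", "read", False,
           date(2023, 6, 1), ("CloudHostA",)),
    Vendor("OfficeCoffee", None, "public", "none", False, date(2022, 3, 5)),
    Vendor("LogPipeline", "secops", "confidential", "privileged", True,
           date(2024, 3, 1), ("CloudHostA", "CloudHostC")),
]
TODAY = date(2024, 5, 1)  # fixed "today" so the sample output is reproducible

if __name__ == "__main__":
    for name, (t, due) in review_plan(VENDORS, TODAY).items():
        print(f"{name:12} tier={t:8} reassessment due={due}")
    print("inventory gaps:", inventory_gaps(VENDORS))
    print("shared fourth parties:", shared_fourth_parties(VENDORS))
```

Run as a script it prints one line per vendor. On the constructed data both PayrollCo and LogPipeline land in the critical tier, but only PayrollCo is overdue at its 90-day cadence, the unowned OfficeCoffee shows up as an inventory gap, and CloudHostA is flagged because three of the four vendors depend on it. The point of scoring before scheduling is the one section 2 makes: the review cadence and the depth of evidence should fall out of the tier, not be chosen per vendor by hand.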


FAQ

What is third-party risk management?

Third-party risk management (TPRM) is the set of practices to identify, assess and monitor the risks introduced by your suppliers, providers and partners.

Why does it matter?

A growing share of incidents comes from third parties. Your vendors extend your attack surface to systems you do not directly control.

Isn't a questionnaire enough?

No. A questionnaire is self-reported and quickly stale. It must be combined with external evidence and continuous monitoring.

What is fourth-party risk?

Your third parties have their own third parties (your fourth parties). When many of your vendors depend on the same few providers, a single outage or breach at one of them can expose you through several vendors at once, without you having any direct visibility into that provider.

Is this assessment a full program?

No. It is a starting point to gauge your maturity and prioritize your actions, not a full program.