Third Party Risk Management Maturity Model
Published v1.0 Aug 15, 2024
Columns: General Category; Subcategory; Level 1 through Level 6; References.

Level 1: Incomplete. Characterized by the non-existence of third-party risk management.

Level 2: Performed (Ad Hoc). Characterized by limited awareness, a lack of documentation and a generally reactive approach to third-party risk management.

Level 3: Managed. Characterized by basic policies and procedures and limited monitoring activities.

Level 4: Established. Characterized by TPRM processes being formalized, documented and enforced. TPRM processes include some level of continuous monitoring and responsiveness to changes.

Level 5: Predictable. Characterized by TPRM processes being formalized and documented, and supported through the use of technologies, data and continuous monitoring. Policies, processes and risk management activities are responsive to threat, risk, regulatory and other business changes, if not consistently in a timely manner.

Level 6: Optimized. Characterized by TPRM processes being formalized, documented, responsive to business and risk environment changes, and supported through the use of technologies, data and continuous monitoring. Policies, processes and risk management activities are responsive to threat, risk, regulatory and other business changes.

References: Have suggested additional references? Send them to us at info@locktivity.com
5
LIFECYCLE

Governance: Program Management

- Policies and procedures
- Responsible parties
- Competency & training
- Tools & monitoring
Level 1 (Incomplete): There is no formalized third-party risk management program.

Level 2 (Performed, Ad Hoc): There is a general awareness of the risks and responsibilities for third-party risk management, though responsibilities are not formally assigned and risk management activities are conducted on an ad hoc basis. The use of tools and data to inform risk assessment and ongoing monitoring procedures is

Level 3 (Managed): Basic policies and procedures are in place. Responsibility for third-party risk management is assigned, while procedures for risk management activities may be inconsistent and roles and responsibilities for execution of those activities may not be formally assigned. Procedures may not be mature, and spreadsheets are likely used over advanced technologies.

Level 4 (Established): Third-party risk management (TPRM) policies are formalized and documented, with clearly defined roles and responsibilities communicated to responsible parties. Procedures are in place to ensure compliance with these policies, and responsible parties possess the necessary knowledge, skills, and training. Tools are used to support the efficiency and effectiveness of the TPRM program, while processes are not optimized, and there remain some gaps in consistency of process and a lack of completeness in visibility into program effectiveness, inventories, and risks.

Level 5 (Predictable): Third-party risk management (TPRM) policies are formalized and documented, with clearly defined roles and responsibilities communicated to responsible parties. Procedures are in place to ensure compliance with these policies, and responsible parties and stakeholders possess the necessary knowledge, skills, and training. Risk acceptance standards are defined, documented, and communicated. The organization reassesses policies and procedures, including risk acceptance standards, for effectiveness on at least an annual basis. Standards and risk tolerance are enabled by appropriate data insights, and procedures are supported by effective technologies. The use of data and technologies effectively reduces gaps in process and inefficiencies and provides visibility into inventories, risk and risk management activities.

Level 6 (Optimized): Third-party risk management (TPRM) policies are optimized and responsive to business and risk environment changes, including regulatory changes, with clearly defined roles and responsibilities communicated to responsible parties. Procedures are in place to ensure compliance with these policies, and responsible parties and stakeholders possess the necessary knowledge, skills, and training. Risk acceptance standards are defined, documented, and communicated. The organization reassesses policies, procedures, and risk acceptance standards for effectiveness upon significant changes and on a periodic basis. The third-party risk management program is enabled by appropriate data insights, procedures and technologies that are selected and evaluated based on program and business needs on a periodic basis. The use of data and technologies effectively reduces gaps in process and inefficiencies and provides visibility into inventories, risk and risk management activities.

References: https://nvlpubs.nist.gov/nistpubs/ai/NIST.AI.100-1.pdf - Govern 6.1

ISO 27001

CC1.1 COSO Principle 1: The entity demonstrates a commitment to integrity and ethical values.
CC9.2 The entity assesses and manages risks associated with vendors and business partners.


HIPAA: § 164.316 Policies and procedures and documentation requirements. A covered entity or business associate must, in accordance with § 164.306:
(a) Standard: Policies and procedures. Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart, taking into account those factors specified in § 164.306(b)(2)(i), (ii), (iii), and (iv). This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirements of this subpart. A covered entity or business associate may change its policies and procedures at any time, provided that the changes are documented and are implemented in accordance with this subpart.
(b)(1) Standard: Documentation. (i) Maintain the policies and procedures implemented to comply with this subpart in written (which may be electronic) form; and (ii) If an action, activity or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment.
(2) Standard: Assigned security responsibility. Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart for the covered entity or business associate.

NIST 800-53: PM-30 Supply Chain Risk Management Strategy "a. Develop an organization-wide strategy for managing supply chain risks associated with the development, acquisition, maintenance, and disposal of systems, system components, and system services;
b. Implement the supply chain risk management strategy consistently across the organization; and
c. Review and update the supply chain risk management strategy on [Assignment: organization-defined frequency] or as required, to address organizational changes."

NIST 800-53: SR-3 Supply Chain Controls and Processes "a. Establish a process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of [Assignment: organization-defined system or system component] in coordination with [Assignment: organization-defined supply chain personnel];
b. Employ the following controls to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events: [Assignment: organization-defined supply chain controls]; and
c. Document the selected and implemented supply chain processes and controls in [Selection: security and privacy plans; supply chain risk management plan; [Assignment: organization-defined document]]."
Oversight
- Reporting
- Support
- Expectations
- Risk tolerance
Level 1 (Incomplete): Third-party risk management is not addressed by leadership.

Level 2 (Performed, Ad Hoc): Leadership occasionally acknowledges the importance of third-party risk management but does not provide consistent support or resources. Efforts are driven by individual stakeholders without a unified approach.

Level 3 (Managed): Leadership recognizes the importance of third-party risk management and allocates some resources towards it. There is a designated leader or team responsible for third-party risk, and efforts are becoming more structured and consistent. Leadership exercises some oversight of the third-party risk management program with periodic reviews and updates. Leadership may provide some objectives for the program; however, risk tolerance may be ill-defined and rely on individual judgement.

Level 4 (Established): Leadership actively supports third-party risk management with clear policies, dedicated resources, and a defined budget. There is regular communication from leadership emphasizing the importance of third-party risk management, and the program is well-integrated into the organization's overall risk management strategy. Risk tolerance standards are defined, documented, and communicated.

Level 5 (Predictable): Leadership actively supports third-party risk management with clear policies, dedicated resources, and a defined budget. There is regular communication from leadership emphasizing the importance of third-party risk management, and the program is well-integrated into the organization's overall risk management strategy. Risk tolerance standards, program objectives and success measures are clearly defined, aligned with business objectives, and communicated. Metrics for the performance of the program against these standards are established, consistently tracked, reported, and monitored by senior leadership and applicable stakeholders.

Level 6 (Optimized): Leadership promotes third-party risk management by dedicating sufficient resources for program optimization and actively overseeing the program through regular performance monitoring. Risk acceptance standards are documented and communicated, and senior leadership oversees the program through defined review processes and schedules. Objectives and success measures are informed by robust data, with impactful tools supporting performance tracking. A culture of continuous improvement is fostered, and the program is supported through the use of comprehensive data and advanced tools to optimize the program and ensure its effectiveness and alignment with strategic goals.

References: NIST 800-53: PM-30 Supply Chain Risk Management Strategy "a. Develop an organization-wide strategy for managing supply chain risks associated with the development, acquisition, maintenance, and disposal of systems, system components, and system services;
b. Implement the supply chain risk management strategy consistently across the organization; and
c. Review and update the supply chain risk management strategy on [Assignment: organization-defined frequency] or as required, to address organizational changes."
Third-party Inventory/Repository

Accurate inventory/repository:

- Selection
- Discovery
- Termination
Level 1 (Incomplete): No policies, procedures, or standard practices for third-party selection, discovery, or offboarding exist.

Level 2 (Performed, Ad Hoc): Third-party selection is informally delegated, with no formal policies or procedures. Employees can sign up for services on an ad hoc basis. IT or other responsible parties track third parties informally, lacking formal auditing or monitoring to validate inventories. Third-party offboarding is ad hoc, leading to inconsistent procedures and some inactive accounts remaining active.

Level 3 (Managed): Third-party selection is formally delegated to assigned responsible parties, with defined policies and procedures. Selection processes consider business objectives and risks. Manual assessments, such as staff surveys, are conducted to verify inventory accuracy. Policies and procedures for third-party termination are defined, though compliance depends on stakeholder engagement.

Level 4 (Established): Policies and procedures formally assign responsibilities for vendor selection and onboarding, and define terms for the selection and engagement of new third parties with consideration of business objectives. Regular manual inventory assessments are supported by automated monitoring tools, though full coverage is not achieved. Policies and procedures for third-party termination are defined, enforced, and centrally monitored.

Level 5 (Predictable): Policies and procedures formally assign responsibilities for vendor selection and onboarding, and consider business needs, objectives, and risks. The engagement of new third parties follows defined policies and procedures, including engagement of and approvals by appropriate stakeholders, with regular manual inventory assessments supported by comprehensive automated monitoring tools. Third-party termination procedures are defined, enforced, centrally monitored, reliable, and reviewed on a defined cadence for necessary updates.

Level 6 (Optimized): Policies and procedures formally assign responsibilities for vendor selection and onboarding, and consider business needs, objectives, and risks. The engagement of new third parties follows defined policies and procedures, including engagement of and approvals by appropriate stakeholders, with regular manual inventory assessments supported by comprehensive automated monitoring tools. Third-party termination procedures are defined, enforced, centrally monitored, reliable, and reviewed for necessary updates on a cadence defined by business needs.

References: NIST 800-53: SR-5 Acquisition Strategies, Tools, and Methods Employ the following acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks: [Assignment: organization-defined acquisition strategies, contract tools, and procurement methods].
https://gdpr-info.eu/
https://www.sec.gov/files/rules/final/2024/34-100155.pdf
https://www.iso.org/standard/27001
https://www.aicpa-cima.com/resources/download/2017-trust-services-criteria-with-revised-points-of-focus-2022
https://www.tprassociation.org/guidebook
https://www.hhs.gov/hipaa/for-professionals/privacy/index.html
CBI
FCA
CFPB
Risk Identification: Risk Assessment
- Inherent Risk
- Business impact
- 4th & Nth parties
Level 1 (Incomplete): Risk assessments are not conducted.

Level 2 (Performed, Ad Hoc): Risk assessments are informally executed on an ad hoc basis. Internal controls may inform risk level determinations.

Level 3 (Managed): Policies require that risk assessments are conducted upon vendor onboarding. Responsibilities for risk assessment execution are assigned and communicated. Risk leveling generally considers business impact and existing internal controls.

Level 4 (Established): Policies and procedures define the requirements for risk assessments of new and existing third parties. Responsibilities are assigned, and risk assessments are performed both as part of onboarding and on a periodic basis. Risk leveling considers business impact and existing internal controls.

Level 5 (Predictable): Policies and procedures define the requirements for risk assessments of new and existing third parties. Responsibilities are assigned, and risk assessments are performed both as part of onboarding and on a periodic basis. New engagements with third parties are subject to risk assessments. Risk leveling considers business impact and existing internal controls. Risk assessments are supported by pertinent technologies and data.

Level 6 (Optimized): Policies and procedures define the requirements for risk assessments of new and existing third parties. Risk assessments are informed by the organization's risk tolerance standards; responsibilities are assigned, and risk assessments are performed both as part of onboarding and on a periodic basis. New engagements or other changes to third-party services or products are subject to risk assessments. Risk assessments are supported by pertinent technologies and data.

References: Cybersecurity and Third-Party Risk: Third-Party Threat Hunting
https://www.tprassociation.org/guidebook

DORA Article 28: financial entities' management of ICT third-party risk shall be implemented in light of the principle of proportionality, taking into account:
(i) the nature, scale, complexity and importance of ICT-related dependencies,
(ii) the risks arising from contractual arrangements on the use of ICT services concluded with ICT third-party service providers, taking into account the criticality or importance of the respective service, process or function, and the potential impact on the continuity and availability of financial services and activities, at individual and at group level.

ISO 27001

CC3.2 COSO Principle 7: The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
CC9.2 The entity assesses and manages risks associated with vendors and business partners.

HIPAA: (8) Standard: Evaluation. Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and, subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which a covered entity's or business associate's security policies and procedures meet the requirements of this subpart.

NIST 800-53: PM-30(1) Supply Chain Risk Management Strategy | Suppliers of Critical or Mission-essential Items Identify, prioritize, and assess suppliers of critical or mission-essential technologies, products, and services.

NIST 800-53: SC-38 Operations Security Employ the following operations security controls to protect key organizational information throughout the system development life cycle: [Assignment: organization-defined operations security controls].
Due Diligence
- Residual Risk
Level 1 (Incomplete): Due diligence is not performed.

Level 2 (Performed, Ad Hoc): Due diligence is sometimes performed prior to third-party selection.

Level 3 (Managed): Due diligence is performed prior to onboarding of all high and critical risk third parties.

Level 4 (Established): Due diligence is performed prior to onboarding and on a periodic basis as informed by business objectives and risk tolerance, including security and privacy risks and legal obligations.

Level 5 (Predictable): Due diligence is performed prior to onboarding, on a periodic basis, and upon significant changes to the engagements or services provided by the third party. Due diligence processes are scoped based on the third party's services and impact to the business and are informed by the business's risk tolerance, including security and privacy risks and legal obligations. Procedures for the identification of changes to engagements or services are in place.

Level 6 (Optimized): Due diligence is performed prior to onboarding and on a periodic basis as informed by business needs and risks. Due diligence processes are scoped based on the third party's services and impact to the business and are informed by the business's risk tolerance, including security and privacy risks and legal obligations. Due diligence processes and monitoring for changes to third-party use cases are supported by technologies that provide automation, repeatability and intelligence to the processes.

References: https://nvlpubs.nist.gov/nistpubs/ai/NIST.AI.100-1.pdf - Govern 6.1, 6.2

Cybersecurity and Third-Party Risk: Third-Party Threat Hunting
https://www.tprassociation.org/guidebook

https://gdpr-info.eu/art-32-gdpr/
https://gdpr-info.eu/art-28-gdpr/
https://gdpr-info.eu/art-40-gdpr/

https://iapp.org/media/pdf/resource_center/State_Comp_Privacy_Law_Chart.pdf




DORA Article 28: 6. In exercising access, inspection and audit rights over the ICT third-party service provider, financial entities shall, on the basis of a risk-based approach, pre-determine the frequency of audits and inspections as well as the areas to be audited through adhering to commonly accepted audit standards in line with any supervisory instruction on the use and incorporation of such audit standards.

https://lgpd-brazil.info/chapter_07/article_47

ISO 27001

CC2.3 COSO Principle 15: The entity communicates with external parties regarding matters affecting the functioning of internal control.

CC3.2 COSO Principle 7: The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
CC9.2 The entity assesses and manages risks associated with vendors and business partners.

NIST 800-53: SR-4(4) Provenance | Supply Chain Integrity — Pedigree Employ [Assignment: organization-defined controls] and conduct [Assignment: organization-defined analysis] to ensure the integrity of the system and system components by validating the internal composition and provenance of critical or mission-essential technologies, products, and services. Authoritative information regarding the internal composition of system components and the provenance of technology, products, and services provides a strong basis for trust. The validation of the internal composition and provenance of technologies, products, and services is referred to as the pedigree. For microelectronics, this includes material composition of components. For software this includes the composition of open-source and proprietary code, including the version of the component at a given point in time. Pedigrees increase the assurance that the claims suppliers assert about the internal composition and provenance of the products, services, and technologies they provide are valid. The validation of the internal composition and provenance can be achieved by various evidentiary artifacts or records that manufacturers and suppliers produce during the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of technology, products, and services. Evidentiary artifacts include, but are not limited to, software identification (SWID) tags, software component inventory, the manufacturers’ declarations of platform attributes (e.g., serial numbers, hardware component inventory), and measurements (e.g., firmware hashes) that are tightly bound to the hardware itself.
Risk Reduction

Contracts
- address 4th and Nth party requirements
- Insurance
- Audit & assessment rights
Level 1 (Incomplete): There is no process for third-party contracting.

Level 2 (Performed, Ad Hoc): Contracts are typically executed with third parties, but contracts tend to be drafted by the third party and contractual terms are likely inconsistent.

Level 3 (Managed): Contracts are executed with all third parties. Responsibility for vetting third-party contracts is assigned. Contractual terms may vary between third parties, but critical risks are generally addressed. Organization obligations may not consistently be passed down.

Level 4 (Established): Contracts are executed with all third parties. Responsibility for vetting third-party contracts is formally assigned to specific roles, often involving legal or procurement teams. Standard contractual terms are often used, though some variation remains. Critical risks are consistently addressed, and efforts are made to ensure that organization obligations are appropriately passed down, though this may not yet be fully standardized.

Level 5 (Predictable): Contracts are executed with all third parties. Legal or other qualified leadership review all contracts to ensure that critical terms are addressed. Standard terms are defined and used in contract negotiation to ensure that organization obligations are appropriately passed down and risk is appropriately mitigated. Internally approved templates are often used.

Level 6 (Optimized): Contracts are executed with all third parties and reliably reviewed on a periodic basis. Legal or other qualified leadership review all contracts to ensure that critical terms are addressed. Standard terms or legal templates are defined, updated upon business changes and periodically, and used in contract negotiation to ensure that organization obligations are appropriately passed down and risk is appropriately mitigated.

References: https://gdpr-info.eu/art-32-gdpr/
https://gdpr-info.eu/art-28-gdpr/
https://gdpr-info.eu/art-40-gdpr/

https://iapp.org/media/pdf/resource_center/State_Comp_Privacy_Law_Chart.pdf

DORA Article 28: 3. As part of their ICT risk management framework, financial entities shall maintain and update at entity level, and at sub-consolidated and consolidated levels, a register of information in relation to all contractual arrangements on the use of ICT services provided by ICT third-party service providers.

DORA Article 30: Key contractual provisions

CCPA: (3) A requirement that, unless otherwise required by law, the purchaser or licensee of the deidentified information may not further disclose the deidentified information to any third-party unless the third-party is contractually bound by the same or stricter restrictions and conditions.

PIPEDA: Schedule 1: 4.1.3
An organization is responsible for personal information in its possession or custody, including information that has been transferred to a third-party for processing. The organization shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third-party.

https://lgpd-brazil.info/chapter_06/article_39


https://lgpd-brazil.info/chapter_07/article_47

https://lgpd-brazil.info/chapter_07/article_50

CC2.3 COSO Principle 15: The entity communicates with external parties regarding matters affecting the functioning of internal control.
CC9.2 The entity assesses and manages risks associated with vendors and business partners.
P6.4 The entity obtains privacy commitments from vendors and other third parties who have access to personal information to meet the entity's objectives related to privacy. The entity assesses those parties' compliance on a periodic and as-needed basis and takes corrective action, if necessary.

HIPAA: (b)(1) Business associate contracts and other arrangements. A covered entity may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity's behalf only if the covered entity obtains satisfactory assurances, in accordance with § 164.314(a), that the business associate will appropriately safeguard the information. A covered entity is not required to obtain such satisfactory assurances from a business associate that is a subcontractor.
(2) A business associate may permit a business associate that is a subcontractor to create, receive, maintain, or transmit electronic protected health information on its behalf only if the business associate obtains satisfactory assurances, in accordance with § 164.314(a), that the subcontractor will appropriately safeguard the information.

SR-5 Acquisition Strategies, Tools, and Methods Employ the following acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks: [Assignment: organization-defined acquisition strategies, contract tools, and procurement methods].

Interagency Guidance: F. Subcontractors

"P6.4 The entity obtains privacy commitments from vendors and other third parties who have access to personal information to meet the entity's objectives related to privacy. The entity assesses those parties' compliance on a periodic and as-needed basis and takes corrective action, if necessary.

HIPAA

GDPR

CCPA"
Privacy:

- Standards
- Impact Assessments
- Data Transfer
- Data Minimization
- Data Mapping
- 4th -Nth parties
- AI


Level 1 (Incomplete): There is no privacy program in place.

Level 2 (Performed, Ad Hoc): There is a general awareness of privacy requirements, and an external privacy policy is in place. Internal practices are not clearly defined. Privacy standards are incorporated into third-party risk management on an ad hoc basis.

Level 3 (Managed): Basic privacy policies and practices are in place. Responsibility for privacy has been assigned and there is some oversight over the use of third parties with respect to privacy requirements. Implementation of privacy controls such as privacy impact assessments, data minimization, data mapping, and the assessment of third-party privacy postures, including the use of AI systems and features, may be inconsistent.

Level 4 (Established): Privacy policies and practices are defined and communicated, with assigned responsibility and oversight on third-party compliance with privacy requirements. The organization assesses privacy risks through impact and data transfer assessments, implementing measures like data minimization and extending privacy requirements to third parties and their subcontractors. AI services and features are also considered. The organization tracks third-party access to private data, though data mapping procedures may still be developing.

Level 5 (Predictable): Privacy policies and procedures are defined, communicated, and integrated into third-party risk management. Responsibility for privacy is assigned, with oversight on third-party compliance with privacy requirements. The organization assesses privacy risks through impact and data transfer assessments, taking steps like data minimization and extending privacy requirements to third parties and their subcontractors. AI services and third-party data access are included in data mapping procedures. Privacy policies and practices are regularly reviewed and updated based on regulatory changes and business needs. The organization uses tools and relevant data to inform and manage its third-party privacy practices, incorporating privacy requirements and risks into continuous monitoring.

Level 6 (Optimized): Privacy policies and procedures are optimized, communicated, and integrated into third-party risk management. Responsibility for privacy is assigned, with oversight on third-party compliance with privacy requirements. The organization assesses privacy risks through impact and data transfer assessments, implementing measures like data minimization and extending privacy requirements to third parties and their processors. AI services and third-party data access are factored into data mapping procedures. Privacy practices adapt to business changes, including new obligations, known risks, and third-party modifications. The organization collects and uses data to inform privacy risk assessments and employs modern tools to automate privacy practices. Privacy requirements and risks are incorporated into continuous monitoring.

References:
https://gdpr-info.eu/art-32-gdpr/
https://gdpr-info.eu/art-35-gdpr/

CCPA https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?division=3.&part=4.&lawCode=CIV&title=1.81.5

Virginia Consumer Data Protection: C. Controllers shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes:

....

4. The categories of personal data that the controller shares with third parties, if any; and

5. The categories of third parties, if any, with whom the controller shares personal data.

PIPEDA: Schedule 1: 4.1.3
An organization is responsible for personal information in its possession or custody, including information that has been transferred to a third-party for processing. The organization shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third-party.

https://lgpd-brazil.info/chapter_06/article_37
https://lgpd-brazil.info/chapter_06/article_38

https://lgpd-brazil.info/chapter_07/article_50

ISO 27001

CC6.5 The entity discontinues logical and physical protections over physical assets only after the ability to read or recover data and software from those assets has been diminished and is no longer required to meet the entity’s objectives.

CCPA Companies must disclose AI use, allow consumers to opt out of automated decision-making, and ensure data privacy and security, including when engaging third-party vendors.

NIST Privacy Framework: ID.IM-P1: Systems/products/services that process data are inventoried.
Information Security (a shared responsibility):

- Access Management
- Identity & Authentication
- Configuration Management
- Vulnerability Management
- Risk Management
- AI
- Physical security
Level 1 (Incomplete): Information security is not incorporated into third-party management.

Level 2 (Performed / Ad Hoc): Information security standards are not defined. Assessment of third-party security postures is managed on an ad hoc basis and may or may not consider critical controls. Configuration and management of third-party tools is done on an ad hoc basis by system administrators, but responsibilities and standards are not defined.

Level 3 (Managed): Basic information security standards are defined and communicated, and responsibility for the organization's information security has been assigned. Risk management practices consider the administrative, technical and physical security practices and controls of both the third-party and the organization, while required controls may not be clearly defined or consistently assessed, and responsibilities for control execution may not always be clearly assigned between the organization and the third-party.

Level 4 (Established): Information security standards are well-defined and communicated, and responsibility for the organization's information security has been assigned. Risk management practices consider the administrative, technical and physical security practices and controls of both the third-party and the organization; controls are clearly defined and consistently assessed, and responsibilities for control execution are generally communicated and defined between the organization and the third-party.

Level 5 (Predictable): Information security standards are well-defined and communicated, and responsibility for the organization's information security has been assigned. Risk management practices consider the administrative, technical and physical security practices and controls of both the third-party and the organization; controls are clearly defined and consistently assessed, and responsibilities for control execution are generally communicated and defined between the organization and the third-party (shared responsibility model). Policies, practices and controls are reviewed on a periodic basis and updated to align with business requirements. The organization uses technologies and collects appropriate data to support the definition and monitoring of information security controls.

Level 6 (Optimized): Information security standards are well-defined and communicated, and responsibility for the organization's information security has been assigned. Risk management practices consider the administrative, technical and physical security practices and controls of both the third-party and the organization; controls are clearly defined and consistently assessed, and responsibilities for control execution are generally communicated and defined between the organization and the third-party (shared responsibility model). Policies, practices and controls are reviewed on a periodic basis and updated to align with business requirements. The organization uses technologies and collects appropriate data to support the definition and monitoring of information security controls.

References:
ISO 27001

CC6.2
Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized.

HIPAA

GLBA

GDPR Art. 32
Legal & Regulatory Compliance

Level 1 (Incomplete): Compliance activities have not been incorporated into third-party risk activities.

Level 2 (Performed / Ad Hoc): Compliance obligations are managed on an ad hoc basis by applicable stakeholders. Implementation may be inconsistent, and obligations are not clearly defined, communicated and addressed.

Level 3 (Managed): Compliance obligations are identified and managed consistently across the organization. There are documented processes and assigned responsibilities, but there may still be some gaps in implementation and monitoring.

Level 4 (Established): Compliance obligations are fully integrated into third-party risk management activities. Processes are well-documented, consistently followed, and regularly reviewed. There is clear communication and training for all stakeholders, ensuring everyone understands their roles and responsibilities.

Level 5 (Predictable): Compliance activities are proactive and predictable. There is a robust framework in place for monitoring and ensuring compliance, with regular audits and continuous improvement practices. Metrics and KPIs are used to track and report on compliance performance.

Level 6 (Optimized): Compliance activities are optimized and aligned with strategic business objectives. There is a culture of compliance throughout the organization, with continuous improvement and innovation driving enhancements. The organization actively anticipates and adapts to changes in the regulatory landscape, ensuring sustained compliance and competitive advantage.

References:
ISO 27001
SOC:
Continuity
- 4th & Nth Parties
Level 1 (Incomplete): No business continuity program is in place.

Level 2 (Performed / Ad Hoc): Continuity is considered on an ad hoc basis for critical services, but no formal continuity policies or procedures are defined.

Level 3 (Managed): Basic policies for business continuity are defined, and continuity risks are generally considered for third parties that are critical to our service availability. Policies and procedures for business continuity management are defined, communicated and incorporated into third-party risk management strategies.

Level 4 (Established): Policies and procedures for business continuity management are defined, communicated, and incorporated into third-party risk management strategies. Regular monitoring of SLA performance is conducted, and redundancy measures are in place for critical third-party services. Business continuity considers replacement risks and incorporates replacement plans.

Level 5 (Predictable): Policies and procedures for business continuity management are defined, communicated, and incorporated into third-party risk management strategies. Business continuity plans for high-risk third parties that have a significant impact on the availability of critical business functions are defined, tested, and updated on a defined cadence. There is consistent and proactive monitoring of SLA performance, and redundancy and recovery plans are systematically applied. Business continuity considers concentration and replacement risks and incorporates replacement plans.

Level 6 (Optimized): Policies and procedures for business continuity management are defined, communicated, and incorporated into third-party risk management strategies. Business continuity plans for high-risk third parties that have a significant impact on the availability of critical business functions are defined, tested, and updated on a defined cadence. Policies, procedures, and continuity plans are responsive to business changes, including new legal obligations, changes to business needs and goals, and changes to the business risk environment. Advanced monitoring tools and technologies are used to ensure SLA performance, and robust redundancy and recovery strategies are continuously optimized. Business continuity considers concentration and replacement risks and incorporates replacement plans.

References:
https://nvlpubs.nist.gov/nistpubs/ai/NIST.AI.100-1.pdf Govern 6.2

https://gdpr-info.eu/art-32-gdpr/

DORA Article 31
Designation of critical ICT third-party service providers

ISO 27001

A1.3 The entity tests recovery plan procedures supporting system recovery to meet its objectives. (A1.1 The entity maintains, monitors, and evaluates current processing capacity and use of system components (infrastructure, data, and software) to manage capacity demand and to enable the implementation of additional capacity to help meet its objectives.)

HIPAA: (7)(i) Standard: Contingency plan. Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information. (A) Data backup plan (Required). Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information. (B) Disaster recovery plan (Required). Establish (and implement as needed) procedures to restore any loss of data. (C) Emergency mode operation plan (Required). Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode. (D) Testing and revision procedures (Addressable). Implement procedures for periodic testing and revision of contingency plans.

ISO_IEC_27036-2_2022
Incidents: Incident Management

Level 1 (Incomplete): Incident identification occurs by chance. No incident response practices are in place.

Level 2 (Performed / Ad Hoc): Some contracts require incident reporting by third parties, but incident identification largely relies on external factors. Incidents are treated on an ad hoc basis.

Level 3 (Managed): Basic incident management policies and procedures are documented. Third-party contracts consistently contain terms requiring third parties to report incidents to the organization. Incident response processes may be largely manual and sometimes inconsistent.

Level 4 (Established): Policies and procedures are aligned with organization obligations and address third-party related risks and potential incidents. Third-party contracts consistently contain terms requiring third parties to report incidents to the organization in accordance with organization policy. Defined procedures address escalation, communication, containment, root cause analysis and post-mortems. Additional controls or potential changes to third-party services are considered as appropriate.

Level 5 (Predictable): Formalized incident response policies and plans incorporate third-party related incidents, and defined procedures address identification, reporting, escalation, communication, containment, root cause analysis and post-mortems. Additional controls or potential changes to third-party services are considered as appropriate. Responsible parties are defined and have the requisite skills and training to perform incident response duties. Incident response is supported by appropriate information sources and is at least partially automated to ensure speed and effectiveness. Incident response procedures are tested on a defined cadence and updated as appropriate. The organization conducts proactive assessments of significant third parties on a periodic basis and upon known new breach vectors or vulnerabilities to identify potential incidents.

Level 6 (Optimized): The formalized incident response plan incorporates third-party related potential incidents, and defined procedures address identification, reporting, escalation, communication, containment, root cause analysis and post-mortems. Additional controls or potential changes to third-party services are considered as appropriate. Responsible parties are defined and have the requisite skills and training to perform incident response duties. Incident response is supported by appropriate information sources and is at least partially automated to ensure speed and effectiveness. Incident response procedures are tested on a defined cadence and updated as appropriate. The organization proactively monitors third parties for potential security incidents through the use of intelligence and technologies.

References:
https://nvlpubs.nist.gov/nistpubs/ai/NIST.AI.100-1.pdf Govern 6.1

https://www.tprassociation.org/guidebook


https://gdpr-info.eu/art-28-gdpr/
https://gdpr-info.eu/art-34-gdpr/


https://lgpd-brazil.info/chapter_07/article_48

ISO 27001

P6.4 The entity obtains privacy commitments from vendors and other third parties who have access to personal information to meet the entity’s objectives related to privacy. The entity assesses those parties’ compliance on a periodic and as-needed basis and takes corrective action, if necessary.

HIPAA: Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity or business associate; and document security incidents and their outcomes

NIST 800-53: SR-8 Notification Agreements Establish agreements and procedures with entities involved in the supply chain for the system, system component, or system service for the [Selection (one or more): notification of supply chain compromises; results of assessments or audits; [Assignment: organization-defined information]].


SOC: Companies must establish internal controls for financial reporting, which includes assessing and managing third-party risks.

Federal Information Security Management Act (FISMA): Federal agencies and contractors must implement information security protections, including third-party risk management and incident response protocols.






PCI: Organizations handling cardholder data must implement security measures, manage third-party risks, and have incident response procedures.

APRA: Financial institutions must maintain information security, including third-party risk management and incident response plans.
Continuous monitoring: Reassessment
- Risk Assessment
- Due Diligence
- Quality Management
- Tools & Monitoring
Level 1 (Incomplete): There is no continuous monitoring program.

Level 2 (Performed / Ad Hoc): Re-assessment of third-party risks, including risk assessments and due diligence, may be performed on an ad hoc basis, but there is no standardization of these processes and performance may be inconsistent. Due diligence may be limited in scope and impact. Business owners may assess third-party performance of purchased services, but there is no formal process or guidance for performance or quality management.

Level 3 (Managed): Policies are in place requiring and defining the procedures for reassessment of third-party risk on a periodic basis for known high-risk third parties, and responsibility for third-party reassessment has been assigned. Risk assessments and due diligence efforts may be basic in structure and limited in scope. Business owners are formally responsible for assessing third-party performance and quality management; however, procedures are not standardized or consistently performed and tracked. Processes are largely manual in nature.

Level 4 (Established): Policies are in place requiring and defining the procedures for reassessment of third-party risk on a periodic basis, and responsibility for third-party reassessment has been assigned. Risk assessments and due diligence efforts consider current business needs, the vendor's ability to perform its services, and known risks and threats.

Level 5 (Predictable): Policies are in place requiring and defining the procedures for reassessment of third-party risk on a periodic basis. Risk assessments and due diligence efforts consider current business needs, the vendor's ability to perform its services, and known risks and threats. Responsibility for third-party risk reassessments is assigned, and procedures engage pertinent stakeholders to inform assessment decisions. Assessments are informed by pertinent data, and effectiveness is supported through the use of technologies.

Level 6 (Optimized): Policies and procedures for third-party risk reassessments are optimized, with responsibilities defined. Risk reassessment processes make use of pertinent data and technologies to ensure that significant issues are identified and addressed in a timely manner, and reassessments are performed on a defined cadence. Reassessments are robust in nature and are responsive to business and external changes impacting third-party risk. Responsibility for third-party risk reassessments is assigned and includes applicable stakeholders.

References:
ISO_IEC_27036-2_2022 - 6.2.5
Issue Management

Level 1 (Incomplete): No issue management practices are in place.

Level 2 (Performed / Ad Hoc): Business owners or IT may address concerns with third parties, but there are no formalized procedures.

Level 3 (Managed): Baseline policies for issue management have been defined and communicated. Compliance with these policies relies on business owners and IT to enforce the policies.

Level 4 (Established): Policies and procedures for issue management address business needs, obligations and risks. Issues are prioritized based on business impact, and are tracked and monitored.

Level 5 (Predictable): Policies and procedures are documented, communicated, and enforced for the tracking and remediation of issues identified with third parties. Policies and procedures are supported by data, industry benchmarking, or automation, and are reviewed and updated on a defined cadence and upon significant changes to the business. Tools are used to identify and respond to issues. Issue management procedures effectively reduce risk for the organization.

Level 6 (Optimized): Policies and procedures are documented, communicated, and enforced for the tracking and remediation of issues identified with third parties. Policies and procedures are supported by data, industry benchmarking, or automation, and are reviewed and updated on a defined cadence and upon significant changes to the business. Tools are used to identify and respond to issues. Issue management procedures effectively reduce risk for the organization.

References:
ISO 27001
SOC 2: CC9.2 The entity assesses and manages risks associated with vendors and business partners.

NIST 800-53 RA-3(2) Risk Assessment | Use of All-source Intelligence Use all-source intelligence to assist in the analysis of risk.