Third-Party & Supply Chain Security Assessment

Overview

The Third-Party & Supply Chain Security Assessment provides a comprehensive framework for evaluating your organisation's management of vendor and supply chain cybersecurity risks. With 96 questions across 8 domains, this assessment covers the full vendor lifecycle from due diligence through to exit management.

Through structured evaluation criteria aligned to TPRM best practices and regulatory expectations, you will assess your organisation's governance, vendor risk classification, onboarding controls, contractual requirements, ongoing monitoring, incident management, concentration risk, and offboarding processes.

The assessment employs a maturity-based scoring model to help you understand your current TPRM posture, identify programme gaps, and develop a prioritised remediation roadmap for enhanced supply chain security.

Who It's For

This assessment is designed for:

• Third-party risk management (TPRM) teams
• Vendor management and procurement professionals
• CISOs overseeing supply chain security
• GRC professionals with vendor oversight responsibilities
• Organisations with regulatory third-party risk requirements (APRA CPS 230/234, OCC, FCA)
• Companies responding to supply chain incidents or audit findings

Typical Outcomes

Organisations using this assessment typically gain:

• Clear understanding of current TPRM programme maturity
• Identification of gaps across the vendor lifecycle
• Prioritised action plan for programme improvement
• Documentation to support regulatory compliance reporting
• Evidence of third-party oversight for board and audit committees
• Framework for consistent vendor risk assessment

Assessment Coverage

The assessment comprehensively evaluates TPRM across 8 domains:

• Governance & Accountability — TPRM policy, executive sponsorship, roles and responsibilities, Board reporting, and programme oversight
• Third-Party Inventory & Criticality Classification — Vendor register completeness, risk-based tiering, criticality assessment, and data classification mapping
• Due Diligence & Onboarding Controls — Pre-engagement security assessment, risk acceptance, control validation, and onboarding processes
• Contractual & Legal Security Obligations — Security clauses, data protection requirements, audit rights, breach notification, and subcontractor controls
• Ongoing Monitoring & Assurance — Continuous monitoring, periodic reassessment, security ratings, audit evidence collection, and performance management
• Incident & Breach Management — Vendor incident notification, coordinated response, breach investigation, and remediation tracking
• Concentration & Systemic Supply-Chain Risk — Single points of failure, geographic concentration, fourth-party risk, and systemic dependencies
• Exit/Termination & Supplier Off-boarding — Exit planning, data return/destruction, access revocation, and knowledge transfer