Governance & Compliance

Third Party Cyber Risk. Their security is now your problem.

Every vendor you trust is a door into your business, and you cannot watch all of them equally. We run third party risk as a governed program: tier vendors by the risk they carry, diligence them properly, and keep the high-risk ones under real ongoing review.

Why it matters

You can harden your own environment perfectly and still be breached through a supplier who did not. As businesses integrate more deeply with their suppliers, more of your risk lives in companies you do not control. You have outsourced the work, but not the accountability.

Third Party Cyber Risk Management brings governance to that exposure. We help you understand which vendors actually matter, assess them in proportion to the risk they carry, and keep the critical ones under ongoing review rather than a one-time questionnaire. It is the advisory and governance layer that, paired with our Supply Chain Security, gives you both the judgment and the live signal.

The rings

Your vendors, arranged by how much they can hurt you

Proximity is access. The closer a vendor sits to the center, the deeper they reach into your estate, and the harder we look at them.

Low · 130 vendors · baseline check at intake
  office catering, stock imagery, +127 more

Medium · 38 vendors · periodic review
  survey tool, CRM plugin, translation API

High · 14 vendors · annual assessment + monitoring
  analytics SaaS, logistics API, marketing platform

Critical · 6 vendors · full diligence · continuous review
  cloud platform, identity provider, payroll processor, file-transfer vendor (breach intel, under review)

You · the data and systems they can reach

Illustrative. A breach in the outer ring is a procurement note. A breach in the inner ring is your incident, which is why the six vendors closest to the center get the scrutiny the other 182 do not need.

The program

Governed from onboarding to exit

Vendor risk is a lifecycle, not a form at procurement. We run every stage.

01

Onboard & tier

Assess and classify each new vendor by the risk they carry before they are trusted.

02

Due diligence

Proportionate assessment of security, with contract and compliance review.

03

Ongoing review

Critical vendors monitored continuously, others re-reviewed on a cycle.

04

Offboard

Access cleanly removed and obligations closed when a relationship ends.

What you get

Judgment, evidence, and a register that holds up

Vendor risk register

A current, tiered inventory of every vendor and the risk they carry.

Due diligence

Security assessments scaled to risk, with the questionnaires run for you.

Contract review

Security and data clauses checked, so your agreements actually protect you.

Continuous monitoring

Critical vendors watched for breaches and posture changes, through Supply Chain Security.

Regulatory alignment

The register and reviews mapped to DORA, NIS2, and your audit needs.

Incident readiness

A plan for when a vendor is breached, so it becomes a managed event.

Part of the loop

Where TPCRM sits in VIGILE

Assess and maintain

Identify the risk · Enhance the program

TPCRM is the Identify and Enhance motions for vendor risk. We tier and assess the exposure, then mature the program as your supplier base changes. It pairs with Supply Chain Security for the live technical signal.

See Supply Chain Security ›

FAQ

Top 10 questions, frequently asked

They are two layers of the same problem. Third Party Cyber Risk is the governance and advisory layer: tiering vendors, running diligence, reviewing contracts, and reporting to regulators. Supply Chain Security is the technical execution layer that maps the dependency graph and monitors vendor posture live. We run them together so the judgment is backed by real signal.

By tiering. Most vendors carry little risk and need only a light check, while a small number with deep access or sensitive data deserve real scrutiny. We focus the effort where it matters, so you are not drowning in questionnaires for vendors who could never hurt you.

Yes. DORA and NIS2 both place clear obligations on managing and documenting third party and ICT supplier risk, including concentration risk. The tiered register, the diligence records, and the ongoing review produce exactly the evidence those regimes expect, kept current rather than assembled under deadline.

We help you decide and act: require remediation, add compensating controls, restrict access, or in some cases walk away. The point of the program is to make those decisions on evidence and in advance, rather than discovering the problem when the vendor is breached.

Tiering and the first risk pass over your vendor list typically run a few weeks. Deep assessments then proceed tier by tier, riskiest first.

External posture signals, breach intelligence, and certificate and domain hygiene for your high-tier vendors, with changes routed to owners rather than parked in a portal.

A vendor risk picture for leadership: tier movements, new findings, remediations closed, and the vendors whose risk is trending the wrong way.

Yes, and it should: new vendors get risk-tiered at intake, so security review happens before the contract is signed rather than after.

By vendor count and assessment depth per tier, as a managed program after the initial baseline.

Identify tiers the vendors, Validate assesses them, and continuous monitoring runs in Implement with quarterly evidence through Enhance.

Third Party Cyber Risk datasheet

The scoring model behind the tiers, the lifecycle from intake to offboarding, continuous monitoring for the inner ring, DORA and NIS2 alignment, and the quarterly vendor risk picture.

Trust your vendors on evidence

Book a session with a Principal Engineer. We review your vendor exposure and show you where the real risk sits.