Third-Party Risk: Definition, Management, and Compliance
Third-party risk refers to the potential threats that arise from an organization's relationships with external vendors, suppliers, partners, and service providers. When you share data with a vendor or depend on their services, their security weaknesses become your security weaknesses, and their incidents become your incidents. Managing third-party risk is a core requirement of most major compliance frameworks, including SOC 2, ISO 27001, and GDPR.
Why Third-Party Risk Matters
Modern organizations rely on dozens or hundreds of third-party services — cloud infrastructure, SaaS applications, payment processors, data analytics providers, and more. Each relationship introduces potential risks:
- Data exposure — Vendors with access to your data could suffer breaches
- Service disruption — Vendor outages can impact your availability commitments
- Compliance inheritance — Controls you outsource to a vendor remain your responsibility to auditors and regulators, so your compliance posture is only as strong as your weakest vendor
- Supply chain attacks — Compromised vendors can become vectors for attacking your organization
Third-Party Risk Management Process
- Inventory vendors — Maintain a complete list of all third-party relationships
- Classify by risk — Categorize vendors based on data access, criticality, and integration depth
- Assess security posture — Review SOC 2 reports, ISO 27001 certificates, security questionnaires, and penetration test results
- Establish contractual controls — Include security requirements, SLAs, breach notification obligations, and audit rights in vendor agreements
- Monitor continuously — Track vendor security posture changes, incidents, and compliance status over time
- Review periodically — Reassess vendor risk at least annually and when significant changes occur
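The inventory, classification, and periodic-review steps above can be turned into a small triage tool. The following Python script is an added example, not code from the original page; its tier rules, evidence requirements, review cadences, and the four vendors in the inventory are illustrative assumptions, not a standard. It classifies each vendor by the worst of three dimensions (data access, criticality, integration depth), escalates regulated data or privileged access straight to the critical tier, and flags vendors whose reassessment is overdue or whose scope has changed since the last review.

```python
"""Vendor inventory triage: classify vendors into risk tiers and flag
overdue reassessments. Constructed example; tier rules and review
cadences below are illustrative assumptions, not a published standard."""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import IntEnum
from typing import Optional


class DataAccess(IntEnum):
    NONE = 0          # no organizational data
    INTERNAL = 1      # non-sensitive business data
    CONFIDENTIAL = 2  # trade secrets, customer records
    REGULATED = 3     # PII/PHI/cardholder data subject to GDPR, HIPAA, PCI DSS


class Criticality(IntEnum):
    LOW = 0     # outage is an inconvenience
    MEDIUM = 1  # outage degrades a business process
    HIGH = 2    # outage breaks an availability commitment to customers


class Integration(IntEnum):
    MANUAL = 0      # file exports, no live connection
    API = 1         # scoped API tokens, webhooks
    PRIVILEGED = 2  # agents, admin credentials, or SSO into our environment


# Tier -> (minimum evidence to request, reassessment cadence in days). Assumption.
TIER_POLICY = {
    "critical": ("SOC 2 Type II + pentest summary + DPA + breach-notification SLA", 180),
    "high": ("SOC 2 Type II or ISO 27001 certificate + questionnaire", 365),
    "medium": ("security questionnaire", 365),
    "low": ("contract review only", 730),
}
TIER_ORDER = ("critical", "high", "medium", "low")


@dataclass
class Vendor:
    name: str
    data_access: DataAccess
    criticality: Criticality
    integration: Integration
    last_assessed: Optional[date] = None
    changed_since_assessment: bool = False  # new scope, acquisition, incident


def risk_tier(v: Vendor) -> str:
    """Classify by the worst of the three dimensions; regulated data or
    privileged access alone is enough to make a vendor critical."""
    if v.data_access == DataAccess.REGULATED or v.integration == Integration.PRIVILEGED:
        return "critical"
    if v.data_access == DataAccess.CONFIDENTIAL and v.criticality == Criticality.HIGH:
        return "critical"
    if (v.data_access == DataAccess.CONFIDENTIAL or v.criticality == Criticality.HIGH
            or v.integration == Integration.API):
        return "high"
    if v.data_access == DataAccess.INTERNAL or v.criticality == Criticality.MEDIUM:
        return "medium"
    return "low"


def review_due(v: Vendor, today: date) -> bool:
    """Reassess when never assessed, when the vendor changed materially,
    or when the tier's cadence has elapsed since the last assessment."""
    if v.last_assessed is None or v.changed_since_assessment:
        return True
    cadence = timedelta(days=TIER_POLICY[risk_tier(v)][1])
    return today - v.last_assessed > cadence


def triage(vendors: list, today: date) -> list:
    """Return one row per vendor, highest tier first, with evidence to request."""
    rows = []
    for v in vendors:
        tier = risk_tier(v)
        rows.append({
            "vendor": v.name,
            "tier": tier,
            "evidence": TIER_POLICY[tier][0],
            "review_due": review_due(v, today),
        })
    rows.sort(key=lambda r: (TIER_ORDER.index(r["tier"]), r["vendor"]))
    return rows


# Constructed inventory of hypothetical vendors and a fixed "today" for the run.
TODAY = date(2025, 1, 15)
INVENTORY = [
    Vendor("payments-processor", DataAccess.REGULATED, Criticality.HIGH, Integration.API,
           last_assessed=date(2024, 3, 1)),
    Vendor("endpoint-agent", DataAccess.INTERNAL, Criticality.MEDIUM, Integration.PRIVILEGED,
           last_assessed=date(2024, 9, 1), changed_since_assessment=True),
    Vendor("analytics-saas", DataAccess.CONFIDENTIAL, Criticality.MEDIUM, Integration.API,
           last_assessed=date(2024, 6, 1)),
    Vendor("office-catering", DataAccess.NONE, Criticality.LOW, Integration.MANUAL),
]

if __name__ == "__main__":
    for row in triage(INVENTORY, TODAY):
        print(f"{row['tier']:8} {row['vendor']:20} due={row['review_due']}  request: {row['evidence']}")
```

Run as-is and the critical tier surfaces first: the payments processor (regulated data, 180-day cadence lapsed) and the endpoint agent (privileged access, scope changed) are both due, the analytics vendor is in its review window, and the catering vendor is low-tier but has never been assessed at all. Tune the thresholds in `TIER_POLICY` and `risk_tier` to your own classification scheme; the point is that the tier, not the vendor's marketing, decides how much evidence you ask for.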
Compliance Requirements
SOC 2 Common Criteria CC9.2 addresses risk from business relationships. Auditors verify that the organization assesses and manages risks from vendors and partners.
ISO/IEC 27001:2022 Annex A controls A.5.19 through A.5.23 address information security in supplier relationships, including supplier selection, security requirements in supplier agreements, the ICT supply chain, monitoring and change management of supplier services, and the use of cloud services.
GDPR Article 28 requires data controllers to use only processors that provide sufficient guarantees of appropriate technical and organizational security measures, formalized through a Data Processing Agreement that also obligates the processor to assist with breach notification and to flow the same terms down to any sub-processors.
Best Practices
Prioritize based on data access. Not every vendor needs a deep security review. Focus assessment effort on vendors that access sensitive data or provide critical infrastructure services.
Request SOC 2 reports. SOC 2 Type II reports provide independent assurance that a vendor's security controls operated effectively over a review period, and they are more reliable than self-completed security questionnaires. Read them rather than filing them: confirm the report's scope covers the service you actually use, check that the review period is current (ask for a bridge letter if it has lapsed), review any noted exceptions, and map the complementary user entity controls to responsibilities your own team must fulfil for the vendor's controls to hold.