CRF

Third Party Risk Model

What Is the CRF Third Party Risk Model?

The CRF Third-Party Risk Model (CRF-TPRM) is a standalone whitepaper that defines a structured, seven-step approach to governing cybersecurity risk across third-party relationships. It is not a maturity model, risk scoring system, or assurance framework — its role is to ensure that third-party risk is managed deliberately, consistently, and in alignment with business objectives.

The model mirrors the structure of the CRF Governance & Risk Model and extends CRF’s GRC Roadmap to the external ecosystem — so organizations can manage vendor and partner risk with the same rigor applied to internal cybersecurity governance. Where direct control is replaced by contracts, and oversight is delegated but not relinquished, the CRF-TPRM provides the process structure to keep external dependencies from becoming liabilities.

The Seven-Step TPRM Roadmap

  • Initiate — Establish leadership sponsorship and define governance structures across procurement, legal, IT, and cybersecurity

  • Inventory — Catalog all third-party relationships and classify by access, service type, and business impact

  • Select — Define risk criteria and prioritize oversight requirements based on vendor criticality and risk tier

  • Educate — Train internal stakeholders on their roles and communicate security expectations to third parties

  • Contract — Embed safeguards into contracts and service agreements with enforceable obligations

  • Validate — Monitor and assess third-party compliance through evidence collection, attestations, and periodic reassessments

  • Communicate — Report third-party risk posture and compliance status to executive stakeholders and risk committees

The CRF-TPRM in the CRF Ecosystem

The TPRM is designed to integrate with the broader CRF framework system:

  • CRF-GRM — The TPRM mirrors the GRM’s seven-step structure, extending internal governance to external relationships

  • CRF-S (Safeguards) — Used as the basis for defining which controls to require of third parties

  • CRF-AF — Defines how third-party controls are independently validated through governed assurance activities

Who Is This For?

  • Security leaders formalizing third-party governance structures and oversight practices
  • Procurement and legal teams responsible for vendor selection, contracting, and enforcement of security obligations
  • Risk and compliance managers building or maturing third-party risk programs in regulated industries
  • Business unit owners overseeing critical vendor relationships who need clear assessment criteria

What's New in v2026?

  • CRF Ecosystem Positioning: A new section explicitly defines how the TPRM connects to the GRM, Safeguards, and Audit Framework within the broader CRF system

  • Seven-Step Process Unchanged: All seven steps — Initiate, Inventory, Select, Educate, Contract, Validate, Communicate — remain identical to v2025

Frequently Asked Questions

The Third Party Risk Model is a practical, seven-step framework that guides organizations through the end-to-end process of identifying, assessing, and managing risks posed by external vendors, suppliers, and service providers. It emphasizes operational execution—embedding safeguards into contracts, validating controls, and communicating risk posture—to ensure that third-party relationships support, rather than jeopardize, business objectives.

As organizations become more interconnected, third-party dependencies introduce cybersecurity, compliance, and operational risks. Without a structured TPRM approach, vendor oversight is often inconsistent, reactive, and fragmented. The CRF–TPRM provides a repeatable process to align vendor selection, contracting, and validation with organizational risk tolerance—transforming third-party risk from a liability into a strategic enabler.

CRF–TPRM follows a seven-step roadmap:

  1. Initiate: Secure executive sponsorship, define scope, and establish governance structures.

  2. Inventory: Catalog all third-party relationships and classify vendors by risk.

  3. Select: Define risk criteria, develop a safeguards library, and prioritize controls based on vendor tier.

  4. Educate: Train internal teams and inform external partners of security expectations.

  5. Contract: Embed safeguards into legal agreements to ensure enforceability.

  6. Validate: Collect evidence, review audit reports, and use continuous monitoring to confirm vendor compliance.

  7. Communicate: Provide tailored reports to executives, business owners, and technical teams—enabling data-driven decision-making.

A successful TPRM program requires cross-functional collaboration among:

  1. Executive Sponsors (e.g., CISO, Risk Committee): Provide leadership commitment and resources.

  2. Procurement and Sourcing Teams: Integrate TPRM steps into vendor selection and contracting workflows.

  3. Legal Counsel: Review and negotiate contract language to embed security and compliance obligations.

  4. IT and Security Operations: Define technical controls, validate evidence, and monitor ongoing compliance.

  5. Business Unit Leaders: Own critical vendor relationships, approve risk assessments, and manage exceptions.

  1. Gather Early Data: Compile existing vendor lists from procurement, finance, and IT.

  2. Secure Sponsorship: Appoint an executive sponsor and form a cross-functional TPRM working group.

  3. Draft a Program Charter: Define objectives, scope, roles, and decision-making authority.

  4. Select a System of Record: Choose a centralized platform or repository (spreadsheet, GRC tool) to track inventory and assessments.

  5. Begin Inventory: Classify vendors by type, function, and risk exposure, then apply risk-tiering criteria.

Download for Free

Provide your email address below, and we’ll instantly send the Third Party Risk Model to your inbox.
