A.5.19 / A.5.20 / A.15.1.2 ISO/IEC 27001:2022 Annex A

Is Legal integrated into TPRM (DPAs, security schedule, breach notification clauses standardised)?

Demonstrate that legal counsel actively participates in TPRM workflows and has standardized contractual security clauses, DPAs, and breach notification requirements across third-party agreements.

Description

What this control does

This control ensures that the legal department is formally embedded within the Third-Party Risk Management (TPRM) process, particularly for vendor contracts involving data processing. Legal reviews and standardizes Data Processing Agreements (DPAs), contractual security schedules (defining technical and organizational measures), and breach notification clauses across all vendor engagements. Standardization ensures consistent enforcement of security obligations, liability terms, and incident response requirements, reducing contractual gaps that could leave the organization exposed during a vendor breach or audit. Integration means legal participates in vendor onboarding workflows, approves contract templates, and maintains a repository of negotiated security terms.

Control objective

What auditing this proves

Demonstrate that legal counsel actively participates in TPRM workflows and has standardized contractual security clauses, DPAs, and breach notification requirements across third-party agreements.

Associated risks

Risks this control addresses

  • Vendors processing sensitive data without enforceable Data Processing Agreements, exposing the organization to regulatory penalties under GDPR, CCPA, or other privacy laws
  • Inconsistent or absent breach notification clauses delaying incident response and regulatory reporting when a vendor suffers a compromise
  • Lack of contractual security obligations (e.g., encryption, access controls, audit rights) preventing the organization from enforcing minimum security baselines with third parties
  • Legal team unaware of high-risk vendor relationships, resulting in contracts signed without adequate indemnity, liability caps, or right-to-audit provisions
  • Vendor contracts lacking termination rights tied to security performance, preventing the organization from exiting relationships with non-compliant suppliers
  • Ambiguous data ownership or data return clauses complicating offboarding and creating data retention risks when vendor relationships end
  • Procurement or business units bypassing legal review for vendor contracts, creating shadow IT relationships with no contractual security protections

Testing procedure

How an auditor verifies this control

  1. Obtain the organization's TPRM policy, workflow documentation, and vendor onboarding process map to identify where legal review is formally required.
  2. Request the repository or template library of standardized contract clauses maintained by legal, including DPA templates, security schedules (Annex or Schedule format), and breach notification language.
  3. Select a sample of 10-15 vendor contracts executed within the past 12 months, stratified by risk tier (critical, high, medium), and covering vendors processing personal data or accessing production systems.
  4. Review each sampled contract for presence and completeness of: a signed DPA (or DPA incorporated by reference), a security requirements schedule detailing technical safeguards, and breach notification timelines with escalation contacts.
  5. Interview the TPRM program owner and legal counsel to confirm legal's participation in vendor risk assessments, contract negotiation cycles, and approval workflows before contract execution.
  6. Cross-reference the TPRM system (or vendor registry) against executed contracts to verify legal sign-off is documented for each high-risk vendor relationship.
  7. Examine evidence of legal training or guidance provided to procurement and business unit stakeholders on mandatory security clauses and escalation paths for non-standard terms.
  8. Test one recent vendor onboarding case end-to-end, tracing from initial risk assessment through legal review to final contract execution, confirming standardized clauses were applied or deviations were formally approved and documented.

Evidence required

What the auditor collects

Auditor collects TPRM policy documents, legal clause template library (including DPA, security schedule, and breach notification language), and the vendor contract repository or contract management system exports. For the sample of vendor contracts, auditor retains signed agreements showing DPAs, security annexes, and breach clauses, along with approval workflow records (e-signatures, email approvals, or contract management system logs) demonstrating legal sign-off. Training materials, meeting minutes from legal-TPRM collaboration sessions, and exception logs for non-standard contract terms are also collected.

Pass criteria

What a passing result looks like

All sampled high-risk and data-processing vendor contracts include standardized DPAs, security schedules, and breach notification clauses; legal counsel is formally integrated into the TPRM workflow with documented review and approval at contract execution; and a maintained repository of standardized legal templates exists.