Is the TPRM lifecycle documented end-to-end (intake, due diligence, contracting, monitoring, exit) with role assignments?
Demonstrate that the organization has documented the complete TPRM lifecycle with defined phases, activities, role assignments, and handoffs that ensure continuous third-party risk oversight from onboarding through offboarding.
Description
What this control does
This control ensures the organization maintains a formally documented Third-Party Risk Management (TPRM) lifecycle that spans intake (vendor request and initial triage), due diligence (security assessments, questionnaires, and risk scoring), contracting (legal review and security clauses), ongoing monitoring (periodic reassessments and incident tracking), and exit (offboarding, access revocation, and data return/destruction). Each phase must have clearly assigned roles and responsibilities, including who initiates, approves, executes, and monitors its activities, and the handoff criteria between phases must be defined so that no vendor leaves one phase without entering the next. Without end-to-end documentation and role clarity, vendor risks go unmanaged during critical phases, creating gaps in accountability and increasing the likelihood of supply chain compromise.
Control objective
What auditing this proves
Demonstrate that the organization has documented the complete TPRM lifecycle with defined phases, activities, role assignments, and handoffs that ensure continuous third-party risk oversight from onboarding through offboarding.
Associated risks
Risks this control addresses
- Undocumented or ad hoc vendor intake processes allow high-risk third parties to bypass security assessments and gain access to sensitive systems or data
- Lack of role assignments during due diligence leads to incomplete risk assessments, missed critical security deficiencies, or procurement approval without security sign-off
- Absence of formalized contracting requirements results in vendor agreements lacking security obligations, audit rights, breach notification clauses, or data handling provisions
- Inadequate ongoing monitoring processes fail to detect post-contract security degradation, new vulnerabilities, or third-party incidents affecting the supply chain
- Unmanaged vendor exit procedures leave orphaned access credentials, unreturned sensitive data, or incomplete termination of data processing agreements
- Unclear role boundaries create accountability gaps where critical TPRM tasks are assumed complete but never executed, leading to unmitigated vendor exposures
- Manual or undocumented handoffs between TPRM phases cause delays, lost context, or vendors that fall out of tracking and continue operating without the required oversight
Testing procedure
How an auditor verifies this control
- Request and review the formal TPRM lifecycle documentation, including policy, procedures, process flows, and any supporting runbooks or playbooks.
- Verify that documentation explicitly defines each lifecycle phase (intake, due diligence, contracting, monitoring, exit) with entry and exit criteria for phase transitions.
- Examine role assignment matrices or RACI charts to confirm that each TPRM phase has designated responsible, accountable, consulted, and informed parties identified by job title or function.
- Select a sample of 8-12 active third-party relationships spanning different risk tiers and review their records to trace evidence of progression through each documented lifecycle phase.
- Interview personnel assigned to each TPRM role (e.g., procurement, security assessor, legal, vendor manager) to confirm understanding of their documented responsibilities and handoff procedures.
- Review exit/offboarding records for 3-5 terminated vendor relationships to verify documented exit procedures were followed, including access revocation, data return confirmations, and final risk closure.
- Inspect artifacts from each lifecycle phase (intake forms, due diligence reports, contract security addenda, monitoring schedules, exit checklists) to confirm consistency with documented processes.
- Validate that the TPRM documentation includes escalation paths for exceptions, risk acceptance workflows, and governance oversight mechanisms for lifecycle compliance.