Is the TPRM policy approved at board or executive level and reviewed annually?
Demonstrate that the organization's TPRM policy has been formally approved by board-level or executive leadership within the past 12 months and that a documented annual review process exists and is followed.
Description
What this control does
This control ensures the Third-Party Risk Management (TPRM) policy receives formal approval from the board of directors or executive leadership committee and undergoes mandatory annual review. The approval process establishes accountability at the highest organizational level for vendor risk decisions and strategic direction. Annual reviews ensure the policy remains aligned with evolving business relationships, regulatory requirements, threat landscapes, and lessons learned from vendor incidents or audits.
Control objective
What auditing this proves
Demonstrate that the organization's TPRM policy has been formally approved by board-level or executive leadership within the past 12 months and that a documented annual review process exists and is followed.
Associated risks
Risks this control addresses
- Executives lack awareness of third-party cyber risks, leading to inadequate resource allocation for vendor security assessments and monitoring
- TPRM policy becomes outdated and fails to address new supply chain attack vectors or emerging vendor categories such as cloud service providers
- Business units bypass governance processes and onboard high-risk vendors without proper due diligence when policy lacks executive authority
- Regulatory penalties and audit failures occur because TPRM requirements do not reflect current legal obligations under data protection or critical infrastructure regulations
- Vendor incidents cause material business disruption because risk appetite and incident response procedures were never formally endorsed by decision-makers
- Inconsistent vendor risk classifications across departments create security gaps when the policy lacks authoritative, board-approved standards
- Post-incident forensic investigations reveal the TPRM policy was never updated after previous vendor breaches exposed control deficiencies
Testing procedure
How an auditor verifies this control
- Obtain the current version of the Third-Party Risk Management policy document from the governance or compliance team
- Review the policy signature page or approval record to identify the approving authority and verify that it includes board members or C-level executives such as the CEO, CIO, CISO, or a Risk Committee
- Verify that the approval date on the policy signature page or approval memo falls within the 12 calendar months preceding the audit date
- Request and examine board meeting minutes, executive committee minutes, or formal resolution documents that reference the TPRM policy approval or annual review discussion
- Interview the policy owner or compliance officer to confirm the annual review process, including triggers for interim updates and distribution to stakeholders
- Obtain evidence of the most recent annual review activity, such as review checklists, change logs, version control records, or a memo confirming that no changes were required
- Compare the current policy version against the previous year's version to identify substantive updates reflecting business changes, regulatory updates, or lessons learned from vendor incidents
- Verify that the policy distribution list includes key stakeholders such as procurement, legal, IT, security, and business unit leaders to confirm organizational awareness