Third-Party Risk Management: A Practical Guide

Thirty percent of breaches in 2025 involved a third party. The number doubled in a single year — the largest single-year shift ever recorded in the Verizon Data Breach Investigations Report. If your organization works with vendors, contractors, SaaS providers, or managed service partners, your attack surface does not end at your perimeter. It extends into every system your suppliers touch.
Third-party risk management — or TPRM — is the discipline of identifying, assessing, and reducing the risk your vendors introduce to your organization. It is not a checklist exercise. Done properly, it is a continuous program aligned to your risk tolerance, your regulatory obligations, and the criticality of each vendor relationship.
Why Third-Party Exposure Keeps Growing
Organizations are more dependent on outside vendors than at any point in history. The average organization manages 286 vendors — up from 237 the prior year, according to recent TPRM industry data. Each vendor relationship introduces a dependency. Each dependency introduces a potential failure point.
The Canadian Centre for Cyber Security (CCCS) addresses this directly in ITSAP.10.070, its guidance on assessing cyber supply chain risk. CCCS recommends evaluating suppliers not only on their direct security posture, but on their ability to manage their own third-party dependencies — what the guidance refers to as second- and third-tier suppliers. A breach at a vendor’s vendor is still your problem when the affected party has access to your data or systems.
The financial stakes are significant. Supply chain compromises now cost an average of $4.91 million per incident and take 267 days to identify and contain — the longest breach lifecycle of any attack vector tracked. Canadian organizations experienced 410 confirmed breaches in 2025, the majority tied to third-party vendor compromises or ransomware delivered through supply chain pathways. According to the SecurityScorecard 2025 Global Third-Party Breach Report, breaches routed through a third party cost 17 times more to remediate than direct first-party incidents.
What a TPRM Program Looks Like in Practice
A mature third-party risk program starts with a vendor inventory. You cannot assess what you have not identified. Map every external relationship — cloud providers, software vendors, payroll processors, IT support contractors, legal firms with access to sensitive data. Assign each a risk tier based on the data they access, the systems they touch, and the services they deliver.
From there, the program moves to risk assessment. This is where many organizations stall. Sending a questionnaire and filing the response is not an assessment. An effective assessment cross-references vendor responses against objective evidence — security certifications, audit reports, penetration test results, and in some cases independent security ratings.
CCCS guidance under ITSG-33, the Canadian federal security control framework, includes supply chain integrity as a control requirement. For organizations operating under federal contracts or supporting critical infrastructure, vendor security is not optional — it is a documented control requirement subject to review.
After assessment comes the contractual layer. Your vendor agreements need to reflect your risk requirements. Security clauses, breach notification timelines, audit rights, and data handling obligations should all appear in contracts before a vendor goes live — not after an incident.
Ongoing Monitoring Is Not Optional
A one-time assessment at onboarding is not sufficient. Vendors change. Their technology changes. Their subcontractor relationships change. A vendor with a clean security posture today may acquire a poorly secured company tomorrow, or introduce a new cloud tool that falls outside your original review scope.
Ongoing monitoring means revisiting vendor risk on a defined schedule — annually at minimum for low-risk vendors, more frequently for those with access to sensitive or regulated data. It also means watching for signals between scheduled reviews: breach disclosures, regulatory actions, major organizational changes, or new public vulnerability disclosures involving your vendor’s technology stack.
If your organization operates in a federally regulated sector — financial services, telecommunications, energy, or transportation — the CCCS Cyber Security Readiness Goals (CRGs) explicitly address supply chain security as one of six pillars. Regulators are looking for evidence of vendor risk management as part of their oversight activities.
Who Should Own This Program
TPRM sits at the intersection of information security, procurement, legal, and senior leadership. The person responsible needs to understand risk frameworks, contract requirements, and organizational priorities simultaneously. This combination of knowledge is precisely what structured security governance training addresses.
The Certified Information Security Risk Manager (CISRM) designation from Mile2 covers risk identification, assessment, and treatment frameworks at a level applicable to vendor risk programs. The Certified Information Systems Security Manager (CISSM) builds the management-level competencies needed to design and operate programs that extend across organizational boundaries — including into your supply chain.
If your role involves managing third-party relationships, reviewing vendor contracts, or reporting on supplier risk to leadership or a board, you need a structured foundation. A vendor questionnaire without the knowledge to evaluate the answers is not risk management. It is documentation.
Getting Started
Start with your highest-risk vendors. Identify which suppliers have access to your most sensitive data or your most critical systems. Assess those first. Build the framework. Then extend it across your vendor population in order of risk priority.
The CCCS provides practical guidance for Canadian organizations through its supply chain risk resources, including ITSAP.10.070 and ITSAP.00.070 for smaller organizations. Use these as your baseline. Align your internal controls to what Canadian authorities require — and build from there.
Third-party risk does not manage itself. Your vendors will not self-report their weaknesses. The responsibility sits with your organization, and it starts with having people in the right roles with the right knowledge to do the work.
