Key Questions to Ask to Improve Your Third-Party IT Risk Management Program

Schaumburg, Ill. (22 Aug. 2019) — As recent data breaches have shown, vendors can be an overlooked entry point into organizations’ data. Enterprises wanting to ensure that they stay ahead of these risks can access best practices in a new paper from ISACA and OneTrust Vendorpedia, titled “Managing Third-Party Risk: Cyberrisk Practices for Better Enterprise Risk Management.”


“It’s become very clear that third-party risk is enterprise risk,” says Jack Freund, Ph.D., CISA, CRISC, CISM, CIPP/US, CIPT, CISSP, FIP, Director, Risk Science, RiskLens, and a member of ISACA’s CRISC Certification Working Group, lead developer of the white paper. “However, with careful attention and resources devoted to improving their third-party risk management programs, enterprises can maintain safe and healthy relationships with suppliers and avoid potentially catastrophic third-party breaches.”


The “Managing Third-Party Risk” resource provides risk management professionals with a foundational understanding of the full spectrum of third-party risk management, spanning third-party governance, assessment, analysis, closeout and monitoring. Enterprises will be able not only to start with the basics of defining third-party management roles within their organizations, but also to receive guidance for mastering each step of the process.


Included in the paper are nine specific questions that professionals should ask during the third-party risk assessment process, including:


● Does the use of this third party involve any external-facing systems (including cloud)?
● Will the use of this third party introduce any net new technologies to the enterprise?
● How much time does an adversary need to compromise systems and access data?
● What level of effort is required overall from the threat agent to compromise the third party?


The guide also includes six key questions to ask when engaging in threat modeling. “Managing Third-Party Risk” gives enterprises a tool to help them organize and coordinate their approach to a third-party risk management program—and set themselves on a strong path away from third-party attacks and damaging headlines.


“Third-party risk management is not a new concept, yet the risks posed to enterprises have evolved,” said Kevin Kiley, Vice President, OneTrust. “An increasing reliance on third-party vendors, new privacy regulations, shifting cybersecurity threats, and frequent data breaches have upended the third-party risk landscape and third-party risk programs must adapt to solve both security and privacy challenges. The ISACA and OneTrust Vendorpedia white paper will help enterprises more efficiently and effectively tackle these challenges.”


Additionally, ISACA and OneTrust will be offering a complimentary webinar on this topic, “How to Manage Third-Party Risk for Better Enterprise Risk Management,” on 3 October 2019 at 12 pm (EDT) / 11 am (CDT) / 9 am (PDT) / 16:00 (UTC). In this 60-minute webinar, Kelsey Naschek, CIPP/E, CIPM, privacy engineer, OneTrust Vendorpedia, will dive into the key processes organizations should undertake to manage vendor risk, as well as the best practices they can put in place when assessing, onboarding, monitoring and offboarding third-party vendors. ISACA members can earn one CPE by completing the webinar. To learn more and register, visit


To access the complimentary “Managing Third-Party Risk” white paper, visit Additional research, guidance and articles on risk management from ISACA can be found at



Now in its 50th anniversary year, ISACA ( is a global association helping individuals and enterprises achieve the positive potential of technology. Today’s world is powered by information and technology, and ISACA equips practitioners with the knowledge, credentials, education and community to advance their careers and transform their organizations. ISACA leverages the expertise of its 460,000 engaged practitioners—including its 140,000 members—in information and cybersecurity, governance, assurance, risk and innovation, as well as its enterprise performance subsidiary, CMMI Institute, to help advance innovation through technology. ISACA has a presence in more than 188 countries, including more than 220 chapters worldwide and offices in both the United States and China.




About OneTrust

OneTrust is the #1 most widely used privacy, security and third-party risk technology platform, trusted by more than 3,000 companies to comply with the CCPA, GDPR, ISO27001 and hundreds of the world’s privacy and security laws. OneTrust’s three primary offerings include OneTrust Privacy Management Software, OneTrust PreferenceChoice™ consent and preference management software, and OneTrust Vendorpedia™ third-party risk management software and vendor risk exchange. To learn more, visit or connect on LinkedIn, Twitter and Facebook.