Every breach report for the last five years tells the same story: your vendors are your weakest link. Yet 70% of mid-market companies still run TPRM out of a SharePoint folder and a spreadsheet. Here is the 90-day plan to fix that.
Why TPRM matters more than ever
The numbers are punishing. Verizon DBIR data shows the share of breaches involving a third party has more than doubled over the past three years. SolarWinds, Kaseya, MOVEit, Snowflake – the pattern is consistent: attackers compromise one provider and pivot into dozens or thousands of customers. Regulators have noticed. SEC cybersecurity disclosure rules, EU DORA, OCC guidance for banks, and HIPAA all impose explicit third-party risk obligations.
The four phases of a TPRM program
| Phase | Days | Outcome |
|---|---|---|
| 1. Inventory and tier | 1-21 | Complete vendor list, tiered by criticality |
| 2. Risk assess | 22-49 | Tier-appropriate due diligence on each vendor |
| 3. Contract and onboard | 50-70 | Contracts include security clauses, BAAs, DPAs |
| 4. Monitor continuously | 71-90+ | Ongoing monitoring, annual reassessment |
Days 1-21: Inventory and tier
Most organizations underestimate their vendor count by 3-5x. Pull vendor lists from accounts payable, the SSO provider, expense reports, and email subscription tools, then triangulate across them. The output is one row per vendor with: name, owner, data accessed, system access type, and criticality tier (1-3).
- Tier 1 (Critical): Vendor failure or breach would cause material business impact within 24 hours. Examples: payment processor, primary cloud provider, identity provider.
- Tier 2 (High): Significant impact within a week. Examples: CRM, key SaaS tools, MSP.
- Tier 3 (Standard): Limited impact. Examples: meeting transcription, scheduling tools, vanilla marketing tools.
Days 22-49: Risk assessment
Tier-appropriate due diligence prevents wasted cycles. Apply this matrix:
| Tier | Minimum diligence | Frequency |
|---|---|---|
| Tier 1 | SOC 2 Type II + custom questionnaire + on-site or video walkthrough | Annual |
| Tier 2 | SOC 2 Type II OR custom questionnaire | Annual |
| Tier 3 | SIG Lite or attestation | Every 2 years |
Standardize on either the SIG Lite or CAIQ for SaaS-heavy vendors. Custom questionnaires for high-risk relationships should add no more than 10-15 questions on top of an industry-standard base.
The trust center shortcut
Vendors increasingly publish SOC 2, ISO 27001, and pen test reports in self-service trust centers. Accept these in lieu of questionnaires for Tier 2 and Tier 3 vendors with strong attestations. This saves weeks per cycle.
Days 50-70: Contract and onboard
Three documents every Tier 1 and Tier 2 vendor needs:
- MSA with security addendum: Notification timelines, audit rights, termination triggers, data return.
- Data Processing Addendum (DPA): Required under GDPR and most US state privacy laws when the vendor processes personal data.
- Business Associate Agreement (BAA): Required if the vendor touches PHI.
Contract terms most teams miss: breach notification within 72 hours, right to receive audit reports annually, sub-processor approval requirements, cyber liability insurance minimums, and termination assistance with data return obligations.
Days 71-90+: Continuous monitoring
Annual reassessment is the floor. Real programs monitor security ratings (BitSight, SecurityScorecard), breach disclosures via threat intel feeds, SOC 2 bridge letters between annual reports, sub-processor changes, and financial health of critical vendors.
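As an added example (not part of the original plan or any vendor's product), the script below applies the four phases above to a constructed inventory: it checks each vendor's evidence against the tier diligence matrix, flags the missing MSA security addendum, DPA or BAA based on tier and data accessed, and computes whether reassessment is overdue at the tier's cadence. The vendor names, evidence labels and review date are made-up assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

# Diligence matrix from the plan: any one option set satisfies the tier.
REQUIRED_EVIDENCE = {
    1: [{"soc2_type2", "questionnaire", "walkthrough"}],  # all three required
    2: [{"soc2_type2"}, {"questionnaire"}],               # either one
    3: [{"sig_lite"}, {"attestation"}],                   # either one
}
REASSESS_DAYS = {1: 365, 2: 365, 3: 730}  # annual / annual / every 2 years
AS_OF = date(2025, 3, 1)  # constructed review date for the sample run

@dataclass
class Vendor:
    name: str
    owner: str
    tier: int
    data: Set[str]            # data accessed, e.g. {"pii", "phi"}
    evidence: Set[str]        # diligence artefacts on file
    contracts: Set[str]       # {"msa_security_addendum", "dpa", "baa"}
    last_assessed: Optional[date]

def findings(v: Vendor, today: date) -> List[str]:
    """Return the gaps for one vendor against the tiering and contract rules."""
    issues = []
    if not any(option <= v.evidence for option in REQUIRED_EVIDENCE[v.tier]):
        issues.append("diligence below Tier %d minimum" % v.tier)
    if v.tier in (1, 2) and "msa_security_addendum" not in v.contracts:
        issues.append("missing MSA security addendum")
    if "pii" in v.data and "dpa" not in v.contracts:
        issues.append("missing DPA")
    if "phi" in v.data and "baa" not in v.contracts:  # PHI needs a BAA at any tier
        issues.append("missing BAA")
    if v.last_assessed is None:
        issues.append("never assessed")
    elif today > v.last_assessed + timedelta(days=REASSESS_DAYS[v.tier]):
        issues.append("reassessment overdue")
    return issues

def review_inventory(vendors: List[Vendor], today: date) -> Dict[str, List[str]]:
    """Map vendor name -> list of findings; an empty list means clean."""
    return {v.name: findings(v, today) for v in vendors}

# Constructed sample inventory (hypothetical vendors, not real companies).
SAMPLE = [
    Vendor("Acme Payments", "finance", 1, {"pii"}, {"soc2_type2", "questionnaire"},
           {"msa_security_addendum", "dpa"}, date(2024, 1, 15)),
    Vendor("CloudCRM", "sales", 2, {"pii"}, {"questionnaire"},
           {"msa_security_addendum", "dpa"}, date(2024, 9, 1)),
    Vendor("NoteTaker AI", "ops", 3, {"phi"}, {"attestation"}, set(), date(2024, 6, 1)),
]
```

Running `review_inventory(SAMPLE, AS_OF)` flags the Tier 1 processor for a missing walkthrough and an overdue reassessment, and the Tier 3 transcription tool for a missing BAA despite its light diligence requirement.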
The minimum viable TPRM tech stack
- Vendor inventory database (Notion or Airtable to start)
- Questionnaire automation (Loopio, OneTrust, or QAE TPRM)
- Continuous monitoring via a security ratings provider
- Contract repository with key terms extracted
- Quarterly executive risk report
Bottom line
TPRM is not a one-time project. It is an operating discipline. The 90-day plan gets you from spreadsheet to systematic. Year two is about deepening continuous monitoring. Year three is about pushing accountability into business owners with formal ownership and review cadences.
Want to skip the spreadsheet years?
QAE automates evidence collection across 200+ integrations, maps controls across 20+ frameworks, and gets you audit-ready in 11 weeks.