Third-Party Risk Management (TPRM)

Manage and Mitigate Third-Party Security Risks

Third-Party Risk Management (TPRM): vendor registry with risk level and status, vendor assessments, vendor documents, questionnaire templates with questions and conditional logic, filling and viewing questionnaires, links for external vendor filling, reports, and export.

Key Benefits

Vendors & Assessments

A single vendor registry with contacts, services, data access level, risk level, and status. Vendor assessments: date, next review, security, compliance, financial, and operational scores, overall score, conclusions, and recommendations. Assessment status: draft, in progress, completed, approved, rejected. Vendor documents: contracts, SLAs, certificates, insurance with expiration dates.

Questionnaires & Templates

Questionnaire templates by category (security, compliance, financial, etc.). Question types: yes/no, multiple choice, scale 1–5, text; conditional logic: show questions based on previous answers. Question weight and correct answer for automatic scoring. Vendor questionnaire: filled in from the template, with answers, scores and completion percentage, an optional link to an assessment, and evidence. Review and verify completed questionnaires.

External Link for Vendors

Create a unique link for a vendor: the link allows filling out a questionnaire without logging into SecBoard. Configuration: link expiration date, single-use, or maximum number of uses. First and last visit and IP are recorded. Link status: active, expired, used, revoked. If the questionnaire does not yet exist, it is created based on the template upon the first link opening.

Dashboard, Reports & Access

TPRM dashboard: total vendors, active assessments, high-risk vendors, questionnaires; distribution by risk level and status. Reports and data export for analytics. Guide with country-specific translations. Access by groups and companies; separate permissions for vendors, assessments, documents, templates, questions, questionnaires, dashboard, reports, export, and changing risk level/status.

Features & Capabilities

Vendors & Assessments

  • Vendor registry: name, description, website, contact person, email, phone
  • Risk level and status
  • Services, data access level, company; add, edit, delete
  • Vendor assessments: assessment date, next review, status; security, compliance, financial, operational scores, overall score
  • Conclusions, recommendations; assessor and approver
  • Documents: type (contract, SLA, security/compliance certificate, insurance, other), name, file, expiration date; bulk delete

Questionnaire Templates & Questions

  • Templates: name, description, category (security, compliance, financial, operational, data privacy, business continuity)
  • Questions: text, type; answer options for multiple choice
  • Conditional logic: parent question and condition (e.g., show if answer is "yes")
  • Question weight, correct answer for automatic scoring; order, required, hint
  • Add, edit, delete templates; duplicate template

Questionnaires & External Links

  • Vendor questionnaires: linked to vendor and template, optionally to assessment
  • Status: not started, in progress, completed, reviewed; scores and completion percentage
  • Filling the questionnaire: answers to questions (considering conditional logic); evidence (document, notes)
  • External filling link: unique token, vendor, template or existing questionnaire
  • Link expiration date, single-use or maximum number of uses; status
  • Record of first/last visit and IP; public link opening without authentication

Dashboard, Reports & Access

  • TPRM dashboard: total vendors, active assessments, high-risk vendors, questionnaires
  • Distribution of vendors by risk level and status; filter by company
  • Reports and TPRM data export
  • Guide with country-specific translations
  • Access by groups and companies; permissions for vendors, assessments, documents, templates, questions, questionnaires, dashboard, reports, export, changing risk level and status

Use Cases

Vendor Registration and Assessment

Add vendors with contacts, list of services, and data access level. Assign a risk level and status. Conduct assessments: specify the assessment date and next review date, fill in security, compliance, financial, and operational scores (0–100). The system calculates the overall score. Add conclusions and recommendations; after completion, the assessment can be approved or rejected. Add documents (contracts, certificates, SLAs) with expiration dates for monitoring.

Questionnaires for Data Collection from Vendors

Create questionnaire templates by category (security, compliance, etc.). Add questions with types yes/no, multiple choice, scale 1–5, or text. Configure conditional logic: some questions are shown only based on a specific answer to a previous question. Specify the weight and correct answer for scoring. For a vendor, create a questionnaire based on the template (optionally linked to an assessment). Fill out the questionnaire or send the vendor a link for external filling.

External Link for Vendors

Create a link for a vendor: select the vendor and template (or an existing questionnaire). Set the link's expiration date and restrictions (single-use or maximum uses). Copy the URL and send it to the vendor. The vendor opens the link without logging into SecBoard and fills out the questionnaire. The system records the visit time and IP. After submission, review the answers and scores in SecBoard.

Dashboard and Reports

On the TPRM dashboard, view summaries: total number of vendors, number of assessments with status "in progress" or "draft", vendors with high or critical risk, questionnaires. Filter by company. Use reports and data export for analytics and reporting to management or auditors.

Access Segregation by Company

Access to the TPRM module is configured by user groups. Each group is assigned a list of companies; users see only vendors from those companies (or vendors not linked to a company). Separate permissions: view/edit/delete vendors, conduct/approve assessments, documents, templates and questions, questionnaires, dashboard, reports, export, change vendor risk level and status.

Technical Details

Architecture

TPRM module: vendors linked to a company; vendor assessments with scores by criteria and overall score; vendor documents (files in project storage). Questionnaire templates with categories; questions with types and conditional logic (parent question and display condition). Vendor questionnaires with answers and calculated scores. External filling links: unique token, expiration date, usage limits, visit tracking; public URL without authentication. Dashboard, reports, export. Guide with country-specific translations. Data in the project database.

Security

Access is managed by groups and a company list; permission checks when viewing and modifying vendors, assessments, documents, templates, questionnaires, and links. The public questionnaire link is identified only by token; expiration date and usage limits mitigate abuse. CSRF protection for forms; input validation. Document files are stored with access restricted by module permissions.

Scalability

Lists of vendors, assessments, questionnaires, and links are paginated and filterable; queries are scoped to the company. Conditional logic is evaluated when the questionnaire's questions are displayed. Reports and export are generated within a single request. Suitable for a standard project deployment.

Customization

Vendor risk levels and statuses; document types; questionnaire template categories; question types. Separate group-based access permissions: vendors, assessments, documents, templates, questions, questionnaires, dashboard, reports, export, change risk level and status. Company list for visibility restriction. Guide with basic content and country-specific translations.

Frequently Asked Questions

What is a vendor assessment?

A vendor assessment is a record with an assessment date, next review date, and status (draft, in progress, completed, approved, rejected). Scores are filled in for criteria 0–100: security, compliance, financial, operational. The overall score is calculated as the average of these scores. Conclusions and recommendations are added; the assessor and approver are specified. The assessment is linked to a vendor.

How does conditional logic in questionnaires work?

A question can have a parent question and a condition (e.g., "show if answer is yes" or "if the scale is 1–3"). When filling out the questionnaire, the child question is shown only when the answer to the parent question meets the specified condition. This allows building question branches based on answers (e.g., additional questions only for those who answered "yes").

What is an external filling link?

This is a unique link (a URL carrying a token) sent to the vendor. When opening the link, the vendor can fill out the questionnaire without logging into SecBoard. You can set the link's expiration date, single-use, or a maximum number of opens. The system records the first and last visit and IP. Link status: active, expired, used, revoked. If the questionnaire does not yet exist, it is created based on the selected template upon the first opening.
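The link lifecycle described here and in the Security section (token-only identification, expiration date, single-use or maximum-uses limit, visit and IP recording, questionnaire created on first opening) is shown below as an added example; it is not SecBoard's own code. All names (`ExternalLink`, `create_link`, `open_link`, `revoke_link`, the status strings, the questionnaire id format) are assumptions. Two hardening choices are also assumptions rather than documented behaviour: the token is generated with `secrets.token_urlsafe` so it cannot be guessed, and only its SHA-256 hash is stored, so a leaked link table does not yield usable URLs.

```python
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple


@dataclass
class ExternalLink:
    """Server-side record for one external filling link (field names are assumed)."""
    token_hash: str                      # SHA-256 of the token; the plaintext token is never stored
    vendor_id: str
    template_id: str
    expires_at: datetime
    max_uses: int                        # 1 = single-use link
    uses: int = 0
    status: str = "active"               # active | expired | used | revoked
    questionnaire_id: Optional[str] = None
    first_visit: Optional[datetime] = None
    last_visit: Optional[datetime] = None
    last_ip: Optional[str] = None


def hash_token(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def create_link(vendor_id: str, template_id: str, ttl: timedelta,
                max_uses: int = 1, now: Optional[datetime] = None) -> Tuple[str, ExternalLink]:
    """Mint a link. Returns the plaintext token (shown once, to be copied into the URL) and the record."""
    now = now or datetime.now(timezone.utc)
    token = secrets.token_urlsafe(32)    # 256 bits of randomness; unguessable
    link = ExternalLink(hash_token(token), vendor_id, template_id, now + ttl, max_uses)
    return token, link


def revoke_link(link: ExternalLink) -> None:
    link.status = "revoked"


def open_link(registry: Dict[str, ExternalLink], token: str, client_ip: str,
              now: Optional[datetime] = None) -> Tuple[Optional[str], str]:
    """Unauthenticated open of a public link. Returns (questionnaire_id, outcome).

    Every rejection path is checked before any state is touched, so a revoked or
    expired link never records a visit or creates a questionnaire."""
    now = now or datetime.now(timezone.utc)
    link = registry.get(hash_token(token))   # hash lookup, no plaintext comparison
    if link is None:
        return None, "not_found"
    if link.status == "revoked":
        return None, "revoked"
    if now >= link.expires_at:
        link.status = "expired"
        return None, "expired"
    if link.status == "used" or link.uses >= link.max_uses:
        link.status = "used"
        return None, "used"

    # Accepted: record the visit (first/last time and IP) and consume one use.
    link.uses += 1
    link.first_visit = link.first_visit or now
    link.last_visit = now
    link.last_ip = client_ip
    if link.questionnaire_id is None:
        # The questionnaire is created from the template on the first opening (id format assumed).
        link.questionnaire_id = f"q-{link.vendor_id}-{link.template_id}"
    if link.uses >= link.max_uses:
        link.status = "used"
    return link.questionnaire_id, "ok"


if __name__ == "__main__":
    t0 = datetime(2025, 1, 1, tzinfo=timezone.utc)           # constructed clock for the demo
    token, link = create_link("v1", "tpl-sec", timedelta(days=7), max_uses=2, now=t0)
    registry = {link.token_hash: link}
    print(open_link(registry, token, "203.0.113.5", now=t0 + timedelta(hours=1)))   # first open: ok
    print(open_link(registry, token, "203.0.113.6", now=t0 + timedelta(hours=2)))   # second open: ok, now "used"
    print(open_link(registry, token, "203.0.113.7", now=t0 + timedelta(hours=3)))   # third open rejected
```

The checks are ordered so that status transitions are recorded (a link past its date is marked `expired` on the attempt that discovers it), while a rejected attempt leaves `uses`, the visit timestamps and the questionnaire untouched. Passing `now` explicitly keeps the logic testable without patching the clock.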

How are scores calculated in the questionnaire?

Each question has a weight. For "yes/no" questions, a correct answer can be specified: if the answer matches, the full weight is awarded; otherwise, 0. For a scale of 1–5, the score is calculated proportionally (e.g., a fraction of the weight based on the scale). The total questionnaire score is the sum of the points from the answers; the completion percentage is the ratio to the maximum possible sum of weights from the relevant questions.
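The scoring rule above and the conditional-logic rule from the previous answer interact: a child question hidden by its parent's answer is not "relevant", so its weight drops out of both the total and the maximum. The example below, added here and not SecBoard's own code, carries both rules through on a constructed five-question template. Names (`Question`, `is_relevant`, `score_answer`, `score_questionnaire`, the condition keys `equals` and `scale_max`) are assumptions, as are three details the page leaves open: a scale answer earns `value / 5` of the weight, multiple-choice questions are scored like yes/no against their correct answer, and text questions carry weight 0 because they are reviewed manually.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Question:
    """One template question (field names assumed; attributes follow the page's list)."""
    id: str
    qtype: str                        # "yes_no", "multiple_choice", "scale" (1-5) or "text"
    weight: float
    correct_answer: Optional[str] = None
    parent_id: Optional[str] = None   # conditional logic: parent question ...
    condition: Optional[dict] = None  # ... and display condition, e.g. {"equals": "yes"} or {"scale_max": 3}


def is_relevant(q: Question, answers: Dict[str, str], by_id: Dict[str, Question]) -> bool:
    """A child is shown only if its parent is shown and the parent's answer meets the condition."""
    if q.parent_id is None:
        return True
    parent = by_id[q.parent_id]
    if not is_relevant(parent, answers, by_id):      # hidden parent hides the whole branch
        return False
    parent_answer = answers.get(parent.id)
    if parent_answer is None:                        # unanswered parent: child not yet shown
        return False
    cond = q.condition or {}
    if "equals" in cond:
        return parent_answer == cond["equals"]
    if "scale_max" in cond:
        return int(parent_answer) <= cond["scale_max"]
    return True


def score_answer(q: Question, answer: Optional[str]) -> float:
    """Points for one answer according to the question type (scale rule is an assumption)."""
    if answer is None:
        return 0.0
    if q.qtype in ("yes_no", "multiple_choice"):
        return q.weight if q.correct_answer is not None and answer == q.correct_answer else 0.0
    if q.qtype == "scale":
        value = int(answer)
        if not 1 <= value <= 5:
            raise ValueError(f"scale answer out of range: {answer!r}")
        return q.weight * value / 5                  # proportional share of the weight
    return 0.0                                       # text: reviewed by a person, not auto-scored


def score_questionnaire(questions: List[Question], answers: Dict[str, str]) -> Tuple[float, float, List[str]]:
    """Return (total points, completion percentage, ids of the questions actually shown)."""
    by_id = {q.id: q for q in questions}
    relevant = [q for q in questions if is_relevant(q, answers, by_id)]
    total = sum(score_answer(q, answers.get(q.id)) for q in relevant)
    max_total = sum(q.weight for q in relevant)     # only relevant questions count toward the maximum
    pct = round(100 * total / max_total, 1) if max_total else 0.0
    return total, pct, [q.id for q in relevant]


# Constructed sample template: two branches driven by conditional logic.
SAMPLE_QUESTIONS = [
    Question("q1", "yes_no", 10.0, correct_answer="yes"),
    Question("q2", "yes_no", 5.0, correct_answer="yes", parent_id="q1", condition={"equals": "yes"}),
    Question("q3", "scale", 20.0),
    Question("q4", "yes_no", 5.0, correct_answer="yes", parent_id="q3", condition={"scale_max": 3}),
    Question("q5", "text", 0.0),
]

# Constructed vendor answers. Vendor A encrypts at rest (q1 yes, so q2 appears) and rates itself 4 on
# the scale (q4 stays hidden); vendor B answers q1 no and rates itself 2, which reveals q4.
ANSWERS_A = {"q1": "yes", "q2": "no", "q3": "4", "q5": "AES-256 via cloud KMS"}
ANSWERS_B = {"q1": "no", "q3": "2", "q4": "yes", "q5": "Backups only"}

if __name__ == "__main__":
    print(score_questionnaire(SAMPLE_QUESTIONS, ANSWERS_A))   # (26.0, 74.3, ['q1', 'q2', 'q3', 'q5'])
    print(score_questionnaire(SAMPLE_QUESTIONS, ANSWERS_B))   # (13.0, 37.1, ['q1', 'q3', 'q4', 'q5'])
```

Note that an answer supplied for a hidden question (for instance a stale value left from before the parent was changed) is ignored on both sides of the ratio, which keeps a vendor from inflating the score through questions the logic never showed them.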

Can a questionnaire be linked to an assessment?

Yes. When creating a vendor questionnaire, it can be linked to a vendor assessment (optional). This maintains a connection between the data collected in the questionnaire and a specific risk assessment. The questionnaire results (scores, percentage) can be considered when filling out the assessment or in the conclusions.

How is access restricted by company?

Access is configured by user groups. Each group is assigned a list of companies; users only see vendors from those companies (or vendors not linked to a company, depending on implementation). If the company list is not specified, the group has access to all companies. Separate permissions are set for vendors, assessments, documents, templates, questionnaires, dashboard, reports, export, and changing risk level/status.
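The group model above (company list restricting visibility, an empty list meaning all companies, vendors without a company visible to everyone, and separate per-action permissions) can be expressed as one deny-by-default authorization check. The code below is an added example, not SecBoard's implementation; the class names, permission strings and the decision to require that visibility and permission come from the same group are assumptions.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional


@dataclass(frozen=True)
class Group:
    """A user group (names assumed). An empty company set means access to all companies."""
    name: str
    companies: FrozenSet[str]
    permissions: FrozenSet[str]   # e.g. "vendor.view", "vendor.edit", "vendor.change_risk"


@dataclass
class Vendor:
    id: str
    name: str
    company: Optional[str]        # None = vendor not linked to any company


def group_covers(group: Group, vendor: Vendor) -> bool:
    """Company visibility rule from the FAQ: unlinked vendors are visible; empty list = all companies."""
    return vendor.company is None or not group.companies or vendor.company in group.companies


def authorize(groups: Iterable[Group], permission: str, vendor: Vendor) -> bool:
    """Deny by default. The same group must both cover the vendor's company and grant the permission,
    so a broad read-only group cannot be combined with a narrow edit group to edit everything."""
    return any(group_covers(g, vendor) and permission in g.permissions for g in groups)


def visible_vendors(groups: Iterable[Group], vendors: Iterable[Vendor]) -> List[Vendor]:
    groups = list(groups)
    return [v for v in vendors if authorize(groups, "vendor.view", v)]


# Constructed sample data.
ANALYSTS_EU = Group("analysts-eu", frozenset({"acme-eu"}), frozenset({"vendor.view", "vendor.edit"}))
AUDITORS = Group("auditors", frozenset(), frozenset({"vendor.view", "report.view"}))   # all companies, read-only
RISK_OWNERS = Group("risk-owners", frozenset({"acme-eu", "acme-us"}),
                    frozenset({"vendor.view", "vendor.change_risk"}))

VENDORS = [
    Vendor("v1", "EU Hosting Ltd", "acme-eu"),
    Vendor("v2", "US Payroll Inc", "acme-us"),
    Vendor("v3", "Shared SaaS Co", None),
]

if __name__ == "__main__":
    for groups in ([ANALYSTS_EU], [AUDITORS], [ANALYSTS_EU, AUDITORS]):
        names = [g.name for g in groups]
        print(names, [v.id for v in visible_vendors(groups, VENDORS)])
```

With union semantics (any group grants visibility, any group grants the action) a user in `auditors` plus `analysts-eu` would be able to edit US vendors; requiring the pairing inside a single group keeps each group's scope honest.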

Is there a guide and translations?

Yes. The TPRM module includes a guide with basic content and country-specific translations. The guide's content can be translated using AI for quick addition of new languages (depending on project implementation).
