Third-Party Risk Management
Document owner: Chief Information Security Officer (CISO), with VP Procurement as co-owner
Effective date: January 1, 2026
Last updated: January 15, 2026
Review cadence: Annual policy review; continuous vendor monitoring
Company: Acme Cloud, Inc.
Address: 1200 Market Street, Suite 400, San Francisco, CA 94103
This policy defines how Acme Cloud, Inc. identifies, assesses, monitors, and mitigates risks associated with third-party vendors, subprocessors, and service providers. It supports SOC 2 CC9.2 (risk mitigation activities, including vendor and business partner risk), ISO/IEC 27001:2013 Annex A.15 (supplier relationships; the corresponding controls in the 2022 edition are A.5.19 through A.5.23), GDPR Article 28 (processor obligations), and HIPAA §164.308(b)(1) (business associate contracts).
Purpose & Scope
Third-party risk management (TPRM) ensures vendors do not introduce unacceptable security, privacy, operational, legal, or reputational risk to Acme Cloud or our customers. Scope includes all vendors with access to Acme Cloud systems, customer data, personal information, or critical business functions.
Subprocessors that process customer data on our behalf are managed under this policy and publicly listed in our Subprocessor List. Vendor ethical and labor standards are defined in our Vendor Code of Conduct.
Vendor Tiering
Vendors are classified into tiers based on data access, criticality, and spend:
| Tier | Criteria | Examples | Assessment depth | Reassessment frequency |
|---|---|---|---|---|
| Tier 1 — Critical | Customer data processing, production infrastructure, or >$500K annual spend | AWS, Stripe, Okta, OpenAI | Full security review + SOC 2/ISO evidence + contract security exhibit | Annual |
| Tier 2 — Significant | Internal data access, important business function, or $50K–$500K spend | Datadog, SendGrid, Zendesk | Security questionnaire + certification review | Annual |
| Tier 3 — Standard | Limited data access or <$50K spend | Marketing tools, office supplies | Standard questionnaire | Every 2 years |
| Tier 4 — Low risk | No data access, non-critical | Event venues, minor SaaS | Basic terms acceptance | At renewal |
Tier classification is reviewed at onboarding and upon material contract changes. Tier 1 vendors require CISO approval before contract execution.
Vendor Lifecycle
1. Identification & Business Justification
Business owners submit vendor requests through the procurement portal with: business purpose, data types accessed, integration scope, estimated annual spend, and alternatives considered. The Privacy and Security teams are automatically notified of all Tier 1 and Tier 2 requests.
2. Security & Privacy Assessment
| Assessment component | Tier 1 | Tier 2 | Tier 3 | Tier 4 |
|---|---|---|---|---|
| Security questionnaire (SIG Lite or custom) | Required | Required | Simplified | N/A |
| SOC 2 Type II or ISO 27001 | Required (report or certificate issued within the last 12 months) | Required, or equivalent independent assurance | Preferred | N/A |
| Privacy / GDPR assessment | Required | If personal data | If personal data | N/A |
| Penetration test summary | Requested | Optional | N/A | N/A |
| Business continuity review | Required | If critical function | N/A | N/A |
| Modern slavery questionnaire | Required | Required | If >$25K spend | N/A |
Assessment results are documented in the GRC vendor registry with risk rating (Low, Medium, High, Critical) and remediation requirements.
3. Contracting
Standard contract templates include:
- Vendor Code of Conduct incorporation
- Data protection terms (DPA where personal data processed)
- Security exhibit specifying encryption, access control, and security incident notification to Acme Cloud within 24 hours of discovery
- Subprocessor change notification (30 days' advance notice for Tier 1 vendors)
- Audit rights for Tier 1 vendors
- Business continuity requirements
- Termination and data return/deletion per Data Retention Policy
- Right to terminate for security or compliance breach
Non-standard terms require Legal and CISO review.
4. Onboarding & Integration
Before production access:
- Vendor personnel complete security awareness acknowledgment
- Access provisioned per Access Control Policy (least privilege, MFA)
- Integration architecture reviewed by Security Engineering
- Subprocessor List updated where the vendor will process customer data (30-day advance customer notification before processing begins)
5. Ongoing Monitoring
| Activity | Frequency | Owner |
|---|---|---|
| Certification renewal verification | Annual (Tier 1/2) | GRC |
| Adverse media / breach monitoring | Continuous (Tier 1); quarterly (Tier 2) | Security Engineering |
| Performance review | Quarterly (Tier 1); annual (Tier 2) | Business owner |
| Access review | Quarterly (vendors with system access) | Security Engineering |
| Subprocessor change review | As notified | Privacy + GRC |
| Re-assessment questionnaire | Per tier schedule | GRC |
Material vendor security incidents trigger immediate assessment and may result in suspension pending investigation.
6. Offboarding
| Step | Timeline | Requirement |
|---|---|---|
| Access revocation | Within 24 hours of termination notice | All systems, credentials, API keys, and integrations |
| Data return/deletion | Per contract (typically 30 days) | Deletion certificate required |
| Subprocessor list update | 30 days before termination (if customer data) | Customer notification |
| Knowledge transfer | Per business owner plan | Documentation of dependencies |
| Final assessment | Within 30 days | Confirm no residual access or data |
Subprocessor Management
Subprocessors processing customer personal data receive enhanced scrutiny:
- Listed publicly on Subprocessor List
- DPA obligations flow down per Data Processing Agreement
- 30-day advance notice to customers before adding or changing subprocessors
- Customer objection rights for material subprocessor changes
- Annual reassessment minimum for all data-processing subprocessors
Current subprocessors include AWS, Stripe, Twilio SendGrid, Cloudflare, Datadog, and OpenAI (AI features only). See Subprocessor List for complete details.
Risk Acceptance & Escalation
| Risk level | Approval authority | Conditions |
|---|---|---|
| Low | Business owner + GRC | Document in registry |
| Medium | CISO or CPO (by domain) | Compensating controls required |
| High | CISO + business VP | Remediation plan with timeline; enhanced monitoring |
| Critical | CEO + Audit Committee notification | Temporary only; migration plan mandatory |
Risk acceptance is time-limited (maximum 12 months) and requires re-evaluation at expiration.
Metrics & Reporting
| Metric | FY2025 result |
|---|---|
| Active vendors (all tiers) | 186 |
| Tier 1 vendors | 12 |
| Assessments completed | 58 |
| High/Critical risks identified | 7 (all remediated or accepted with controls) |
| Vendor-related security incidents affecting Acme Cloud or customer data | 0 |
| Average Tier 1 assessment time | 12 business days |
Quarterly TPRM metrics reported to CISO and Audit Committee. Annual summary included in SOC 2 audit evidence.
Framework Mapping
| Control | SOC 2 | ISO 27001 | GDPR | HIPAA |
|---|---|---|---|---|
| Vendor risk assessment | CC9.2 | A.15.1.1 | Art. 28(1) | §164.308(b)(1) |
| Contractual requirements | CC9.2 | A.15.1.2 | Art. 28(3) | BAA requirements |
| Ongoing monitoring | CC9.2 | A.15.2.1 | Art. 28(3)(h) | §164.308(b)(4) |
| Subprocessor management | CC9.2 | A.15.1.2 | Art. 28(2), (4) | BAA chain |
Related Documents
- Subprocessor List
- Vendor Code of Conduct
- Security Overview
- Data Processing Agreement
- Modern Slavery Statement
- Compliance Frameworks
Vendor Security Incident Response
When a vendor reports or Acme Cloud detects a vendor security incident:
| Step | Timeline | Action |
|---|---|---|
| Notification receipt | 0 hours | Log in GRC; assign incident owner |
| Impact assessment | 4 hours | Determine Acme Cloud/customer data exposure |
| Containment | 24 hours | Suspend vendor access if needed |
| Customer notification | 24–72 hours | If customer data affected |
| Remediation verification | Per vendor SLA | Re-assess before restoring access |
FY2025 vendor incidents: 2 vendor-reported events (no Acme Cloud customer data affected); 0 Tier 1 vendor breaches.
Vendor Diversity Integration
Vendor diversity goals are integrated into TPRM: diverse suppliers receive onboarding support; assessment requirements calibrated to tier; and diverse vendor spend tracked per DEI Report.
Vendor Inventory Statistics (FY2025)
| Tier | Active vendors | New onboarded | Terminated | Re-assessed |
|---|---|---|---|---|
| Tier 1 | 12 | 2 | 0 | 12 |
| Tier 2 | 34 | 8 | 3 | 34 |
| Tier 3 | 89 | 22 | 11 | 45 |
| Tier 4 | 51 | 15 | 18 | N/A |
| Total | 186 | 47 | 32 | 91 |
Vendor termination triggers the offboarding checklist; GRC verifies its completion within 30 days of the termination date.
Continuous Monitoring Tools
Acme Cloud uses SecurityScorecard and Bitsight for continuous external security-posture monitoring of Tier 1 vendors. A score drop below the defined threshold triggers a reassessment. Adverse media and breach monitoring via a commercial threat intelligence platform covers all Tier 1 and Tier 2 vendors.
Vendor Concentration Risk
Acme Cloud monitors vendor concentration: AWS represents critical infrastructure dependency mitigated by multi-region architecture; no single vendor except AWS exceeds 15% of operational spend. Concentration risk reviewed annually by CISO and CFO with Board Audit Committee briefing.
TPRM program maturity is self-assessed against the supplier risk management practices in NIST SP 800-161 Rev. 1. FY2025 self-assessment: maturity Tier 3 (repeatable program with defined processes). FY2026 target: maturity Tier 4 (managed and measurable). These maturity tiers are distinct from the vendor tiers defined above.
Contact
Acme Cloud, Inc.
1200 Market Street, Suite 400, San Francisco, CA 94103
trust@acmecloud.com | security@acmecloud.com | vendor-compliance@acmecloud.com