“We are ISO 27001 certified, are we DORA compliant?” Not so fast. ISO 27001 and DORA both focus on cybersecurity and risk management, but they serve very different purposes. If you're a financial institution or an ICT provider working with financial institutions in the EU, DORA compliance is mandatory, and ISO 27001 alone won’t get you there. Let’s break it down:

1. Regulatory vs. Voluntary Framework
↳ ISO 27001 – A voluntary international standard for information security management.
↳ DORA – A mandatory EU regulation for financial entities and their ICT providers, with strict oversight and penalties for non-compliance.

2. Scope and Focus
↳ ISO 27001 – Offers a customizable scope tailored to organizational needs, focusing on information security (confidentiality, integrity, availability) based on specific risk assessments and chosen controls.
↳ DORA – Enforces a standardized scope across financial entities, extending beyond security to operational resilience. It ensures institutions can withstand, respond to, and recover from ICT disruptions while maintaining service continuity.

3. Key Compliance Gaps
🔸 Incident Reporting
↳ ISO 27001 – Requires incident management but doesn’t impose strict deadlines or mandate reporting to regulators, as it is a flexible standard.
↳ DORA – 4 hours to report a major incident, 72 hours for an update, 1 month for a root cause analysis.
🔸 Security Testing
↳ ISO 27001 – Requires vulnerability management but leaves testing methods and frequency to organizational risk.
↳ DORA – Annual resilience testing, threat-led penetration testing every 3 years, continuous vulnerability scanning.
🔸 Third-Party Risk Management
↳ ISO 27001 – Covers supplier risk but with general security controls.
↳ DORA – Enforces contractual obligations, exit strategies, and regulatory audits for ICT providers working with financial institutions.

4. How can financial institutions and ICT providers address the delta?
✅ Perform a DORA Gap Analysis – Identify missing controls beyond ISO 27001. (Hopefully, you're not still at this stage now that DORA has been mandatory since January 17, 2025.)
✅ Upgrade Incident Response – Implement real-time monitoring and reporting mechanisms to meet DORA’s deadlines.
✅ Enhance Security Testing – Introduce formalized resilience testing and threat-led penetration testing.
✅ Strengthen Third-Party Risk Management – Update contracts, prepare for regulatory audits, and ensure exit strategies comply with DORA.
✅ Improve Business Continuity Planning – Move from cybersecurity alone to full digital operational resilience.

💡 ISO 27001 is just the tip of the iceberg - beneath the surface lie significant gaps that only DORA addresses.
👇 What’s the biggest challenge in aligning with DORA? Let’s discuss.
♻️ Repost to help someone.
🔔 Follow Amine El Gzouli for more.
Third-Party Risk Management
While the shift towards Zero Trust Architecture (ZTA) offers a robust solution to modern cyber threats, it also raises important considerations regarding organizational security dynamics and the role of third-party providers. Here are some key points to consider:

1. Third-Party Dependency:
- The move to Zero Trust often shifts security responsibilities from the organization to a third-party provider like Zscaler.
- This approach assumes that these providers have superior capabilities and expertise in securing organizational networks.

2. Microsegmentation:
- Proponents of ZTA argue that solutions like Zscaler can achieve effective microsegmentation.
- However, they often overlook that east-west traffic within an organization doesn't always pass through firewalls.
- Implementing microsegmentation internally can be more efficient than routing all traffic to the internet for scanning.

3. Supply Chain Vulnerabilities:
- Incidents like the SolarWinds breach and recent attacks on CrowdStrike are a grim reminder that third-party providers can become the weakest link.
- Relying solely on these providers creates a single point of failure in the security architecture.

4. Myth of Complete Zero Trust:
- The belief that Zero Trust can be fully realized through providers like Zscaler is a myth.
- True security requires a comprehensive, multi-layered approach.

5. Defense in Depth:
- Organizations should adopt a defense-in-depth strategy, integrating multiple security technologies and controls across various layers.
- This ensures that if one layer is compromised, others remain to mitigate the damage.

6. Diversified Security:
- Security risks should be diversified by implementing multiple technologies and partnering with various vendors.
- This approach prevents over-reliance on a single provider and enhances overall security resilience.

7. Organizational Control:
- While leveraging third-party solutions, organizations must retain control over their security posture.
- Building and maintaining internal controls is crucial to ensure comprehensive protection and minimize reliance on external entities.

In conclusion, while Zero Trust Architecture provides valuable security enhancements, it should be part of a broader, diversified defense strategy. Organizations must balance third-party solutions with robust internal controls and multiple layers of defense to ensure comprehensive protection against evolving cyber threats. What are your thoughts? I would like to hear from you to further refine our defense strategy.
-
An organization is only as secure as its weakest link. Understanding, assessing, and mitigating third-party risks is essential. According to SecurityScorecard, 75% of third-party breaches targeted the software and technology supply chain in 2024. This statistic underscores the critical need for organizations to adopt a proactive and comprehensive third-party risk management framework. Spanning from third-party assessments to implementing continuous monitoring, organizations must ensure that contracted third parties adhere to the same security and compliance standards.

A proactive third-party risk management program would involve:

1. Pre-engagement due diligence. This would incorporate vendor assessments, data protection due diligence checks, security compliance certifications, contractual safeguards and attestations (where needed).

2. Continuous monitoring and risk assessments. Instead of having vendor risk assessments as a one-off thing, consider conducting periodic assessments (work with a period that best suits your needs as a company).

3. Strong access and vendor controls. Restrict the vendor's access to only necessary systems and data. Also, ensure data shared with third parties is encrypted and properly managed.

4. Compliance and regulatory alignment. Ensure that the third parties comply with the relevant laws and standards. A key step in achieving this is clearly defining vendor responsibilities through well-structured contracts and agreements. Regular audits, assessments, and continuous monitoring should then be implemented to verify that vendors adhere to legal and regulatory requirements, mitigating potential risks before they escalate.

5. Lest I forget, business continuity planning is important. Have an incident response plan that accounts for risks arising from third-party relationships. Additionally, have a vendor exit strategy; this will ensure that when partnerships end, data is securely handled, access is revoked, and operations remain unaffected.
Document credits: MoS #VendorSecurity #ThirdPartyRiskManagement #RiskManagement #Cybersecurity #Governance #Compliance #CybersecurityGRC
-
Procurement: Treat suppliers as extensions of your enterprise, not transactions.

Procurement Excellence | 23 NOV 2025 - In complex global markets, resilient supply chains demand partnerships built on shared destiny, not just contracts. Here are 9 Steps to Create Long-Term Supplier Partnerships:

#1. Transparent Communication
↳ Co-develop comms protocols, e.g. QBR.
↳ Clearly share expectations, goals & challenges.

#2. Long-Term Contracts
↳ Replace short-term with multi-year agreements.
↳ Share long-term roadmaps & cost-savings initiatives.

#3. Shared Performance Metrics
↳ Jointly agree and track SMART KPIs.
↳ Define escalation paths & RCA templates.

#4. Early Supplier Involvement
↳ Involve and recognize vendors’ contributions.
↳ Include key suppliers in product development cycles.

#5. Guarantee Timely Payments
↳ Automate payment & consider early payment discounts.
↳ Audit internal processes for bottlenecks.

#6. Co-Create Innovation
↳ Create supplier ideation portals & protect IP collaboratively.
↳ Fund joint proof-of-concept projects.

#7. Recognize & Reward Excellence
↳ Formally acknowledge & reward outstanding suppliers.
↳ Bronze (Operational Excellence), Silver (Innovation), Gold (Strategic Impact).

#8. Uphold Fairness & Ethics
↳ Interactions & contractual terms are mutually beneficial.
↳ Ensure cost pressures don't force unethical labor.

#9. Jointly Manage Risks
↳ Jointly identify risks & develop contingency plans.
↳ Map tier-2/3 suppliers collaboratively.

In today's volatile market, resilient supply chains are built on deep, strategic supplier partnerships. Achieving lasting, mutually beneficial supplier partnerships requires:
✅️ Deliberate strategy
✅️ Centered on trust
✅️ Shared objectives
✅️ Continuous collaboration

♻️ Repost if you find this helpful.
➕️ Follow Frederick for Procurement insights.
#ProcurementExcellence #SupplierCollaboration
-
What Defines a Strong TPRM Strategy in 2025? 🤔

A mature TPRM program in 2025 isn’t just about checking boxes, it’s about building a defensible, risk-based framework that withstands scrutiny from regulators, auditors, and internal stakeholders alike. As regulatory expectations evolve globally, the benchmark for "compliance" is increasingly tied to demonstrable, ongoing due diligence, monitoring, and governance. Here’s what that looks like in practice:

Key Pillars of a TPRM Strategy

1. Centralized Third Party Inventory: Maintain a dynamic inventory of all third parties, with visibility into their services, access to systems/data, and criticality to business operations.

2. Risk-Based Segmentation: Classify vendors by risk tiers (e.g., critical, high, moderate, low) based on the sensitivity of data and impact on operations. This enables proportional oversight.

3. Standardized Due Diligence and Risk Assessments: Use consistent, framework-aligned assessments (e.g., NIST CSF, ISO 27001, SIG questionnaires) for onboarding and periodic reviews. Tailor depth and frequency to risk level.

4. Continuous Monitoring: Leverage technology (e.g., security ratings, threat intelligence, performance dashboards) to track vendor health in real time, not just point-in-time reviews.

5. Strong Contractual Controls: Embed clear requirements in contracts around data protection, right to audit, breach notifications, and fourth-party oversight. Contracts are your enforcement tool.

6. Incident Response and Contingency Planning: Include third parties in your incident response playbooks. Simulate breach scenarios to test coordination, escalation, and communication processes.

7. Cross-Functional Ownership and Governance: Engage legal, procurement, cybersecurity, and business unit leaders throughout the lifecycle. Risk ownership must be shared, not siloed.

To demonstrate that your program is more than just policy on paper:
- Documentation – Keep detailed records of risk assessments, remediation plans, monitoring reports, and vendor interactions.
- Audit Trails – Ensure transparency in decision-making: how vendors are approved, how exceptions are granted, and how issues are addressed.
- Performance Metrics – Track and report KPIs (e.g., % of vendors with updated risk reviews, average remediation time) to show continuous improvement.
- Regulatory Mapping – Align your TPRM framework to applicable regulations (e.g., OCC, DORA, EBA, MAS), and document how requirements are being met.
- Board Reporting – Periodically update senior management and the Board on third-party risk exposure, residual risk, and mitigation actions.

In 2025, "being compliant enough" means being able to show that your TPRM program is consistent, risk-aligned, and operationalized. It’s not about perfection, it’s about visibility, defensibility, and accountability.

#2025 #riskmanagement #riskassessment #regulations #compliance #occ #3prm #boardreporting #businessrisk #residualrisk #riskmitigation #tprm
-
Third-Party Risk: The Hidden Cybersecurity Battlefield in Modern Supply Chains

In our interconnected digital ecosystem, your security posture is only as strong as your weakest vendor. Modern enterprises rely on hundreds of third-party vendors, creating an exponentially expanding attack surface. Supply chain attacks have become the preferred vector for sophisticated threat actors. Instead of targeting well-defended enterprises directly, attackers exploit vulnerabilities in trusted vendors to simultaneously breach hundreds of downstream organizations.

Game-Changing Examples
SolarWinds (2020): Compromised software updates affected 18,000+ customers including Fortune 500 companies and government agencies, demonstrating how a single vendor breach cascades across entire sectors.
MOVEit (2023): A single vulnerability led to data breaches affecting over 600 organizations globally, showcasing the massive scale of modern supply chain impacts.

Why Third-Party Risk Monitoring is Critical
Continuous Visibility: Traditional annual assessments are insufficient. Organizations need real-time monitoring of vendor security posture, breach notifications, and compliance status changes.
Risk Amplification: When attackers target managed service providers or software vendors, the impact multiplies across all their clients. One compromised vendor can expose thousands of organizations simultaneously.
Regulatory Liability: With GDPR, CCPA, and emerging supply chain regulations, organizations face increasing liability for third-party security failures. Proactive monitoring demonstrates due diligence.

Building Effective Defense
Continuous Assessment: Implement real-time vendor risk scoring across your entire ecosystem.
Zero Trust Extension: Apply least-privilege access controls to all third-party connections.
Incident Response Integration: Ensure your IR plans account for vendor breaches with clear communication protocols.
Contractual Protection: Update vendor agreements with security requirements and liability provisions.

The Bottom Line
Organizations can no longer treat vendor risk as a procurement afterthought. The question isn't whether your supply chain will be targeted — it's whether you'll detect and respond effectively when it happens. The strongest security programs extend beyond organizational boundaries to create defensible ecosystems, not just defensible enterprises.

#ThirdPartyRisk #TRPM #SupplyChainAttack #CyberSecurity
-
The Hims & Hers breach didn't come through their network. It came through Zendesk, a third-party customer service platform. That's three major incidents in the last 30 days with the same root cause: a vendor with access to sensitive data and little to no meaningful oversight from the organization that hired them.

This is where most mid-market security programs have a genuine gap. You audit your internal controls. You test your perimeter. You don't always know what your vendors are doing with your data at 2am.

Effective third-party risk management requires two things most organizations skip.
1️⃣ Knowing exactly which vendors have access to sensitive data and what that access looks like technically
2️⃣ Having visibility into vendor environments that gives you a real signal, not a questionnaire response

If your current TPRM program is built around annual reviews and signed agreements, you have documentation. You don't have risk management.

Here at SideChannel, our team does this work daily for multiple clients. If your vendor risk program needs a hard look, we're worth a conversation. https://lnkd.in/g9eHtB_u
-
Most organisations don't do Third-Party Risk Management. They do Third-Party Management. The "risk" dropped out somewhere between the procurement guidelines and the questionnaire template.

Look at how it works in practice: a vendor enters the pipeline, someone sends a spreadsheet, the vendor fills it in, someone checks for SOC 2, the vendor gets approved. CYA complete.

Where was the risk? Not your risk register. Not your threat model. Not your control priorities. The assessment wasn't shaped by any of them. It was shaped by a certifying body and a standard questionnaire template someone downloaded three years ago.

This happens because TPRM is disconnected from the first-party risk program. And it's disconnected because, in most organisations, the first-party risk program isn't strong enough to connect to.

When your own risk program is mature, extending it to third parties is natural:
→ You know which risks matter, so you ask vendors about those risks
→ You understand control depth, so you assess vendors at proportional depth
→ Your risk register is alive, so vendor risk feeds back into it
→ Third-party risk becomes a node in your graph, not a separate spreadsheet

When your own risk program is weak, TPRM becomes what it is today: a procurement checkbox that exists to say "we reviewed them" without ever answering "what risk do they actually introduce?"

You don't fix TPRM by fixing TPRM. You fix it by building a first-party risk program worth extending.

#GRCEngineering #TPRM
-
🔗 Third-party risk has been front and centre in recent breaches, and for good reason. The supply chain is a major attack vector. And we’re seeing, again and again, that you're only as strong as the weakest link in your systems, even if that link doesn’t sit within your organisation.

The Qantas breach is the latest high-profile reminder. The involvement of an offshore contact centre has raised fresh questions about how well businesses are managing cyber and privacy risk beyond their own perimeter.

I've been seeing a marked uptick in social engineering attacks on offshore contact centres across industries. Many are driven or enhanced by AI. Phishing. Vishing. Impersonation. Pressure tactics. Whatever works. And when it does work? The cost isn't just financial, it's trust, reputation, and long-term brand damage. Just look at Qantas. It was asking for an injunction from a judge whose data has been compromised by their data breach (I will talk a bit about this 'injunction tactic' in a post in future). That's slightly embarrassing...

👉 Offshore contact centres can be hugely valuable, delivering scale, reach, and 24/7 support. But they also come with real risks. Especially when they're handling sensitive customer data or system access. Here are six ways to reduce that risk and raise your game:

1️⃣ Strong contracts, used well
Bake in robust privacy, security and audit obligations, then actually exercise those audit rights (and if you can't, bring in experts who can).

2️⃣ Training that sticks
One-and-done training doesn't cut it. Invest in role-specific, regular, and practical training that helps real humans spot real threats relevant to their role.

3️⃣ Test the humans
Commission independent testing. Red-teaming, social engineering exercises, phishing, vishing and other social engineering simulations to see how frontline staff respond under pressure.

4️⃣ Tighten access
Follow least-privilege principles. Limit access to personal or admin-level information, and require escalation protocols with oversight.

5️⃣ Log and monitor everything
Track not just system access, but human behaviour. Know what your people (and your suppliers' people) are doing with your data.

6️⃣ MFA and removal controls
Multi-factor authentication should be the default. But so should clear policies around when and how MFA can be removed; that’s where attackers often strike.

Outsourcing doesn’t outsource responsibility. And in an environment where AI is making attacks cheaper, faster and more targeted, proactive third-party risk management isn’t just best practice, it’s survival.

If you are using offshore contact centres, now is the time to act. In fact, if you are using onshore contact centres, the same applies!

#CyberSecurity #Privacy #SupplyChainRisk #SocialEngineering #ThirdPartyRisk #AI #InformationSecurity
-
🚨 APRA Regulated Entities - CPS 230 Goes Live in 4 Days. Are You Ready?

On Tuesday 1 July 2025, CPS 230: Operational Risk Management comes into effect for all Australian Prudential Regulation Authority (APRA) regulated entities. This is one of the most significant regulatory shifts in recent years, and many organisations still underestimate its breadth and depth.

Having spent almost 30 years in finance technology, including leading data, risk, and transformation for an Investment Company, I can say this with confidence: this is not just another compliance exercise. CPS 230 marks a fundamental change in how operational risk must be managed, from the boardroom down to frontline systems and third-party contracts.

📜 What is CPS 230?
It’s APRA’s new cross-industry standard designed to:
🟡 Strengthen operational resilience
🟡 Clarify accountability
🟡 Ensure critical operations can withstand disruption

It covers:
🔹 Operational risk management frameworks
🔹 Business continuity planning
🔹 Third-party (service provider) management
🔹 Board-level responsibility and oversight

💡 What makes CPS 230 different?
• It’s explicitly principles-based, which means APRA will be looking for judgment, not just checklists
• It focuses on outcomes, not just processes: your ability to continue delivering critical operations is the key test
• It requires clear documentation of critical operations, tolerance levels, risk controls, and testing

📌 What should you be doing now?
With 4 days to go, this is go-time. Start with:
1️⃣ Reviewing your risk and control frameworks, especially for data, AI, cyber, and third-party dependencies
2️⃣ Ensuring your board and execs are briefed and accountable
3️⃣ Validating that your critical operations and service tolerances are clearly defined and tested
4️⃣ Mapping your third-party landscape and uplifting oversight
5️⃣ Aligning your internal teams, including Risk, Ops, Tech, Data, Procurement

✅ This is also a strategic opportunity.
CPS 230 provides a lever to modernise risk management, break down silos, and future-proof your resilience, especially in a world of AI, cloud, and systemic interdependencies. And if you're deploying AI or already looking at ISO 42001, CPS 230 gives you a clear "why now".