Third-party risk management in 5 Steps

In today’s digital world, where companies are increasingly dependent on external parties, third-party risk management is essential. Especially for companies subject to NIS2, which face stringent security requirements, a solid third-party risk management programme is of great importance. In this blog, we explore the steps that can be taken to manage third-party risk effectively and protect companies from supply chain security threats.

Why third-party risk management?

Third parties, such as suppliers and partners, have access to organisations’ valuable data and systems. This makes them a potential target for cyber-attacks and a source of risk to the organisation’s cybersecurity. It is therefore vital to identify and manage the risks arising from these external relationships via third-party risk management.

Step 1: Due Diligence Before Signing

Before signing a contract, thorough due diligence should be conducted on the third party’s security measures. This step is essential to ensure that the third party meets the same security standards as your organisation. It includes asking questions about the third party’s security protocols and checking their incident response and breach notification plans for potential breaches.

Step 2: Build Security into Supplier Contracts

Once there is confidence in the third-party vendor’s security measures, it is time to capture these measures in an agreement. This agreement should protect both your organisation and the third party and include measures such as phishing tests and penetration tests. It is also important to sign a strict confidentiality agreement that regulates access controls.

Step 3: Formalise Responsibilities and Decision Criteria

A formal allocation of rules, roles, and responsibilities is essential for an effective risk management programme. This includes identifying parties involved in the process and stakeholders who will be notified of changes and results. Clearly defined decision criteria are critical to make risk-based decisions during unexpected situations.

Step 4: Continuous Vulnerability Assessment

Taking stock of third parties and their security status is just the beginning. Ongoing assessments and audits are needed to monitor their security status and to provide internal and external auditors with relevant information. Regular monitoring allows you to respond to and resolve security vulnerabilities as soon as they are found.

Step 5: Effective Termination Process

Third-party risk management does not end when a contract expires. Even after the termination of a partnership, third parties may still have access to sensitive data and systems. A well-planned termination process is essential in your third-party risk management to ensure that all access privileges are revoked and data is deleted.
Third-party risk management is a critical component of a holistic cybersecurity strategy for NIS2 companies. By following the steps outlined in this blog, organisations can effectively manage third-party risks and increase their level of security. For more in-depth insights and tailored advice, read our white paper and contact Bow Tie Security.
