Third Party InfoSec Risk Playbook

Effectively managing information security risk arising from third party relationships is an essential aspect of GRC capability that drives successful attainment of Principled Performance.

It is a key “play in the game” so we have developed this Principled Performance Playbook to address the issue and provide the reader with some essential guidance and tools to get started. Just like a football playbook, this document outlines the steps to take – or plays – and sets up the structure for assignment of the various tasks to those in your organization.

Although this playbook focuses on third party cybersecurity risk, third parties can present other risks that affect your company's reputation, such as ethics/integrity, product/service quality or business continuity. This Playbook takes a deep dive into one discrete aspect – the third party risk assessment process for controlling information security risk. The process is illustrated in the context of information security training, since inadequate training is one of many information security vulnerabilities. It provides three play sheets that outline key actions, which should be adapted to fit the specific risks you are assessing.