TPRM Lifecycle — The 5 Phases of Third Party Risk Management

The TPRM lifecycle structures the entire lifecycle of a supplier relationship — from initial risk assessment at onboarding to secure offboarding.

Without a defined TPRM lifecycle, blind spots emerge: new suppliers are not assessed, existing ones not monitored, and departing ones not securely offboarded. 360TPRM digitalises the entire lifecycle.

Phase 1: Onboarding & Initial Assessment

Every new supplier goes through a structured initial assessment: criticality classification (critical / important / standard), initial cyber intelligence check by 360TPRM (darknet, CVEs, exposure), due diligence questionnaire by criticality tier, contract review for NIS2/DORA requirements. 360TPRM automates onboarding and delivers a first intelligence score within minutes.

No supplier without assessment

NIS2 Art. 21(d) and DORA Art. 28 require a security assessment before contract signing. 360TPRM makes this scalable — even for hundreds of suppliers simultaneously.

Phase 2: Continuous Monitoring

After onboarding, continuous monitoring begins — the core of the TPRM lifecycle. 360TPRM monitors daily: new CVEs in the supplier's technology stack, darknet leaks and credential compromises, changes in attack surface (new open ports, misconfigurations), regulatory changes and sanctions list checks. Anomalies raise alerts, prioritised by the supplier's criticality tier.

Questionnaires are not enough

An annual questionnaire shows yesterday's status. 360TPRM monitors in real time — and warns before a compromised supplier becomes your own risk.

Phase 3: Reassessment & Escalation

At defined intervals (annually for critical suppliers) or when anomalies are detected, a reassessment is conducted: updated cyber intelligence assessment, new focused questionnaire, escalation for critical findings (CISO, management), contract adjustment if necessary. 360TPRM documents all reassessments in an auditable trail.
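The two mechanisms described in Phases 2 and 3 (ranking daily findings by supplier criticality, and triggering a reassessment either when the tier's review interval has elapsed or when an anomaly threshold is breached) can be expressed as a small decision routine. The following is an added illustration, not 360TPRM's own code; the tiers, finding categories, weights, intervals, the threshold value and the sample suppliers and findings are all constructed assumptions.

```python
"""Toy model of TPRM phases 2 and 3 (added example, not 360TPRM code).

Daily findings are scored by finding category and supplier criticality tier;
a reassessment is flagged when the tier's review interval has elapsed or when
the supplier's anomaly score for the day crosses an assumed threshold.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed review intervals per tier; the page only states "annually for critical".
REVIEW_INTERVAL_DAYS = {"critical": 365, "important": 730, "standard": 1095}
# Assumed severity weight per monitoring category (values are illustrative).
FINDING_WEIGHT = {"cve": 2, "exposure_change": 3, "credential_leak": 5, "sanctions_hit": 10}
# Assumed multiplier so the same finding ranks higher for a more critical supplier.
TIER_MULTIPLIER = {"critical": 3, "important": 2, "standard": 1}
# Assumed anomaly score at which an out-of-cycle reassessment is triggered.
REASSESS_THRESHOLD = 12


@dataclass(frozen=True)
class Supplier:
    name: str
    tier: str           # "critical" | "important" | "standard"
    last_assessed: date


@dataclass(frozen=True)
class Finding:
    supplier: str
    category: str       # key of FINDING_WEIGHT
    detail: str
    observed: date


def priority(f: Finding, s: Supplier) -> int:
    """Score one finding for one supplier: category weight times tier multiplier."""
    return FINDING_WEIGHT[f.category] * TIER_MULTIPLIER[s.tier]


def prioritised_alerts(suppliers, findings):
    """Phase 2: order today's findings so the highest-priority alerts come first."""
    by_name = {s.name: s for s in suppliers}
    ranked = sorted(findings, key=lambda f: priority(f, by_name[f.supplier]), reverse=True)
    return [(f.supplier, f.category, priority(f, by_name[f.supplier])) for f in ranked]


def reassessment_reason(s: Supplier, findings, today: date):
    """Phase 3: return why a reassessment is due, or None if it is not."""
    if today - s.last_assessed >= timedelta(days=REVIEW_INTERVAL_DAYS[s.tier]):
        return "interval"
    score = sum(priority(f, s) for f in findings if f.supplier == s.name)
    if score >= REASSESS_THRESHOLD:
        return f"anomaly score {score}"
    return None


def daily_review(suppliers, findings, today: date):
    """Run both phases for one day: (ranked alerts, {supplier: reassessment reason})."""
    alerts = prioritised_alerts(suppliers, findings)
    due = {s.name: r for s in suppliers if (r := reassessment_reason(s, findings, today))}
    return alerts, due


# Constructed sample data for a single monitoring day.
TODAY = date(2025, 3, 1)
SAMPLE_SUPPLIERS = [
    Supplier("acme", "critical", date(2024, 9, 15)),   # recently assessed, but noisy today
    Supplier("beta", "standard", date(2023, 6, 1)),
    Supplier("gamma", "important", date(2025, 1, 1)),
    Supplier("delta", "standard", date(2021, 1, 1)),   # review interval long expired
]
SAMPLE_FINDINGS = [
    Finding("acme", "cve", "new CVE in web framework (constructed)", TODAY),
    Finding("acme", "exposure_change", "new open port observed (constructed)", TODAY),
    Finding("beta", "cve", "new CVE in mail server (constructed)", TODAY),
    Finding("gamma", "credential_leak", "staff credentials in dump (constructed)", TODAY),
]

if __name__ == "__main__":
    alerts, due = daily_review(SAMPLE_SUPPLIERS, SAMPLE_FINDINGS, TODAY)
    for supplier, category, score in alerts:
        print(f"alert  {score:>3}  {supplier:<6} {category}")
    for supplier, reason in due.items():
        print(f"reassess {supplier}: {reason}")
```

In the sample day, the credential leak at the "important" supplier outranks the individual findings at the critical one, but the critical supplier's two findings together cross the threshold and trigger an out-of-cycle reassessment, while the long-unreviewed standard supplier is flagged purely on elapsed interval. Weights and thresholds would in practice be tuned to the organisation's criticality criteria (Phase 5).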

Phase 4: Offboarding

The offboarding process is the most often forgotten part of the TPRM lifecycle — with significant risk potential: revoke access (IT access, API keys, VPN), retrieve data and obtain deletion confirmation, document contract termination, assess residual risks. 360TPRM guides structured offboarding.

Phase 5: Continuous Improvement

The TPRM lifecycle is not a linear process but a cycle: lessons learned from incidents and assessments, adjustment of criticality criteria, framework updates for new regulations (NIS2 updates, DORA guidelines), benchmarking against industry standards. 360TPRM provides analytics and reporting for management review.

FAQ

What is the TPRM lifecycle?

The TPRM lifecycle describes the structured management process for third parties — from initial assessment at onboarding through continuous monitoring to offboarding. It ensures no supplier remains uncontrolled.

How many phases does a TPRM lifecycle have?

Typically 4–5 phases: onboarding, monitoring, reassessment, offboarding and continuous improvement. 360TPRM digitalises all phases in one platform.

What does NIS2 require for the TPRM lifecycle?

NIS2 Art. 21(d) requires security measures for the supply chain — including assessment before contract signing and ongoing monitoring. DORA Art. 28 goes further with detailed requirements for ICT third-party service providers.

How do you automate the TPRM lifecycle?

360TPRM automates core workflows: automatic intelligence scores at onboarding, daily monitoring with alert system, reassessment triggers at threshold breaches, structured offboarding process.

Digitalise TPRM Lifecycle with 360TPRM

See in a 45-minute demo how 360TPRM specifically meets your requirements.
