
Implementing supplier risk management in cybersecurity: the 6 key steps

Apr 25, 2025


You know you need to assess the risks related to your suppliers, but you have neither the time, nor the tools, nor the processes in place. Don’t panic. Here’s a clear plan in 6 steps to start a simple, effective TPRM (Third-Party Risk Management) approach aligned with your constraints.


1. Align the approach with the company’s priorities

First of all, ask yourself why you are doing TPRM. Is it to respond to an audit, to secure sensitive data, or to comply with DORA/NIS2? This framing is essential to prioritize efforts and engage stakeholders.

🎯 What you are trying to protect (data, production, compliance) should guide how you structure the approach.


2. Clearly define responsibilities

Without an identified person or team, nothing moves. Even if you don’t have a dedicated team, designate a security or compliance lead who is responsible for steering the process.

👥 Who approves the suppliers? Who follows up? Who decides if onboarding should be blocked? Better to have imperfect governance than a total lack of framework.


3. Identify and classify your suppliers

Start by listing all your suppliers (finance, IT, procurement). Then, classify them based on their criticality: access to data, systems, business role, etc. Finally, adapt the workload to your bandwidth.

📦 You can’t do everything: focus on critical suppliers. An 80/20 approach is often the most realistic.

🗂️ Centralize the information in a single table or tool (even Excel at first). The goal is to see at a glance which suppliers still need to be addressed and the status of each assessment.

4. Assess the suppliers

a. Define what you want to check

Keep it simple and focused: cybersecurity, compliance (DORA, GDPR), business continuity, hosting, subcontracting. Avoid unnecessarily lengthy questionnaires.

b. Treat new and existing suppliers differently
  • New suppliers: assess them before onboarding. That’s where you have leverage.
  • Existing suppliers: start with the most critical ones and set a realistic pace (e.g., 1 per week/month).

c. Engage your suppliers intelligently

Explain why you are contacting them, what you expect, and what you will do with the outcome. The more transparent you are, the more responses you will receive.

📩 Prioritize clarity over complexity: a short message, a concise questionnaire, a clear deadline.


5. Manage discrepancies

The goal is not to block everyone, but to manage risk. There are two aspects:

a. With the supplier

Ask for clarifications, propose corrective actions, formalize remediation plans if necessary.

b. Internally

Accept the risk (in an informed manner), add a clause in the contract, or impose technical mitigation (segmentation, monitoring…).

📌 Keep a record of decisions: who accepted the risk, why, until when.


6. Monitor over time, according to criticality

A one-time assessment is not enough. Implement regular monitoring (annual, semi-annual…) for critical suppliers, and reassess after a major change (incident, new regulation, change in the service provided).

📆 A simple reminder in your calendar or tool is enough to start monitoring.
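As an added example that is not part of the original article, here is a minimal Python supplier register tying step 3 to step 6: it derives a criticality tier from the three classification criteria (data access, system access, business role) and flags which suppliers have never been assessed or are overdue for review. The scoring weights, tier thresholds and review intervals are assumptions to adapt to your own context.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional
# Assumed weights for the three criticality criteria named in step 3.
DATA_ACCESS = {"none": 0, "internal": 1, "personal": 2, "sensitive": 3}
SYSTEM_ACCESS = {"none": 0, "read": 1, "privileged": 3}
BUSINESS_ROLE = {"support": 0, "important": 1, "critical": 3}
# Assumed review cadence per tier, in days: semi-annual, annual, biennial.
REVIEW_INTERVAL = {"critical": 182, "high": 365, "standard": 730}
TODAY = date(2025, 4, 25)  # reference date for the run below

@dataclass
class Supplier:
    name: str
    data_access: str
    system_access: str
    business_role: str
    last_assessed: Optional[date]  # None means never assessed

def criticality(s: Supplier) -> str:
    """Tier from the sum of the three criteria (thresholds are assumptions)."""
    score = DATA_ACCESS[s.data_access] + SYSTEM_ACCESS[s.system_access] + BUSINESS_ROLE[s.business_role]
    return "critical" if score >= 6 else "high" if score >= 3 else "standard"

def review_due(s: Supplier) -> Optional[date]:
    # Next review date; None if the supplier was never assessed.
    if s.last_assessed is None:
        return None
    return s.last_assessed + timedelta(days=REVIEW_INTERVAL[criticality(s)])

def work_queue(register, today):
    # (name, tier, reason) for unassessed or overdue suppliers, critical first.
    rank = {"critical": 0, "high": 1, "standard": 2}
    queue = []
    for s in register:
        due = review_due(s)
        if due is None:
            queue.append((s.name, criticality(s), "never assessed"))
        elif due <= today:
            queue.append((s.name, criticality(s), f"overdue since {due}"))
    return sorted(queue, key=lambda row: rank[row[1]])

# Constructed sample register; these are not real suppliers.
REGISTER = [
    Supplier("Cloud hosting provider", "sensitive", "privileged", "critical", date(2024, 9, 1)),
    Supplier("Payroll SaaS", "personal", "read", "important", date(2024, 1, 15)),
    Supplier("Office cleaning", "none", "none", "support", date(2023, 6, 1)),
    Supplier("New analytics vendor", "personal", "read", "important", None),
]
```

Calling `work_queue(REGISTER, TODAY)` returns the three suppliers needing attention, ordered by tier, which is the at-a-glance view step 3 asks for; the low-criticality supplier is left alone until its longer interval elapses.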


In summary

TPRM does not need to be an endless project or a bureaucratic nightmare. If you follow these 6 steps with regularity and pragmatism, you will have a robust process, aligned with your constraints, capable of withstanding an audit or an incident.