Workflow overview
Reference · liveworkflow:third-party-risk-assessment
Third-Party Risk Assessment overview
Assesses risk exposure from third-party vendors, partners, and service providers -- distributing security questionnaires and evaluating responses against organizational standards, reviewing SOC 2 and ISO 27001 attestation reports for control coverage, assessing data-handling practices and sub-processor chains for GDPR compliance, evaluating business-continuity and disaster-recovery capabilities, scoring vendors on a composite risk matrix incorporating financial stability, concentration risk, and geopolitical factors, and defining residual-risk acceptance or mitigation requirements. Produces third-party risk assessment report and risk-tier classification. Excludes contract negotiation.
Attributes
displayName: Third-Party Risk Assessment
workflowKind: governance
triggerType: event-driven
typicalCadence: per-vendor
complexity: cross-team
description: Assesses risk exposure from third-party vendors, partners, and service providers -- distributing security questionnaires and evaluating responses against organizational standards, reviewing SOC 2 and ISO 27001 attestation reports for control coverage, assessing data-handling practices and sub-processor chains for GDPR compliance, evaluating business-continuity and disaster-recovery capabilities, scoring vendors on a composite risk matrix incorporating financial stability, concentration risk, and geopolitical factors, and defining residual-risk acceptance or mitigation requirements. Produces third-party risk assessment report and risk-tier classification. Excludes contract negotiation.
Outgoing edges
applies_to_domain (3)
- domain:security · Domain · Security
- domain:operations · Domain · Operations
- domain:legal · Domain · Legal
involves_role (3)
- role:security-reviewer · Role · Security Reviewer
- role:planner · Role · Planner
- role:license-auditor · Role · License Auditor
performed_by_org_unit (3)
- org-unit:risk-management-team · Org Unit · Risk Management Team
- org-unit:security-team · Org Unit · Security Team
- org-unit:procurement-team · Org Unit · Procurement Team
requires_skill_area (2)
- skill-area:threat-modeling · Skill Area · Threat Modeling
- skill-area:identity-security · Skill Area · Identity & Access Security
triggers_responsibility (2)
- responsibility:vendor-evaluation · Responsibility · Vendor Evaluation
- responsibility:security-review · Responsibility · Security review
Incoming edges
None.