Third party and supplier risk management.
Right first time.

Control the cyber risk associated with critical third party relationships.

Third Party Risk Management by CRMG

CRMG’s Third Party Risk Management service uses a triage approach to accurately identify the cyber risk implications of working with third parties (most often suppliers, but the logic can apply to any partner or third party organisation), based on the specific product or service offered, the data sharing required, and the contract terms.

Our approach provides a clear picture of cyber security control gaps, indicating the level of risk they pose, and provides you with recommendations for remediation, directing you to apply appropriately rigorous measures.

The result — all the data you need to make informed decisions on onboarding new third parties, renegotiating current supply contracts, and terminating high-risk relationships.

Conduct deep-dive tailored assessments into your most critical relationships

Assess third party cyber risk quickly, accurately and efficiently

Evaluate existing arrangements and prioritise necessary changes

Focus your resources on relationships posing the greatest risk

Create tailored supplier questionnaires based on your chosen security standard

Embed a third party cyber risk assurance process that fits current and future needs

Third Party Risk Management by CRMG – Developed by practitioners for practitioners.


How it works

CRMG employs a four-stage process to help you quickly and effectively gather information, identify risk and manage new and current relationships.

Initial Assessment – we use a triage technique to identify all factors which impact the risk profile of a product or service to be procured, including data transfer and storage, payment handling, hosting infrastructure, and more.

Third Party Assessment – we produce a tailored supplier questionnaire for each vendor which aligns with your chosen security standard (ISO, NIST, custom), and explores an appropriate level of detail based on business risk.

Assessment Report – you receive tailored reports for each third party which highlight the level of cyber risk exposure, the control gaps which need to be addressed, and the specific cyber security measures which will be most effective.

Input to Procurement/Legal – using the output reports, you’ll be able to negotiate vendor contracts that reflect the inherent cyber risk of each individual third party relationship.

How it helps

Once you have worked through the CRMG Third Party Risk Management process for each of your critical third party relationships, here’s what you can expect:

You’ll have a clear view of the information shared with each third party or supplier, and the associated cyber risk in each case.

You’ll be able to quickly and effectively review current third-party relationships, remediating or terminating contracts where needed to reduce your exposure.

You’ll have the tools to make informed decisions on onboarding new vendors and understand the risk implications of each new relationship.

You’ll be able to achieve optimal protection levels, based on real business risk, without imposing unnecessary burdens on suppliers. 

If that’s where you want to be, let’s talk about how we get there.

CRMG Third Party Risk Management in practice — energy

A regional energy company, with a wide range of suppliers at varying levels of cyber security maturity, was concerned about potential cyber exposure via supplier relationships.

CRMG worked with the client to categorise suppliers based on the business criticality of the relationship and applied the Third Party Risk Management approach as a simple triage, determining the extent to which individual suppliers should be subjected to cyber security scrutiny.

This enabled the organisation to apply a ‘light touch’ to less critical suppliers and greater rigour to those that presented increased cyber risk. 

A process for monitoring the ongoing cyber risk status of existing suppliers was implemented, and CRMG trained information security, procurement and legal personnel to apply the new vendor assurance process.

The result — the company reduced costs while lowering cyber risk overall. The new process focuses on minimising supplier-introduced risk while reducing the admin overhead for less critical suppliers.

Find out more

Third Party Risk Management by CRMG is designed for organisations in any sector that share business-critical information with vendors or other third parties.

If you’re ready to get started, set up a call with one of our expert advisors today.