SUSAN Third-Party Risk helps organizations manage vendor risk, supplier assurance, third-party evidence, reassessment cycles and audit-ready reporting across cybersecurity, privacy and compliance workflows. Modern organizations depend on vendors, SaaS providers, processors, cloud platforms, security tools, consultants, managed service providers and business partners. These relationships create operational value, but they also create inherited risk. If vendor access, evidence, contracts, questionnaires and reassessments are not managed continuously, third-party weaknesses can become cybersecurity, privacy, regulatory and operational resilience issues.
What Is SUSAN Third-Party Risk?
SUSAN Third-Party Risk is a SUSAN module capability that helps teams manage visibility into vendor and supplier risk.
It supports:
- Vendor onboarding visibility
- Third-party risk assessment
- Vendor questionnaires
- Evidence collection
- Vendor scoring
- Reassessment cycles
- Supplier risk tracking
- Processor and vendor oversight
- Compliance evidence
- Audit-ready reporting
- Continuous Monitoring & Evidence
- Continuous Assurance
The goal is to help organizations move from point-in-time vendor reviews to more structured third-party assurance.
Why Third-Party Risk Matters
Third-party risk matters because organizations often depend on external providers that access systems, data, applications, cloud environments or business processes.
Common third-party risks include:
- Excessive vendor access
- Weak vendor security practices
- Missing vendor evidence
- Outdated questionnaires
- Vendor access not reviewed
- No reassessment cycle
- Poor visibility into SaaS integrations
- Unclear contract or DPA obligations
- Weak incident notification process
- Supply chain compromise
- Processor risk
- Limited audit evidence
A vendor may not be part of your organization, but its risk can still affect your organization.
Vendor Onboarding
Vendor onboarding should include security, privacy and compliance review before access is granted.
SUSAN Third-Party Risk can help teams structure onboarding around:
- Vendor identity
- Service provided
- Business owner
- Data access
- System access
- Security evidence
- Privacy evidence
- Contract or DPA status
- Risk rating
- Approval status
- Reassessment date
This helps teams decide whether a vendor should be approved, restricted, reviewed further or rejected.
Vendor Questionnaires
Vendor questionnaires help organizations collect information about supplier security, privacy, compliance and operational controls.
Questionnaire areas may include:
- Information security controls
- Data protection practices
- Access controls
- Encryption
- Incident response
- Business continuity
- Cloud security
- Subprocessor use
- Compliance framework alignment
- Evidence availability
- Breach notification process
Questionnaires should not be treated as a one-time activity. They should be reviewed and refreshed based on risk.
Evidence Collection
Third-party assurance depends on evidence.
Useful vendor evidence may include:
- Security policies
- Data protection documents
- ISO 27001 evidence
- SOC 2 reports where available
- Penetration test summaries where available
- Incident response process
- Business continuity evidence
- Privacy documentation
- Subprocessor lists
- DPA records
- Access review evidence
- Security questionnaire responses
SUSAN Third-Party Risk helps organize vendor evidence so GRC, privacy, security and audit teams can review it more effectively.
Vendor Scoring and Risk Rating
Vendor scoring helps teams prioritize which third parties need more review.
Risk rating may consider:
- Data sensitivity
- System access
- Business criticality
- Regulatory relevance
- Subprocessor dependency
- Security evidence quality
- Open remediation actions
- Reassessment results
- Incident history
- Geographic exposure
- Contractual obligations
This helps teams focus deeper assurance on higher-risk vendors.
Reassessment Cycle
Third-party risk changes over time.
A vendor that was low risk during onboarding may become higher risk later because of:
- New access
- New data processing
- New subprocessors
- Changed services
- Security incidents
- Expired evidence
- New compliance obligations
- Contract changes
- Integration changes
A reassessment cycle helps organizations review vendor risk periodically and maintain stronger assurance.
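As an added illustration (not SUSAN's scoring model and not code from the product), the rating factors listed under Vendor Scoring and Risk Rating and the reassessment triggers listed above can be combined into a small tiering and reassessment-queue routine. The weights, tier thresholds, per-tier reassessment intervals and the three sample vendors are constructed assumptions; the point is that tier drives the review interval while evidence expiry and incidents trigger a review regardless of tier.

```python
"""Vendor risk scoring, tiering and reassessment triggers (illustrative model, not SUSAN's)."""
from dataclasses import dataclass
from datetime import date

# Assumed weights for the page's rating factors; every factor is rated 0 (none) .. 3 (highest).
WEIGHTS = {
    "data_sensitivity": 5,
    "system_access": 5,
    "business_criticality": 4,
    "regulatory_relevance": 3,
}
EVIDENCE_GAP_WEIGHT = 3   # applied to (3 - evidence_quality): weaker evidence raises the score
REMEDIATION_WEIGHT = 2    # per open remediation action, capped at 5 actions
INCIDENT_WEIGHT = 5       # per incident in the last 12 months, capped at 3 incidents
# Assumed reassessment intervals per tier (days); higher tiers are reviewed more often.
REASSESS_INTERVAL_DAYS = {"high": 180, "medium": 365, "low": 730}


@dataclass
class Vendor:
    name: str
    data_sensitivity: int        # 0 none .. 3 regulated / special-category data
    system_access: int           # 0 none .. 3 administrative access
    business_criticality: int    # 0 .. 3
    regulatory_relevance: int    # 0 .. 3
    evidence_quality: int        # 0 none .. 3 current, independent (e.g. SOC 2 / ISO 27001)
    open_remediations: int
    incidents_last_12m: int
    evidence_expiry: date        # when the newest assurance evidence expires
    last_assessed: date


def risk_score(v: Vendor) -> int:
    """Weighted sum of the rating factors plus penalties for evidence gaps, open actions and incidents."""
    for factor in list(WEIGHTS) + ["evidence_quality"]:
        if not 0 <= getattr(v, factor) <= 3:
            raise ValueError(f"{v.name}: {factor} must be rated 0..3")
    score = sum(WEIGHTS[f] * getattr(v, f) for f in WEIGHTS)
    score += EVIDENCE_GAP_WEIGHT * (3 - v.evidence_quality)
    score += REMEDIATION_WEIGHT * min(v.open_remediations, 5)
    score += INCIDENT_WEIGHT * min(v.incidents_last_12m, 3)
    return score


def risk_tier(score: int) -> str:
    """Assumed thresholds: 45+ high, 20..44 medium, below 20 low."""
    if score >= 45:
        return "high"
    if score >= 20:
        return "medium"
    return "low"


def reassessment_reasons(v: Vendor, today: date) -> list[str]:
    """Return every trigger that makes a reassessment due; an empty list means the vendor is current."""
    tier = risk_tier(risk_score(v))
    reasons = []
    interval = REASSESS_INTERVAL_DAYS[tier]
    age = (today - v.last_assessed).days
    if age > interval:
        reasons.append(f"last assessed {age} days ago, exceeds {interval}-day interval for {tier} tier")
    if v.evidence_expiry < today:
        reasons.append(f"assurance evidence expired on {v.evidence_expiry.isoformat()}")
    if v.incidents_last_12m:
        reasons.append(f"{v.incidents_last_12m} security incident(s) in the last 12 months")
    return reasons


def reassessment_queue(vendors: list[Vendor], today: date) -> list[tuple[str, str, list[str]]]:
    """Vendors needing review, highest score first, with the triggers that put them in the queue."""
    due = [(v.name, risk_tier(risk_score(v)), reassessment_reasons(v, today)) for v in vendors]
    due = [entry for entry in due if entry[2]]
    by_name = {v.name: risk_score(v) for v in vendors}
    return sorted(due, key=lambda entry: by_name[entry[0]], reverse=True)


# Constructed sample vendors and review date (not real suppliers).
TODAY = date(2025, 6, 1)
SAMPLE_VENDORS = [
    Vendor("payroll-saas", 3, 3, 3, 3, evidence_quality=2, open_remediations=2,
           incidents_last_12m=0, evidence_expiry=date(2025, 9, 30), last_assessed=date(2024, 10, 1)),
    Vendor("marketing-tool", 1, 1, 1, 1, evidence_quality=3, open_remediations=0,
           incidents_last_12m=0, evidence_expiry=date(2025, 3, 31), last_assessed=date(2024, 1, 15)),
    Vendor("managed-services", 1, 2, 2, 1, evidence_quality=1, open_remediations=1,
           incidents_last_12m=0, evidence_expiry=date(2026, 1, 1), last_assessed=date(2025, 1, 10)),
]

if __name__ == "__main__":
    for v in SAMPLE_VENDORS:
        s = risk_score(v)
        print(f"{v.name:18} score={s:3} tier={risk_tier(s)}")
    for name, tier, reasons in reassessment_queue(SAMPLE_VENDORS, TODAY):
        print(f"REVIEW {name} ({tier}): " + "; ".join(reasons))
```

With the sample data the payroll provider is queued because its high-tier interval has lapsed, while the low-tier marketing tool is queued only because its evidence expired, which is the behaviour the reassessment triggers above call for: freshness of evidence is checked independently of how the vendor was rated at onboarding.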
Third-Party Risk Control Map
| Third-Party Risk Area | Common Problem | SUSAN Support |
|---|---|---|
| Vendor onboarding | Vendors are approved without consistent review | Track onboarding, ownership, access and approval status |
| Questionnaires | Vendor responses are inconsistent or outdated | Manage questionnaires and reassessment workflows |
| Evidence collection | Vendor evidence is spread across emails and folders | Organize vendor evidence for audit readiness |
| Vendor scoring | Teams cannot prioritize high-risk vendors | Support vendor scoring and risk rating |
| Access visibility | Vendor access is unclear or excessive | Link vendors to systems, data and business owners |
| Reassessment | Vendor risk is reviewed only once | Track reassessment cycles and evidence freshness |
| Compliance impact | Vendor risk is not linked to regulatory obligations | Map third-party risk to compliance and audit evidence |
| Incident readiness | Supplier incidents cause delayed response | Support incident evidence, contacts and escalation visibility |
Vendor Risk and Compliance
Third-party risk is closely connected to compliance.
Vendor and processor oversight may support areas such as:
- GDPR
- UK GDPR
- India DPDP Act
- ISO 27001
- SOC 2
- DORA
- NIS2
- Supply chain security expectations
- Customer security reviews
- Contractual obligations
Compliance teams need evidence that vendors are reviewed, risks are tracked and ownership is clear.
Vendor Risk and Cybersecurity
Vendor risk is also a cybersecurity issue.
Third parties may have:
- Access to systems
- API integrations
- OAuth access
- Cloud access
- Data processing rights
- Administrative permissions
- Support access
- Managed service access
Security teams should understand which vendors can access which systems, what data they process and what controls apply.
How SUSAN Third-Party Risk Connects with Other SUSAN Modules
SUSAN Third-Party Risk connects with other SUSAN capabilities including Global Compliance & Trust, AI Risk Scoring, Continuous Monitoring & Evidence, Unified GRC Dashboard, Asset Inventory, Data Inventory and Classification and DPDP Compliance.
Together, these capabilities help organizations connect:
- Vendor inventory
- Vendor evidence
- Vendor scoring
- Third-party access
- Vendor questionnaires
- Data processing visibility
- Compliance obligations
- Remediation ownership
- Audit-ready reporting
- Continuous Assurance
Who Uses SUSAN Third-Party Risk?
This module is useful for teams responsible for supplier assurance, privacy, security and compliance.
Primary users include:
- GRC teams
- Vendor risk managers
- Procurement teams
- Privacy teams
- DPOs
- Security teams
- CISOs
- Audit teams
- Legal and compliance teams
- Business owners
- Executive leadership
These teams use third-party risk workflows to improve vendor assurance, accountability and evidence visibility.
Third-Party Risk Readiness Checklist
Use this checklist to assess third-party risk maturity:
- Do you maintain a vendor inventory?
- Are vendors assigned business owners?
- Do you know which vendors access systems or data?
- Are vendor questionnaires collected and reviewed?
- Is vendor evidence stored centrally?
- Are vendor risks scored or tiered?
- Are high-risk vendors reviewed more deeply?
- Are reassessment cycles defined?
- Are vendor access rights reviewed?
- Are DPAs or contractual obligations tracked?
- Are vendor incidents escalated quickly?
- Are third-party risks linked to compliance obligations?
- Is audit-ready vendor evidence available?
- Can leadership see vendor risk status?
If several answers are no, the organization may need stronger third-party risk visibility.
FAQ
Most frequent questions and answers
SUSAN Third-Party Risk is a SUSAN module capability that helps organizations manage vendor onboarding, assessments, questionnaires, evidence, scoring, reassessment and audit-ready reporting.
Third-party risk is important because vendors, suppliers, processors and SaaS providers may access systems, data or business processes and can introduce cybersecurity, privacy and compliance risk.
Vendor risk management is the process of identifying, assessing, monitoring and reviewing risks created by third-party providers.
Useful evidence may include security policies, questionnaires, certifications or assurance reports where available, incident response processes, privacy documentation, DPA records and access review evidence.
A vendor reassessment cycle is a recurring review of vendor risk, evidence, access, services and compliance status after onboarding.
It helps teams track vendors and processors, evidence, data access, privacy obligations and reassessment workflows that may support DPDP and GDPR readiness.
SUSAN supports continuous third-party assurance by helping teams track vendor risk, evidence, reassessment, remediation ownership, compliance impact and audit-ready reporting.
Third-party risk should not be managed only through spreadsheets, emails or one-time onboarding reviews.
Explore SUSAN Third-Party Risk to improve vendor assurance, evidence visibility, reassessment workflows, compliance readiness and Continuous Assurance.