
Third-Party Cyber Risk Management Training Course

Third-party cyber risk management is now a board-level concern because vendors, cloud providers, SaaS platforms, and outsourced service chains expand your attack surface faster than internal controls can catch up. Third-party cyber risk management is the discipline of identifying, assessing, treating, and monitoring cyber exposure created by external suppliers and service providers. It enables professionals to classify vendor risk, evaluate security controls, and build continuous monitoring and reporting processes. In practice, you need to work with ISO/IEC 27001:2022 control expectations, NIST Cybersecurity Framework 2.0, and structured due diligence workflows while AI-assisted vendor scoring and continuous monitoring reshape how security teams and procurement functions operate. This course is designed for third-party risk analysts, cyber risk managers, vendor governance leads, procurement specialists, information security officers, and compliance professionals who need to produce risk tiering matrices, due diligence questionnaires, control gap assessments, remediation plans, and executive risk reports. TrainingCred’s third-party cyber risk management training gives you a practical bridge from scattered vendor oversight to evidence-based decisions that reduce exposure and improve accountability.

Duration: 5 Days
Certificate: Included
Delivery: Instructor-Led
Level: Intermediate

Training Options

Classroom Training


In-person training at our premier venues — pick a city and date that works for you.

| Location | Duration | Fee | Language |
|---|---|---|---|
| Nairobi, Kenya | Mon - Fri (5 Days) | USD 1,600 | English |
| Kigali, Rwanda | Mon - Fri (5 Days) | USD 1,900 | English |
| Dubai, United Arab Emirates (UAE) | Mon - Fri (5 Days) | USD 4,100 | English |
| Zanzibar, Tanzania | Mon - Fri (5 Days) | USD 2,400 | English |
| Abuja, Nigeria | Mon - Fri (5 Days) | USD 2,800 | English |
| Addis Ababa, Ethiopia | Mon - Fri (5 Days) | USD 2,400 | English |
| Mombasa, Kenya | Mon - Fri (5 Days) | USD 1,700 | English |
| Cape Town, South Africa | Mon - Fri (5 Days) | USD 3,900 | English |
| Johannesburg, South Africa | Mon - Fri (5 Days) | USD 3,500 | English |
| Kampala, Uganda | Mon - Fri (5 Days) | USD 1,900 | English |
| Pretoria, South Africa | Mon - Fri (5 Days) | USD 3,300 | English |
| Lagos, Nigeria | Mon - Fri (5 Days) | USD 2,500 | English |
| Arusha, Tanzania | Mon - Fri (5 Days) | USD 2,000 | English |
| Dar es Salaam, Tanzania | Mon - Fri (5 Days) | USD 1,900 | English |
| Accra, Ghana | Mon - Fri (5 Days) | USD 3,800 | English |
| Bangalore, India | Mon - Fri (5 Days) | USD 4,200 | English |
| Muscat, Oman | Mon - Fri (5 Days) | USD 4,300 | English |
| Naivasha, Kenya | Mon - Fri (5 Days) | USD 1,700 | English |

Live, instructor-led sessions you can join from anywhere.

Our instructor comes to your office — same curriculum and accredited certificate, with case studies built around the work your team actually does.

Team Training

Train your entire team together in a familiar environment for better collaboration

Fully Customized

Content tailored to your industry, tools, and specific business challenges

Cost Effective

Save on travel & accommodation costs when training multiple employees

Flexible Scheduling

Choose dates that work best for your team's availability and projects

How It Works

  1. Request a Quote: Tell us about your team size, preferred dates, and training goals
  2. Get a Custom Proposal: Receive a tailored training plan and competitive pricing within 24 hours
  3. We Come to You: Our certified trainer arrives ready to deliver impactful, hands-on training


About the Course

Organizations do not get judged on intent in third-party cyber risk management. They get judged on whether they can prove they know which vendors hold sensitive data, which providers touch critical services, and which relationships create unacceptable residual risk. To do that credibly, you need to demonstrate vendor inventory discipline, risk tiering, due diligence review, control validation, contract risk review, and continuous monitoring, all of which map naturally to ISO/IEC 27001:2022, NIST Cybersecurity Framework 2.0, and shared responsibility thinking across the supplier ecosystem.

This third-party cyber risk management training turns fragmented vendor oversight into a structured operating model. You will practice building a third-party inventory, drafting a risk classification model, evaluating security questionnaires, mapping contractual control expectations, and creating a monitoring dashboard that leadership can act on. You will also be introduced to AI-assisted vendor screening, external attack surface signals, and automated workflow tools at an operational level so you can understand where they fit without overpromising their maturity in your environment. This course teaches third-party cyber risk management through practical templates and case-based exercises so you can produce vendor risk registers, assessment summaries, remediation trackers, and board-ready reporting.

The course is built for professionals who must deliver under real constraints, including limited supplier visibility, inconsistent questionnaire quality, procurement pressure, repeated renewals, and uneven maturity across business units. It is especially relevant when you need to balance speed of onboarding with security assurance, maintain defensible records for audits, and align procurement, legal, security, and business owners without slowing operations unnecessarily.


Target Audience

This course is built for professionals who already touch vendor oversight, cyber governance, procurement controls, or security assurance and now need a structured third-party cyber risk management approach.

  • Third-Party Risk Analysts tracking vendor security posture and tiering decisions
  • Cyber Risk Managers defining assessment scope and residual risk treatment
  • Vendor Governance Leads coordinating supplier reviews and remediation tracking
  • Procurement Specialists embedding cyber clauses into supplier onboarding
  • Information Security Officers validating control expectations across external service providers
  • GRC Analysts maintaining questionnaire evidence and risk registers
  • Third-Party Due Diligence Coordinators managing intake and escalation workflows
  • Compliance Managers aligning supplier oversight with ISO/IEC 27001:2022 expectations
  • IT Vendor Managers monitoring renewal risk and service criticality
  • Business Continuity Managers reviewing supplier dependency and resilience exposure

Course Objectives

This course equips you to plan, execute, and measure third-party cyber risk management initiatives that reduce vendor exposure, strengthen control oversight, and support defensible reporting.

  • Assess vendor exposure using a third-party risk register and criticality scoring model.
  • Apply risk-tiering methods to supplier due diligence and onboarding decisions.
  • Design a vendor questionnaire aligned with ISO/IEC 27001:2022 control expectations.
  • Build a remediation tracker for security gaps, exceptions, and compensating controls.
  • Evaluate supplier controls against NIST Cybersecurity Framework 2.0 and contract clauses.
  • Navigate procurement, legal, and security approvals for high-risk vendor relationships.
  • Implement continuous monitoring indicators using external attack surface and scorecard data.
  • Synthesize findings into executive dashboards and board-ready third-party risk reports.

Requirements & Prerequisites

Participants should have working knowledge of cybersecurity fundamentals, vendor or procurement processes, and basic risk concepts such as likelihood, impact, and residual risk. Prior exposure to ISO/IEC 27001:2022, NIST Cybersecurity Framework 2.0, or enterprise third-party due diligence processes is helpful but not mandatory. No programming is required, and all analytics activities use guided spreadsheets, templates, and reporting artifacts. The course works best for professionals who already review suppliers, assess controls, or support governance, risk, and compliance workflows.


Local Application and Business Return in your market

How participants can apply the training in local operating conditions, and the return their organisation can plan for.

How participants apply this

Participants apply this course by building a vendor inventory, assigning risk tiers, and selecting the right depth of due diligence for each supplier based on data access and business criticality. They then use questionnaires, evidence reviews, and control gap assessments to decide whether a vendor is acceptable, needs remediation, or should be rejected. In day-to-day work, they also translate cyber findings into procurement requirements, contract clauses, and escalation reports that decision-makers can act on. For ongoing oversight, they set review cycles and monitoring triggers so that risk is updated when a vendor’s posture, access, or service scope changes.

Expected ROI

Within 6 to 12 months, organizations usually see fewer ad hoc vendor reviews and faster onboarding because assessment templates and risk tiers are standardized. They also tend to improve visibility into which suppliers actually hold sensitive data or privileged access, which supports better prioritization of remediation and monitoring effort. Another common outcome is stronger audit readiness, since teams can show consistent evidence of due diligence, approvals, and follow-up actions. The business value is less wasted review time and fewer avoidable surprises from under-assessed suppliers.

Training Methodology

This is a practical, outcome-driven course designed to turn third-party cyber risk management aspiration into measurable action and credible reporting.

Methodology includes:

  • Calculate vendor risk scores using a guided third-party risk register and weighted scoring sheet.
  • Simulate a high-risk SaaS onboarding decision with security, procurement, and legal constraints.
  • Assess a supplier against ISO/IEC 27001:2022-aligned due diligence and control checklist.
  • Map stakeholders, approvals, and escalation paths across procurement, security, legal, and business owners.
  • Analyze case patterns from financial services, healthcare, technology, and manufacturing supply chains.
  • Build a remediation tracker and monitoring dashboard under time and budget constraints.
  • Review benchmark evidence from vendor scorecards and external exposure signals to challenge current practice.


Certification

Recognized credentials that advance your career

Participants who complete the Third-Party Cyber Risk Management Training Program earn a TrainingCred Certificate of Achievement, demonstrating professional competence and alignment with global standards in learning and development.

NITA Accredited

Accredited by the National Industrial Training Authority, ensuring programs meet nationally recognized standards of quality and relevance.

CPD Certified

Recognized by the CPD Certification Service, ensuring every program meets internationally benchmarked standards of professional excellence.

Why this course earns its place on your CV

Accredited training, practitioner trainers, and peers on the same career track — the three things real expertise is built on.

Effective Learning & Skill Development

  • Build expertise with structured, outcome-driven learning.
  • Equip individuals and teams with skills that grow with industry needs.
  • Reinforce learning through real-world scenarios, case studies and practical exercises.

Career Growth & Professional Advancement

  • Apply what you learn with a proven methodology that ensures lasting impact.
  • Develop immediately usable skills that translate directly into workplace success.
  • Gain the expertise needed for career advancement and leadership roles.

Training Optimization & Learning Excellence

  • Tailor training to industry-specific challenges and organizational goals.
  • Use data-driven insights and automation to enhance training effectiveness.
  • Evaluate progress and ensure long-term learning success.

Tools and platforms relevant to this field

Examples local teams may encounter, and that may be featured in training where they support the confirmed course scope.

These are field-relevant examples, not a promise that every tool will be covered. Exact coverage depends on the confirmed course scope, participant needs, and delivery format.

  • ServiceNow Vendor Risk Management (ServiceNow)
    Used to centralize vendor assessments, track remediation, and maintain a repeatable third-party risk workflow across procurement and security teams.
  • BitSight Security Ratings (BitSight)
    Used for continuous external monitoring of vendor cyber posture and to help prioritize suppliers that require deeper review.
  • OneTrust Third-Party Risk Management (OneTrust)
    Used to manage due diligence questionnaires, risk tiering, approvals, and ongoing vendor reassessments in a single workflow.
  • Archer Third-Party Risk Management (Archer)
    Used by governance, risk, and compliance teams to document vendor inventories, control gaps, and executive-level risk reporting.


Local market advisory

Course relevance for your market

A country-specific view of market pressure, regulatory context, and practical business return behind this training.


Why this course matters in your market

A market-specific advisory on the operating pressures this course helps teams address.

Third-party cyber risk management matters in the United States because organizations rely heavily on cloud platforms, SaaS providers, managed service firms, and outsourced operational partners, which means a vendor weakness can become a direct cyber incident. It is especially relevant for security, procurement, legal, compliance, and risk teams that must decide which vendors can be trusted with data, network access, or business-critical processes. The practical value of this training is better vendor tiering, stronger due diligence, and more defensible monitoring and remediation decisions across the vendor lifecycle. It helps leaders choose where to invest controls, contract terms, and oversight effort based on actual exposure rather than assumption.

Board-level oversight is now expected

U.S. organizations are under increasing pressure to show that third-party cyber risk is tracked at the same level as internal security risk, which makes executive reporting and governance skills directly relevant.

Cloud and SaaS expand the attack surface

Because many critical business services now sit outside the perimeter, teams need a repeatable way to map vendor access, classify sensitivity, and monitor changes over time.

Procurement and security must share ownership

This course is useful where vendor selection, contracting, and ongoing assurance are split across functions, since it gives both technical and non-technical teams a common risk language.

The training is timely because U.S. organizations are operating in an environment where vendor sprawl, remote service delivery, and continuous cloud adoption make point-in-time questionnaires insufficient. Teams need practical methods for continuous monitoring, contract-driven controls, and risk reporting that can support faster business decisions without increasing exposure.

Regulatory context in your market

The local regulators, laws, and frameworks shaping this discipline, with the curriculum mapped to what teams need to know.

Regulators

  • CISA: CISA matters because U.S. organizations use its guidance to strengthen supply-chain and third-party cyber resilience practices.
  • SEC: The SEC matters for public companies that must govern cyber risk and explain material exposure, including risks arising from third parties.
  • FTC: The FTC matters for organizations handling consumer data, where vendor oversight is part of reasonable security expectations.
  • OCC: The OCC matters for national banks and federal savings associations that must manage outsourced technology and service-provider risk.
  • Federal Reserve: The Federal Reserve matters for supervised financial institutions that rely on vendors, processors, and critical technology providers.
  • FDIC: The FDIC matters for insured banks that need disciplined vendor oversight as part of safety-and-soundness and cyber risk management.

Frameworks the course aligns with

  • 01 Gramm-Leach-Bliley Act · 1999
  • 02 Sarbanes-Oxley Act · 2002
  • 03 Health Insurance Portability and Accountability Act · 1996
  • 04 California Consumer Privacy Act · 2018

Frequently Asked Questions

Got questions? We've gathered the answers to common queries to help you feel confident and informed.

It is most useful for vendor risk analysts, security leaders, procurement teams, compliance staff, and governance professionals who review third-party access or evidence. It is also relevant for anyone who has to explain vendor cyber risk to executives or boards in a structured way.

General vendor management can include commercial, legal, and service-quality issues, while third-party cyber risk management focuses specifically on security exposure created by external parties. The course teaches participants how to assess controls, access, data sensitivity, and monitoring needs rather than only service performance.

They should be able to create vendor risk tiering matrices, due diligence questionnaires, control gap assessments, remediation plans, and executive risk summaries. Those outputs help turn scattered vendor data into a consistent decision-making process.

Yes. A key part of the discipline is moving beyond one-time onboarding checks to ongoing monitoring of vendor posture, access, and changes in risk status. That makes it easier to spot when a supplier needs a reassessment or escalation.

Trusted by 100+ organizations across 40+ countries

Premier Bank
Amnesty International
UNDT SACCO
UNFPA
USAID
AMREF Health Africa
KENTRADE
CPF
UFIA
UNICEF
Central Bank of Kenya
UNDP
GIZ
Barbours
Bank of Rwanda
RFA
Dahabshil Bank
Dorcas Aid
Finn Church Aid
KCB Foundation
Ministry of Education Saudi Arabia
NSSF Uganda
RBA
Reserve Bank of Malawi
WASREB Kenya
Virginia Commonwealth University