NOXVERI Service

Third party cyber risk and vendor security assessment

Most TPRM programmes are built on questionnaires. Questionnaires tell you what suppliers say about themselves. NOXVERI evaluates what is actually in place — and whether it is adequate for the risk the supplier represents to your organisation.

Tags: TPRM · Third Party Risk · Vendor Assessment · Supply Chain Security · NIS2 · DORA · ISO 27001

Questionnaires don't manage risk — they document it

Asking a supplier to fill in a security questionnaire and reviewing their ISO 27001 certificate is not third party risk management. It is the illusion of risk management. A questionnaire records self-declared answers, and a certificate attests that a management system exists within a stated scope, which may not even cover the service you consume. Neither tells you whether the controls that protect your data are operating. The uncomfortable reality is that most TPRM programmes create false assurance rather than genuine risk reduction.

The question worth asking: if your most critical supplier were compromised today, would your TPRM programme have surfaced that as a high-risk scenario? If the honest answer is no, the programme is not managing risk — it is managing paperwork.

Risk-based, not process-based

NOXVERI treats TPRM as a risk management exercise, not a compliance process. The objective is an accurate picture of supplier risk and actionable decisions — what to require, what to monitor, when to escalate and when a supplier relationship needs to be reconsidered.

Step 1

Supplier inventory and classification

Building or validating the supplier register — who has access to what, what they process, what operational dependency exists and what the exposure profile looks like. Classification by criticality and risk tier provides the foundation for proportionate assessment. Not every supplier warrants the same depth of scrutiny; the programme should reflect that.

Step 2

Security assessment of critical suppliers

For suppliers in high-risk tiers, NOXVERI conducts assessments that go beyond questionnaire review. This means evaluating actual controls: how access to your data and systems is granted, reviewed and revoked; how incidents are detected, handled and reported to customers; what security testing is in place and how its results are acted on; and which subprocessors the supplier depends on, since their exposure becomes yours. The assessment is calibrated to the exposure profile, asking what matters for this supplier given what they touch.

Step 3

Risk model and actionable recommendations

Assessment findings are translated into a risk model specific to the organisation — not a generic severity rating, but a view of what the risk means in context. Recommendations cover what to require from suppliers (contractually and operationally), how to structure ongoing monitoring, what thresholds should trigger escalation, and where supplier relationships carry unacceptable residual risk.

Output, not process: the engagement delivers a supplier risk register with assessed tiers, a gap analysis against regulatory and contractual requirements, and a set of specific, prioritised actions. The organisation ends the engagement knowing which suppliers represent genuine risk and what to do about it.

Supply chain security is a regulatory requirement, not a best practice

Two EU regulations, NIS2 and DORA, now make third party risk management a legal obligation for the entities in their scope, and ISO 27001, while voluntary, makes it a condition of certification that customers and contracts increasingly demand. In all three the bar has risen from "have a process" to "demonstrate it works."

NIS2 · Art. 21

Supply chain security obligations

NIS2 Article 21(2)(d) explicitly lists supply chain security, including security-related aspects of the relationships between an entity and its direct suppliers and service providers, as a required cybersecurity risk management measure. Under Article 21(3), essential and important entities must take into account the vulnerabilities specific to each direct supplier and service provider, the overall quality of their products and their cybersecurity practices, including their secure development procedures. In other words, the obligation is to assess suppliers, not merely to have a supplier policy.

In practice: regulators will ask for evidence of supplier risk assessment, not just a policy that says it happens.

DORA · Chapter V

ICT third-party risk management

DORA Chapter V (Articles 28 to 44) establishes a detailed framework for managing ICT third-party risk in the financial sector. Obligations include: maintaining a register of information on all ICT third-party arrangements (Article 28), conducting due diligence before engagement and on an ongoing basis, ensuring contractual arrangements meet minimum content requirements such as audit and access rights, incident notification, termination rights and exit strategies (Article 30), and submitting to the oversight framework for Critical Third-Party Providers (CTPPs) where applicable (Articles 31 to 44).

The European Supervisory Authorities are actively reviewing ICT third-party risk management as a supervisory priority.

ISO 27001 · Annex A

Supplier relationships

ISO 27001:2022 Annex A controls 5.19 to 5.22 cover information security in supplier relationships: the supplier relationship itself (5.19), security requirements in supplier agreements (5.20), managing security in the ICT supply chain (5.21), and monitoring, reviewing and managing changes to supplier services (5.22). Control 5.23 adds specific requirements for the use of cloud services, which for most organisations is where supplier exposure concentrates. Certification auditors increasingly scrutinise whether these controls are genuinely operating, not just documented in policy.

A well-structured TPRM programme directly supports ISO 27001 compliance and certification maintenance.

Organisations with real supplier exposure

The assessment is most relevant where supplier risk is genuine — not where a process needs to exist for its own sake. If the answer to "what happens if this supplier is compromised?" is uncomfortable, that's the right starting point.

Let's talk about your supplier risk picture

Send a brief description of your situation — the scale of your supplier base, what concerns you most, and any regulatory context. NOXVERI will come back with an honest view of how the assessment can help. No commitment, no templated proposal.

Schedule a conversation