TPRM Consultant

Posted 23hrs ago

Employment Information

Education
Salary
Experience
Job Type

Report this job

Job expired or something wrong with this job?

Job Description

TPRM Consultant building and operating vendor risk management program for certification readiness and compliance initiatives. Engaging in cross-functional coordination and support for audits and assessments.

Responsibilities:

  • Develop and build an end-to-end TPRM Program - onboarding, risk assessments, performance monitoring, and offboarding
  • Support ISO 27001 audit readiness activities, including gap assessments and remediation tracking as needed.
  • Assess third-party/vendor risk exposure and ensure compliance with security and regulatory requirements.
  • Coordinate with internal stakeholders (IT, Legal, Security, Procurement) to align the TPRM Program with existing frameworks
  • Develop and build the vendor risk registers, compliance trackers, and audit documentation as the single source of truth, keeping it current and audit-ready
  • Support internal and external audits, liaising with certification bodies as needed
  • Design the TPRM policy, procedure, and risk-tiering methodology (critical/high/medium/low based on data access, business impact, and regulatory exposure)
  • Build vendor risk assessment templates (SIG/CAIQ-aligned questionnaires, DPIA triggers for vendors processing personal data)
  • Establish the vendor inventory/register and define onboarding, monitoring, and offboarding workflows
  • Recommend standard security/privacy contract clauses and Data Processing Agreement (DPA) templates for Legal and Procurement to adopt
  • Own and execute the full vendor risk assessment lifecycle across all tiers on the defined cadence (e.g., annual for critical, biennial for lower risk)
  • Continuously monitor vendor risk posture (security ratings platforms, incident tracking, contract or scope changes) and reassess as needed
  • Coordinate with Legal/Procurement on contract renewals, DPA updates, and sub processor changes
  • Support internal and external audits (ISO 27001, customer security reviews) with TPRM evidence and documentation
  • Prepare and present vendor risk metrics, top risks, and program status to leadership/risk committee on a regular cadence (e.g., monthly or quarterly)
  • Provide guidance and light training to internal stakeholders (Procurement, business owners) on TPRM policy and process
  • Develop the SOP for managing vendor offboarding, including secure data return/destruction confirmation and access revocation tracking
  • Periodically refine the program (policy updates, template improvements, tooling optimization) as the vendor landscape and regulatory environment evolve
  • Reduce weekly hours once the vendor register is complete and the first full assessment cycle has closed, in agreement with the organization.

Requirements:

  • Proven experience in Vendor/Third-Party Risk Management
  • Solid background in GRC frameworks and practices
  • Experience preparing organizations for ISMS certification
  • Hands-on experience with ISO 27001 auditing (internal or external)
  • Familiarity with risk assessment methodologies and compliance reporting
  • Strong stakeholder management and cross-functional coordination skills
  • Strong working knowledge of ISO 27001, SOC 2, NIST CSF/800-53, GDPR (Art. 28, 32), and CCPA
  • Hands-on experience reviewing SOC 2 reports, ISO certificates, penetration test results, and vendor security questionnaires (SIG, CAIQ)
  • Experience drafting or advising on DPAs, security addenda, and sub-processor clauses
  • Comfortable operating as the embedded/de facto TPRM function — proactive, autonomous, and reliable on a recurring cadence rather than a one-time deliverable
  • Strong written and verbal communication skills, including presenting to executive stakeholders
  • Available for a sustained, ongoing commitment: 15–20 hours/week during the build phase, reducing thereafter.

Benefits:

  • None specified