Third-party risk management (TPRM) is an audit focus in 2026: NIS-2 Art. 21(2)(d) makes supply chain security explicitly mandatory, ISO 27001 A.5.19–22 requires structured supplier evaluation, and GDPR Art. 28 requires data processing agreements with documented effectiveness checks. Anyone organizing this ad hoc via mail distributions loses the overview – and the audit.
What a Modern TPRM System Delivers
- Supplier inventory: central list with business area, criticality, contract status, data flow direction.
- Self-service questionnaires: supplier answers security questionnaire directly in the portal, instead of PDF back-and-forth via mail.
- Evidence upload: supplier uploads certificates (ISO 27001, SOC 2, BSI), sub-processor lists, pen-test reports – with automatic expiry reminders before the due date.
- Risk score: computed from answers + evidence + criticality classification. Traceable formula instead of gut feeling.
- Re-assessment cadence: annual update is automatically requested; escalation on non-fulfillment.
Self-Service Is the Real Game Changer
The classic security questionnaire workflow: the compliance officer mails a PDF to the supplier, the supplier sends a filled-in PDF back three weeks later, and the compliance officer manually transfers the answers into the internal system. Multiple loops, lots of Excel.
Self-service: the supplier gets a login (passwordless via magic link, or OIDC if the supplier has it), fills in the questionnaire directly in the portal, uploads evidence as files, and signs confirmations digitally. The compliance officer sees progress live, comments directly in the answer field, and requests clarifications without mail back-and-forth.
Risk Scoring That Isn't Arbitrary
The risk score is computed transparently from:
- Data classification: what data does the supplier process? (public → personal → special categories)
- Access depth: only order data or production access?
- Geography: EU-only, third country with adequacy decision, third country without?
- Certification status: ISO 27001 in place? SOC 2 Type II? BSI certification?
- Sub-processor depth: how many links in the supply chain?
Every factor is configurable in the platform – standard defaults match ISO 27001 best practices.
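As an added illustration (not code from this page or from any platform's implementation), here is what a traceable score over the five factors above can look like. The ordinal scales, weights, certification credits and tier thresholds are assumptions chosen for the example; the point is that the function returns a per-factor breakdown, so every point in the score can be traced to an answer or a piece of evidence.

```python
from dataclasses import dataclass

# Hypothetical scales and weights (assumptions, not any product's defaults).
DATA_CLASS = {"public": 0, "internal": 1, "personal": 2, "special_category": 3}
ACCESS = {"order_data": 0, "read_only": 1, "admin": 2, "production": 3}
GEOGRAPHY = {"eu": 0, "adequacy": 1, "third_country": 3}
CERT_CREDIT = {"iso27001": 2, "soc2_type2": 2, "bsi_c5": 1}  # each reduces exposure
WEIGHTS = {"data_class": 3, "access": 3, "geography": 2, "subprocessors": 1}
MAX_CHAIN_DEPTH = 5  # sub-processor links beyond this add no further points
TIERS = [(20, "critical"), (12, "high"), (5, "medium"), (0, "low")]

@dataclass
class Supplier:
    name: str
    data_class: str
    access: str
    geography: str
    certifications: list
    subprocessor_depth: int  # number of links in the supply chain

def _lookup(scale: dict, value: str, factor: str) -> int:
    if value not in scale:
        raise ValueError(f"{factor}: unknown value {value!r}, allowed {sorted(scale)}")
    return scale[value]

def score(s: Supplier) -> tuple[int, dict]:
    """Return (total, breakdown); the breakdown makes every point traceable."""
    breakdown = {
        "data_class": WEIGHTS["data_class"] * _lookup(DATA_CLASS, s.data_class, "data_class"),
        "access": WEIGHTS["access"] * _lookup(ACCESS, s.access, "access"),
        "geography": WEIGHTS["geography"] * _lookup(GEOGRAPHY, s.geography, "geography"),
        "subprocessors": WEIGHTS["subprocessors"] * min(s.subprocessor_depth, MAX_CHAIN_DEPTH),
    }
    exposure = sum(breakdown.values())
    # Certifications (verified evidence) lower exposure but never below zero,
    # so a certificate cannot turn a risky supplier into a "negative" risk.
    credit = sum(CERT_CREDIT.get(c, 0) for c in s.certifications)
    breakdown["certifications"] = -min(credit, exposure)
    return exposure + breakdown["certifications"], breakdown

def tier(total: int) -> str:
    """Map a score to the tier that drives review cadence and escalation."""
    for threshold, label in TIERS:
        if total >= threshold:
            return label
    return "low"

if __name__ == "__main__":
    s = Supplier("payroll-saas", "special_category", "production", "third_country",
                 ["iso27001", "soc2_type2"], 4)  # constructed sample supplier
    total, parts = score(s)
    print(s.name, total, tier(total), parts)
```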
Integration with the ISMS
Suppliers are not isolated; they connect with assets, risks, and measures:
- Asset linkage: every asset with an external provider auto-links to the supplier entry.
- Risk impact: supplier risks land in the central risk register with auto-suggestion for treatment measures.
- Review cycle: annual supplier reviews run through the review cycle manager – with multi-channel reminders.
- Contract repository: DPA, NDA, contract amendments are maintained with full-text search in OnlyOffice.
What the Auditor Likes to See
- Supplier list with criticality sorting as CSV export.
- Evidence directory per supplier with certificate expiry dates.
- Risk acceptance audit trail: who accepted the supplier risk score when.
- Sub-processor list, auto-published to the trust center.
Realistic Setup Expectation
For 50 active suppliers: 2 days of initial configuration (question templates, risk formula), 1 day of bulk import of existing data, then ~2 hours per week of operational effort. The ROI from the first audit alone typically covers the initial effort.
Conclusion
TPRM in 2026 is no longer an optional discipline but an audit-mandatory field. A self-service portal solution with transparent risk score, automatic re-assessment cadence, and integration with ISMS and trust center is the only scalable answer. Mail-distribution TPRM collapses at the 30th supplier at the latest – self-service carries 1,000.