CTPRA Job Guide

Role Description

The CTPRA designation is designed to validate knowledge and experience within specific Third Party risk management competencies that an individual will need to conduct a thorough risk evaluation of a third party during an assessment, including risk analysis and reporting. The Job Practice Guide identifies the domains, topics, skills, competencies, and job role accountabilities that represent the type of work performed in the role of a Third Party risk assessor who plans, performs, and oversees third party assessments across multiple risk domains. The structure of the Job Practice Guide is based on the inputs of Shared Assessments Program members, recognized best practices, and education and tools that drive third party risk assurance.

About The CTPRA Credential

To achieve the CTPRA credential, candidates must both provide evidence of their years of experience and successfully pass a rigorous proctored exam. It is not uncommon for CTPRA test takers to not pass the test on the first attempt. We recommend at least 30 hours of preparation prior to taking the examination. The class materials and examination are career resources designed for those professionals who plan to certify, as well as for those who simply need to deepen their knowledge in third party risk management. The CTPRA training material and examination are organized by grouping the required body of knowledge topics into specific job practice focus areas. The CTPRA examination contains questions testing domain technical knowledge and application of on-the-job knowledge based on the CTPRA Curriculum Outline.

Examination Protocols & Question Formats

The CTPRA examination contains 125 questions worth up to 140 points. Examination questions include testing the domain technical knowledge and application of knowledge using Third Party risk situations. The CTPRA examination is a time-based (3 hours), closed book exam taken on your own computer. Remote proctoring is required to monitor examination compliance. Multiple choice questions are presented to users using third party risk management scenarios from the Outsourcer or the Service Provider point of view. A score of 70% or higher is required to pass the exam. Upon completion of the exam a survey may be presented to provide feedback on the method of instruction, curriculum, materials, or examination content.

CTPRA Curriculum Outline

I. Third Party Risk Management Foundation
A. Regulatory Drivers for Third Party Risk
B. Information Classification and Data Governance
C. Third Party Risk Management Program Components

II. Risk Assessment Fundamentals
A. Assessment Frameworks and Standards
B. Risk Assessment Techniques
C. Vendor Classification and Due Diligence Requirements
D. Types of Third Party Risk Assessments

III. Risk Control Domains

A. Governance & Risk Management

  • Risk assessment & treatment
  • Information security policy
  • Organizational security
  • Data privacy governance
  • Human resources security
  • Compliance & audit

B. Information Protection

  • Access control
  • End user device security
  • Server security
  • Network security
  • Application security
  • Data privacy safeguards/information systems
  • Cloud security
  • Physical & environmental security

C. IT Operations & Business Resiliency

  • Asset management
  • Operations management
  • Business continuity management
  • Disaster recovery

D. Security Incident & Threat Management

  • Incident event and communications
  • Threat management
  • Vulnerability program
  • Security awareness

IV. Third Party Risk Assessment Process
A. Phases of an Assessment
B. Assessment Planning and Preparation Activities
C. Assessment Execution and Communication
D. Post Assessment Reporting & Remediation


CTPRA Third Party Assessor Accountabilities

  • Actively drives coordination and execution of third party risk assessment reviews, either on-site or through virtual assessments
  • Participates in the creation, development, and deployment of security and risk plans and mitigation controls
  • Manages and deploys third party risk intake, assessment, remediation, risk acceptance and communication processes
  • Conducts security, vulnerability and control assessments using standard methodologies
  • Plans and coordinates testing and verification of controls
  • Reviews compliance artifacts and technical materials to identify and evaluate controls
  • Monitors existing and proposed security, risk, and control frameworks
  • Monitors changes in regulation that impact third party risk
  • Builds and manages remediation plans for third party due diligence risk assessments
  • Manages and maintains information in governance, risk, compliance systems and tools
  • Prepares reports on risk ratings, findings, and assessment results
  • Identifies and evaluates compensating controls based on risk mitigation techniques
  • Analyzes complex situations where an in-depth evaluation of risk is required
  • Accountable for synthesizing information for technical and non-technical audiences
  • Ability to use judgement within established policies and procedures to evaluate control effectiveness and control attributes
  • Creates management reporting on third party risk activities across multiple engagements
  • Conducts audits or assessments in alignment with standards and risk-based strategies
  • Conducts interviews with subject matter experts to gain thorough understanding of the control environment
  • Identifies synergies and dependencies in planning third party assessments
  • Manages project management timelines, status reports, findings, results, and recommendations to stakeholders
  • Interacts directly with key personnel within both IT and lines of business to understand the roles and responsibilities
