CTPRA Job Guide

Program Description

The Certified Third Party Risk Assessor (CTPRA) designation is a professional credential that validates expertise, decision making and proficiency in third-party risk and controls evaluation. The program includes the processes for identifying, quantifying, and mitigating third-party risk within an organization’s TPRM program. The program structure emphasizes on the controls evaluation process within specific risk domains to conduct comprehensive governance, operational risk, IT, and cyber-risk third party evaluations using distinct assessment techniques. (12 CPEs can be earned for completing the course)

About The CTPRA Credential

To achieve the CTPRA credential, candidates must provide both evidence of their years of experience and successfully pass a rigorous proctored exam. It is not uncommon for CTPRA test takers to not pass the test on the first attempt. We recommend at least 30 hours of preparation prior to taking the examination. The class materials and examination are career resources designed for those professionals who plan to certify, as well as for those who simply need to deepen their knowledge in third party risk management. The CTPRA training material and examination are organized by grouping the required body of knowledge topics into specific job practice focus areas. The CTPRA examination contains questions testing domain technical knowledge and application of on-the-job knowledge based on the CTPRA Curriculum Outline.


Examination Protocols & Question Formats

The CTPRA examination contains 125 questions worth up to 140 points.Examination questions include testing the domain technical knowledge and application of knowledge using Third Party risk situations. The CTPRA examination is a time-based (3 hours), closed book exam taken on your own computer. Remote proctoring is required to monitor examination compliance. Multiple choice questions are presented to users using third party risk management scenarios from the Outsourcer or the ServiceProvider point of view. A score of 70% or higher is required to pass the exam. Upon completion of the exam a survey may be presented to provide feedback on the method of instruction, curriculum, materials, prexamination content.


Knowledge Level: Advanced


  • Candidates are seasoned risk or audit professionals or have deep technical expertise in information security, resilience, and information technology management.
  • Candidates should have strong security and technological acumen and ability to apply that knowledge into evaluating a third-party’s control environment.
  • Candidates have in-depth experience on risk identification and quantification to properly scope and conduct third party risk assessments
  • Candidates tend to have experienced IT backgrounds based on years of experience. 
  • Candidates may have operational or supervisory responsibilities or both.
  • Candidates tend to use the certification to broaden their skills and knowledge in techniques for conducting assessments to facilitate job advancement in assessment or audit roles.

Learning Objectives

  • Demonstrate a thorough understanding of outsourcing business models, regulatory drivers, data governance factors involved in third party risk management in order to understand each of the core components of a TPRM program.
  • Incorporate industry and technology assessment frameworks for controls evaluation using risk assessment techniques to conduct various types of assessments based on vendor classification, risk rating, and criticality.
  • Evaluate, interpret, and understand a third party’s control environment based on analysis of risk factors for each category of third party risk control domains from the point of view of the outsourcer and the service provider.
  • Organize and manage the due diligence and risk assessment process by conducting discovery, review of artifacts, and testing to effectively validate controls, identify and risk rate findings, and identify measures for risk mitigation.

CTPRA Curriculum Outline

Module I. Third Party Risk Management Foundation
A. Regulatory Drivers for Third Party Risk
B. Information Classification and Data Governance
C. Managing Risk in Third Party Relationships

Module II. Risk Based Due Diligence
A. Assessment Frameworks, Standards and Methodologies
B. Risk Assessment Techniques
C. Vendor Classification and Risk Ratings in Due Diligence

Module III. Risk Control Domains

A. Governance & Risk Management

  • Enterprise Risk Management
  • Information Security Policy
  • Organizational Security
  • Compliance and Audit
  • Data Privacy Governance
  • Human Resources Security

B. Information Protection

  • Access Control
  • End User Device Security
  • Network Security
  • Server Security
  • Application Security
  • Data Privacy Safeguards
  • Cloud Hosting Services
  • Physical & Environmental Security

C. IT Operations & Business Resiliency

  • Asset Management
  • IT Operations Management
  • Operational Resilience
  • Disaster Recovery

D. Security Incident & Threat Management

  • Incident Event & Communications
  • Threat Management
  • Vulnerability Program
  • Security Awareness

Module IV. Third Party Risk Assessment Process
A. Phases of the Assessment Process
B. Assessment Planning and Preparation
C. Assessment Execution and Communication
D. Post Assessment Reporting & Remediation

CTPRA Exam Profile


CTPRA Third Party Assessor Accountabilities

  • Actively drives coordination and execution of conducting third party risk assessment reviews either on-site or through virtual assessments
  • Participates in the creation, development, deployment of security and risk plans and mitigation controls Manages and deploys third party risk intake, assessment, remediation, risk acceptance and communication processes
  • Conducts security, vulnerability and control assessments using standard methodologies
  • Plans and coordinates testing and verification of controls
  • Reviews compliance artifacts and technical materials to identify and evaluate controls
  • Monitors existing and proposed security, risk, and control frameworks
  • Monitors changes in regulation that impact third party risk
  • Builds and manages remediation plans for third party due diligence risk assessments
  • Manages and maintains information in governance, risk, compliance systems and tools
  • Prepares reports on risk ratings, findings, and assessment results
  • Identifies and evaluates compensating controls based on risk mitigation techniques
  • Analyzes complex situations where an in-depth evaluation of risk is required
  • Accountable to synthesize information to technical and non-technical audiences
  • Ability to use judgement within established policies and procedures to evaluate control effectiveness and control attributes
  • Creates management reporting on third party risk activities across multiple engagements
  • Conducts audits or assessments in alignment with standards and risk-based strategies
  • Conducts interviews with subject matter experts to gain thorough understanding of the control environment Identifies synergies and dependencies in planning third party assessments
  • Manages project management timelines, status reports, findings, results, and recommendations to stakeholders
  • Interacts directly with key personnel within both IT and lines of business to understand the roles and responsibilities

CTPRA Profile

Additional Information

No advance preparation is required
Delivery method: Group Internet Based
CPEs Earned for Completion: 12
Field of Study: Specialized Knowledge




Are you interested in being a speaker at one of our events?

Sign up for our Newsletter

Learn about upcoming events, special offers from our partners and more.