The Certified Third Party Risk Assessor (CTPRA) designation is a professional credential that validates knowledge, expertise, and proficiency in controls evaluation within specific Third Party risk control domains needed in order to perform a comprehensive IT risk evaluation of a third party during an assessment.
The Job Practice Guide identifies the domains, topics, skills, competencies, and job role accountabilities that represent the type of work performed in the role of a Third Party risk assessor who plans, performs, and oversees third party assessments across multiple risk domains. The structure of the Job Practice Guide is based on the inputs of Shared Assessments Program members, recognized best practices, and education and tools that drive third party risk assurance.
About The CTPRA Credential
To achieve the CTPRA credential, candidates must provide both evidence of their years of experience and successfully pass a rigorous proctored exam. It is not uncommon for CTPRA test takers to not pass the test on the first attempt. We recommend at least 30 hours of preparation prior to taking the examination. The class materials and examination are career resources designed for those professionals who plan to certify, as well as for those who simply need to deepen their knowledge in third party risk management. The CTPRA training material and examination are organized by grouping the required body of knowledge topics into specific job practice focus areas. The CTPRA examination contains questions testing domain technical knowledge and application of on-the-job knowledge based on the CTPRA Curriculum Outline.
Examination Protocols & Question Formats
The CTPRA examination contains 125 questions worth up to 140 points.Examination questions include testing the domain technical knowledge and application of knowledge using Third Party risk situations. The CTPRA examination is a time-based (3 hours), closed book exam taken on your own computer. Remote proctoring is required to monitor examination compliance. Multiple choice questions are presented to users using third party risk management scenarios from the Outsourcer or the ServiceProvider point of view. A score of 70% or higher is required to pass the exam. Upon completion of the exam a survey may be presented to provide feedback on the method of instruction, curriculum, materials, prexamination content.
Knowledge Level: Advanced
- Candidates are seasoned professionals or have deep technical expertise.
- Candidates have in-depth knowledge on TPRM topics in order to conduct assessments.
- Candidates may also pursue the certification to organizational leaders with specialized knowledge in certain areas who need to enhance their skills/knowledge on applying that knowledge to outside relationships.
- Demonstrate a thorough understanding of outsourcing business models, regulatory drivers, data governance factors involved in third party risk management in order to understand each of the core components of a TPRM program.
- Incorporate industry and technology assessment frameworks for controls evaluation using risk assessment techniques to conduct various types of assessments based on vendor classification, risk rating, and criticality.
- Evaluate, interpret, and understand a third party’s control environment based on analysis of risk factors for each category of third party risk control domains from the point of view of the outsourcer and the service provider.
- Organize and manage the due diligence and risk assessment process by conducting discovery, review of artifacts, and testing to effectively validate controls, identify and risk rate findings, and identify measures for risk mitigation.
CTPRA Curriculum Outline
Module I. Third Party Risk Management Foundation
A. Regulatory Drivers for Third Party Risk
B. Information Classification and Data Governance
C. Managing Risk in Third Party Relationships
Module II. Risk Based Due Diligence
A. Assessment Frameworks, Standards and Methodologies
B. Risk Assessment Techniques
C. Vendor Classification and Risk Ratings in Due Diligence
Module III. Risk Control Domains
A. Governance & Risk Management
- Enterprise Risk Management
- Information Security Policy
- Organizational Security
- Compliance and Audit
- Data Privacy Governance
- Human Resources Security
B. Information Protection
- Access Control
- End User Device Security
- Network Security
- Server Security
- Application Security
- Data Privacy Safeguards
- Cloud Hosting Services
- Physical & Environmental Security
C. IT Operations & Business Resiliency
- Asset Management
- IT Operations Management
- Operational Resilience
- Disaster Recovery
D. Security Incident & Threat Management
- Incident Event & Communications
- Threat Management
- Vulnerability Program
- Security Awareness
Module IV. Third Party Risk Assessment Process
A. Phases of the Assessment Process
B. Assessment Planning and Preparation
C. Assessment Execution and Communication
D. Post Assessment Reporting & Remediation
CTPRA Exam Profile
CTPRA Third Party Assessor Accountabilities
- Actively drives coordination and execution of conducting third party risk assessment reviews either on-site or through virtual assessments
- Participates in the creation, development, deployment of security and risk plans and mitigation controls Manages and deploys third party risk intake, assessment, remediation, risk acceptance and communication processes
- Conducts security, vulnerability and control assessments using standard methodologies
- Plans and coordinates testing and verification of controls
- Reviews compliance artifacts and technical materials to identify and evaluate controls
- Monitors existing and proposed security, risk, and control frameworks
- Monitors changes in regulation that impact third party risk
- Builds and manages remediation plans for third party due diligence risk assessments
- Manages and maintains information in governance, risk, compliance systems and tools
- Prepares reports on risk ratings, findings, and assessment results
- Identifies and evaluates compensating controls based on risk mitigation techniques
- Analyzes complex situations where an in-depth evaluation of risk is required
- Accountable to synthesize information to technical and non-technical audiences
- Ability to use judgement within established policies and procedures to evaluate control effectiveness and control attributes
- Creates management reporting on third party risk activities across multiple engagements
- Conducts audits or assessments in alignment with standards and risk-based strategies
- Conducts interviews with subject matter experts to gain thorough understanding of the control environment Identifies synergies and dependencies in planning third party assessments
- Manages project management timelines, status reports, findings, results, and recommendations to stakeholders
- Interacts directly with key personnel within both IT and lines of business to understand the roles and responsibilities
No advance preparation is required
Delivery method: Group Internet Based
CPEs Earned for Completion: 12
Field of Study: Specialized Knowledge