Shared Assessments Third Party Risk Management Certification

The Certified Third Party Risk Assessor (CTPRA) designation from the Shared Assessments Program validates knowledge within specific IT risk control domains that an individual will need in order to perform a thorough IT risk evaluation of a third party during an assessment:

  • Organizational safety and security, including policy administration, organizational structure and human resource security.
  • Physical and environmental security of data environment.
  • Network security, including application, server and endpoint management.

Who is it for?

The CTPRA is designed for third party risk, procurement and compliance professionals, including:

  • IT Auditors/Assessors
  • Risk Managers (Vendor & Ops)
  • Security and Risk Analysts
  • Management Consultants
  • IS Auditors/Professionals
  • Audit
  • Compliance
  • Procurement
  • Business resilience
  • IT Vendor Management

“The primary benefit of the certifications is the associated body of knowledge. We use it quite often. It has held up as the golden standard in the TPRM profession even as the profession has expanded significantly in the past few years.”

—Bill Deller, Manager, IT Risk Advisory Services Schneider Downs


CTPRA Impact on Risk Management Careers

In a recent poll of CTPRA holders, we discovered the following:


CTPRA holders report training improved their ability to fulfill their job duties.


CTPRA certification helped them land a new job or earn a promotion.


CTPRA’s current annual compensation ranged from $90,000 to $120,000

Upcoming Classes

COST: $1,095 Member | $1,295 Non-Member | Annual Maintenance Fee $100
CTPRA classes consist of two 5-hours sessions taught via web conference. Private classes and volume discounts are available. If a class does not have a minimum number of registrants, the class may be cancelled and registrants will be contacted about moving to a future session.

June 8-9, 2021
10:00am – 3:00pm ET

CTPRA Eligibility Requirements

In order to gain your CTPRA, you must have a minimum of five years experience as a risk management professional, In a position(s) that demonstrate proficiency in assessment, management and remediation of third party risk issues.

Experience Required Defined

CTPRA applicants must have a thorough working knowledge of IT risk management concepts and principles, including but not limited to:

  • Risk assessment administrative controls
    • Knowledge of various assessment frameworks and standards
    • Organizational security structure
  • Risk assessment technical controls, including but not limited to:
    • Operations Management
    • Network Security
    • Server Security
  • The fundamentals of vendor risk assessment, monitoring and management
    • Effective utilization of third party questionnaires (trust)
    • Conducting onsite assessments (verify)
    • Developing an effective remediation plan and remediation reporting

Among the areas of expertise that qualify for CTPRA experience include some or all of the following areas:

  • Third party risk management/assessment
  • Audit and/or compliance
    • Experience with determining whether organizations are executing risk controls against specific standards
  • The risk control areas assessed as part of the third party assessment process
    • Knowledge in the importance of risk controls and determining if controls are adequate.
Work Experience Substitutions and Waivers

A maximum of one (1) year work experience may be waived as follows:

  • One year waiver: The applicant holds an IT or IS certification (i.e., CISA, CISSP, CIPP, CIPM, etc.).

 NOTE: The acceptance of a certification in lieu of one (1) year work experience is subject to the approval of the CTPRA Certification Committee.

Less Than Five(5) Years Experience

If an exam taker successfully passes the CTPRA exam but holds less than the minimum required years of experience, the individual will be awarded the Associate CTPRA designation. The Associate CTPRA certification period expires once the five (5) year professional experience requirement is met.

Employer Verification

 A manager at the applicant’s current place of employment must sign the CTPRA Proof of Experience form and attest to holding the minimum required experience. For those who are self-employed or unemployed, the CTPRA Certification Committee will make a determination based on a review of documentation provided to show the necessary experience.  Supporting documentation should be provided with Proof of Experience form to show the length and level of experience, including, but not limited to, items such as a current resume or CV, agendas from speaking engagements, letters of recommendation from past employers or consulting clients.   For more information, please contact The Santa Fe Group at 505-466-6434 or

The Santa Fe Group is registered with the National Association of State Boards of Accountancy (NASBA) as a sponsor of continuing professional education on the National Registry of CPE Sponsors. State boards of accountancy have final authority on the acceptance of individual courses for CPE credit. Complaints regarding registered sponsors may be submitted to the National Registry of CPE Sonsors through its website:

Third Party Risk Certification FAQs

What is the CTPRA Exam Process?

The CTPRA examination contains 125 questions worth up to 140 points. Examination questions includes testing the domain technical knowledge and application of knowledge using third party risk situations. The CTPRA examination is a time-based, closed book exam, completed within 3 hours. The exam is taken online, and remote proctoring will be required to monitor examination compliance. Upon completion of the exam a survey may be presented to provide feedback on the method of instruction, curriculum, materials, or examination content. Multiple choice questions will be presented to users using third party risk management scenarios from the outsourcer or the service provider point of view.

What is a typical time commitment for the CTPRA Workshop and Exam?

The Shared Assessments CTPRA workshop is a two-day event consisting of workshop instruction followed by the examination. A typical event timeline is as follows:

CTPRA WORKSHOP (Day 1) Time:  10:00am-3:00pm ET

CTPRA WORKSHOP (Day 2) Time: 10:00am-3:00pm ET

Completion of both days of this course will earn 8 CPEs. We do not issue CPEs for partial attendance. 


After successfully completing the workshop, candidates will have a month-long window to schedule their exam with Examity.  We estimate that, on average, candidates will need to spend 30 hours preparing for the exam.

What topics are covered within the CTPRA course?

The CTPRA Certification Job Practice Guide identifies the domains, topics, skills, competencies, and job role accountabilities that represent the type of work performed in the role of a third-party risk assessor who plans, performs, and oversees third party assessments across multiple risk domains. The structure of the job practice guide is based on the inputs of Shared Assessments Program members, recognized best practices, education and tools that drive third party risk assurance.

Does my professional experience qualify for the CTPRA designation?

Individuals interested in obtaining the Shared Assessments CTPRA certification are required to hold a minimum of five (5) years experience as an IT risk management professional. Listed below is an example of the type of experience that qualifies:

  • Third party risk management/assessment
  • Audit and/or compliance
  • Experience with determining whether organizations are executing risk controls against specific standards
  • The risk control areas assessed as part of the third party assessment process
  • Knowledge in the importance of risk controls and determining if controls are adequate.

Individuals who do not hold the prerequisite five years work experience in the above fields will qualify for the Associate CTPRA designation.

Where can I find upcoming courses?

All upcoming courses are listed in the “Upcoming Classes” section above.

I have a group of people who want to become certified. Do you offer private trainings for organizations?

The Shared Assessments Program can accommodate private training events for organizations willing to certify 10 or more people. Please contact for more information.

What is included within the registration cost?

The CTPRA registration cost includes the two-day instructor-led workshop, an exam window with Examity, and access to online reference and study materials. Shared Assessments does not issue PDFs or hard copies of these documents.

How do I maintain my certification?

In order to retain your certification, CTPRA holders must comply with the following requirements:

  • Successfully earn the required number of 20 CPE credits annually for a total of 60 CPE credits per three year certification period;
  • Remain current with payments for the $100 annual maintenance and renewal fee;
  • Successfully abide by the Shared Assessments Code of Ethics
Am I able to take only the exam and not the workshop?

In order to participate in the Shared Assessments CTPRA examination you must also participate in the CTPRA workshop lecture.

What is the certification process?

Individuals who are interested in obtaining the Shared Assessments CTPRA designation must complete the following process in order to be awarded the CTPRA designation:

  • Attend a scheduled CTPRA instructor-led workshop
  • Successfully pass the CTPRA examination
  • Submit the CTPRA Proof of Experience form detailing the prerequisite five (5) years experience as an IT risk management professional

The CTPRA designation will be awarded to those who complete the three steps indicated above. Individuals who do not meet the prerequisite five years experience as an IT risk management professional will be awarded the Associate CTPRA designation.