The CTPRP designation is a professional credential designed to validate knowledge, experience, and proficiency in the development and operations of a comprehensive Third Party Risk Management (TPRM) Program; including the analysis, management, and remediation of Third Party risk issues.
The Job Practice Guide identifies the domains, topics, skills, competencies, and job role accountabilities that represent the type of work performed by an individual who supports the development, implementation, maintenance, and training of a Third Party risk management program within their organization. The structure of the Job Practice Guide is based on the inputs of Shared Assessments Program members, recognized best practices, and tools that drive Third Party risk assurance.
About The CTPRP Credential
To achieve the CTPRP credential, candidates must provide both evidence of their years of experience and successfully pass a rigorous proctored exam. To earn a CTPRP credential, we recommend at least 30 hours of preparation prior to taking the examination. The class materials and examination are career resources designed for those professionals who plan to certify, as well as for those who simply need to deepen their knowledge in Third Party risk management. The CTPRP training material and examination are organized by grouping the required body of knowledge topics into specific job practice focus areas.
The CTPRP examination contains questions testing the domain technical knowledge and application of on-the-job knowledge based on the CTPRP Curriculum Outline.
Examination Protocols & Question Formats
The CTPRP examination contains 125 questions worth up to 140 points.Examination questions include testing the domain technical knowledge and application of knowledge using Third Party risk situations. The CTPRP examination is a time-based (3 hours), closed book exam.
The exam is taken online from your computer and remote proctoring is required to monitor examination compliance. Multiple choice questions are presented to users using third party risk management scenarios from the Outsourcer or theService Provider point of view. A score of 70% or higher is required to pass the exam. Upon completion of the exam, a survey may be presented to provide feedback on the method of instruction, curriculum, materials, or examination content.
Knowledge Level: Intermediate
- Candidates may have detailed knowledge in certain topics but not all topics related to TPRM.
- Candidates tend to be in mid-level positions within the organization with at least 3-5 years of work experience in TPRM.
- Candidates may have operational or supervisory responsibilities or both.
- Demonstrate a thorough understanding of outsourcing business models, regulatory drivers, data governance factors and risk management frameworks involved in third party risk management.
- Differentiate each of the TPRM program components required to design, implement and operate a third-party risk management program based upon mitigating different types of third party risk.
- Illustrate knowledge of the control environment for evaluating third party risk for each of the risk control domains from the point of view of the outsourcer and the service provider.
- Construct TPRM program requirements to enable the development and execution of a third party risk assessment process as part of the overall enterprise risk management program.
CTPRP Body of Knowledge
I. Third Party Risk Management Foundation
A. Regulatory Drivers for Third Party Risk
B. Information Classification and Data Governance
C. Third Party Risk Management Program Components
II. Third Party Risk Program Management
A. TPRM Program Structure
- Program governance policies, standards, and procedures
B. TPRM Operations
- Contract development, adherence and contract management
- Vendor risk classification
- Due diligence standards
- Skills and Expertise
- Communications and information sharing
C. TPRM Measurements
- Tools, measurements & analysis
- Monitoring and review
III. Third Party Risk Control Domains
A. Governance & Risk Management
- Risk assessment & treatment
- Information security policy
- Organizational security
- Data privacy governance
- Human resources security
- Compliance & audit
B. Information Protection
- Access control
- End user device security
- Server security
- Network security
- Application security
- Privacy Data safeguards
- Cloud security
- Physical & environmental security
C. IT Operations & Business Resiliency
- Asset management
- Operations management
- Business continuity management
- Disaster Recovery
D. Security Incident & Threat Management
- Incident event and communications
- Threat management
- Vulnerability program
- Security awareness
IV. Third Party Risk Assessment Process
A. Phases of an Engagement
B. Assessment Planning & Preparation
C. Assessment Engagement & Communication
D. Post-Assessment Reporting & Remediation
CTPRP Exam Profile
CTPRP Third Party Risk Role Accountabilities
- Participates in the classification and risk tiering of third parties, including defining the frequency of risk assessments
- Coordinates the identification, ranking and tracking of third party risks for the organization
- Defines the due diligence standards based on risk rating or classification to be applied in third party assessments Manages communication plans and escalation plans regarding third party risk governance activities
- Actively drives coordination and implementation for the overall third party risk management program function within the organization
- Monitors changes in the regulatory landscape to identify relevant compliance requirements
- Facilitates the escalation process for management risk acceptance or remediation approvals
- Partners with lines of business to manage third party risk as defined in contracts and third party policies and procedures
- Collaborates with internal functions to deploy standard contract provisions for security and privacy requirements Monitors remediation actions and mitigation plans for identified third party risks
- Defines and tracks third party risk assessment metrics
- Communicates third party risk requirements to internal stakeholders
- Negotiates with third parties and business partners to address compliance with risk management policies Coordinates gathering and analysis of risk assessment data for management
- Maintains third party governance policies, procedures and practices
- Provides dashboard reporting on third party risk management program activities, results, and outcomes Identifies and implements monitoring functions for critical vendors
- Supports the vendor due diligence process by ensuring data protection requirements are maintained in contractual relationships
No advance preparation is required
Delivery method: Group Internet Based
CPEs Earned for Completion: 12
Field of Study: Specialized Knowledge