CTPRP Job Guide

Role Description

The CTPRP designation is designed to validate the knowledge and experience needed to demonstrate proficiency in the development of a comprehensive Third Party Risk Management (TPRM) Program, and in the assessment, analysis, management, and remediation of Third Party risk issues. The Job Practice Guide identifies the domains, topics, skills, competencies, and job role accountabilities that represent the type of work performed by an individual who supports the development, implementation, maintenance, and training of a Third Party risk management program within their organization. The structure of the Job Practice Guide is based on the inputs of Shared Assessments Program members, recognized best practices, and tools that drive Third Party risk assurance.

About The CTPRP Credential

To achieve the CTPRP credential, candidates must provide both evidence of their years of experience and successfully pass a rigorous proctored exam. To earn a CTPRP credential, we recommend at least 30 hours of preparation prior to taking the examination. The class materials and examination are career resources designed for those professionals who plan to certify, as well as for those who simply need to deepen their knowledge in Third Party risk management. The CTPRP training material and examination are organized by grouping the required body of knowledge topics into specific job practice focus areas.

The CTPRP examination contains questions testing the domain technical knowledge and application of on-the-job knowledge based on the CTPRP Curriculum Outline.

Examination Protocols & Question Formats

The CTPRP examination contains 125 questions worth up to 140 points. Examination questions test domain technical knowledge and the application of that knowledge to Third Party risk situations. The CTPRP examination is a time-limited (3 hours), closed book exam.

The exam is taken online from your computer, and remote proctoring is required to monitor examination compliance. Multiple choice questions are presented using third party risk management scenarios from the Outsourcer's or the Service Provider's point of view. A score of 70% or higher is required to pass the exam. Upon completion of the exam, a survey may be presented to provide feedback on the method of instruction, curriculum, materials, or examination content.

CTPRP Body of Knowledge

I. Third Party Risk Management Foundation

A. Regulatory Drivers for Third Party Risk

B. Information Classification & Data Governance

C. Third Party Risk Management Program Components

II. Third Party Risk Program Management

A. TPRM Program Structure

  • Program governance policies, standards, and procedures

B. TPRM Operations

  • Contract development, adherence and contract management
  • Vendor risk classification
  • Due diligence standards
  • Skills and Expertise
  • Communications and information sharing

C. TPRM Measurements

  • Tools, measurements & analysis
  • Monitoring and review

III. Third Party Risk Control Domains

A. Governance & Risk Management

  • Risk assessment & treatment
  • Information security policy
  • Organizational security
  • Data privacy governance
  • Human resources security
  • Compliance & audit

B. Information Protection

  • Access control
  • End user device security
  • Server security
  • Network security
  • Application security
  • Privacy Data safeguards
  • Cloud security
  • Physical & environmental security

C. IT Operations & Business Resiliency

  • Asset management
  • Operations management
  • Business continuity management
  • Disaster Recovery

D. Security Incident & Threat Management

  • Incident event and communications
  • Threat management
  • Vulnerability program
  • Security awareness

IV. Third Party Risk Assessment Process

A. Phases of an Engagement

B. Assessment Planning & Preparation

C. Assessment Engagement & Communication

D. Post-Assessment Reporting & Remediation


CTPRP Third Party Risk Role Accountabilities

  • Participates in the classification and risk tiering of third parties, including defining the frequency of risk assessments
  • Coordinates the identification, ranking and tracking of third party risks for the organization
  • Defines the due diligence standards based on risk rating or classification to be applied in third party assessments
  • Manages communication plans and escalation plans regarding third party risk governance activities
  • Actively drives coordination and implementation for the overall third party risk management program function within the organization
  • Monitors changes in the regulatory landscape to identify relevant compliance requirements
  • Facilitates the escalation process for management risk acceptance or remediation approvals
  • Partners with lines of business to manage third party risk as defined in contracts and third party policies and procedures
  • Collaborates with internal functions to deploy standard contract provisions for security and privacy requirements
  • Monitors remediation actions and mitigation plans for identified third party risks
  • Defines and tracks third party risk assessment metrics
  • Communicates third party risk requirements to internal stakeholders
  • Negotiates with third parties and business partners to address compliance with risk management policies
  • Coordinates gathering and analysis of risk assessment data for management
  • Maintains third party governance policies, procedures and practices
  • Provides dashboard reporting on third party risk management program activities, results, and outcomes
  • Identifies and implements monitoring functions for critical vendors
  • Supports the vendor due diligence process by ensuring data protection requirements are maintained in contractual relationships
