Resource Kit: TPRM with UpGuard

Overview

This resource kit covers the end-to-end TPRM workflow in UpGuard — from understanding third-party risk management fundamentals to onboarding vendors, running evaluations, and managing risk on an ongoing basis.

Use it as a starting point if you're building out your TPRM program, or as a reference when you need to go deeper on a specific workflow. The resources are organized by stage — work through them in order, or jump to the section you need.

Understanding TPRM

| Resource | Description |
| --- | --- |
| A complete guide to third-party risk management | New to TPRM or building out your program? This eBook covers the fundamentals — what third-party risk management is, how it differs from VRM, the 5-stage TPRM lifecycle, and how to integrate a TPRM program with your existing cybersecurity framework. |
| TPCRM policy template | A ready-to-customise Third-Party Cyber Risk Management policy covering the full vendor lifecycle — from program setup and due diligence through ongoing monitoring and offboarding. Fill in your company details and risk thresholds to have a policy that's ready to publish. |
| Webinar: vendor risk in 3 easy steps | A one-hour interactive workshop walking through vendor risk management in three steps: setting up your organizational structure (tiers, portfolios, labels, custom attributes), monitoring vendors and adding evidence in the Security Profile, and running an AI-powered assessment. Designed for customers who want to build a scalable TPRM foundation from the ground up. |

Vendor onboarding and organization

| Resource | Description |
| --- | --- |
| Resource kit: vendor onboarding requests | Vendor onboarding is a crucial topic. It’s so important we created a resource kit dedicated just to vendor onboarding. You’ll find everything vendor-onboarding related here. |
| Monitor a new vendor | Step-by-step instructions for adding a vendor to UpGuard Vendor Risk. |
| Manage and classify your vendors (tiers, portfolios, labels, custom attributes) | An overview of the four vendor classification tools in UpGuard's Vendor Risk — what each one does, when to use it, and how they work together to keep your vendor management workflows organized and efficient. |
| Portfolios | Create and manage portfolios in UpGuard's Vendor Risk — including adding vendors, filtering views and reports by portfolio, controlling which users can see which vendors, and setting up portfolio-specific notifications. |

Vendor evaluations and assessments

| Resource | Description |
| --- | --- |
| Vendor evaluation process | An end-to-end overview of how Security Profile evaluations work — from tiering a vendor and adding evidence, to reviewing controls, making a risk decision, and running an AI assessment. |
| Vendor Risk guide 3: evaluate and assess | End-to-end guide for evaluating vendors using UpGuard's assessment tools. |
| Vendor Risk: security profile overview | Overview of the AI-powered Security Profile and how to use it to assess vendors. |
| Vendor Risk security profile: control templates | What Security Profile control templates are and how to work with them. Covers the six pre-built templates, how tier defaults work, and how to create or customize your own template. |
| Gap questionnaire | How to use the gap questionnaire to identify missing controls in a vendor's security posture. |
| Complete a traditional risk assessment | Step-by-step instructions for completing a traditional risk assessment — covering evidence selection, risk management (remediation, waivers, comments), assessment commentary, and setting a reassessment date. |

Monitoring and ongoing risk management

| Resource | Description |
| --- | --- |
| Portfolio risk profile | An overview of the Portfolio Risk Profile — a cross-vendor view of all identified risks, sorted by severity, showing how many vendors are affected by each finding and enabling bulk remediation or waivers from one place. |
| View the changes in a vendor's attack surface over time | How to track a vendor's risk profile evolution over time — useful for flagging vendors whose posture is deteriorating. |
| Request remediation from a vendor | Send vendors formal remediation requests for identified risks — covers selecting risks from the Risk Profile or Remediation section, setting recipients and due dates, and tracking request status. |
| Use vendor risk waivers | Step-by-step for creating and applying risk waivers to accepted risks. |
| Create custom notifications | How admins can create notification rules so users are alerted to the risk events that matter most to them. |
| Set up notifications for changes to Trust Centers | How to get notified when a vendor's Trust Center content changes. |
| Fourth Parties Module Overview | An overview of fourth-party risk — monitoring the vendors your vendors use. |