Third-Party Risk Management in 2025: UK Compliance, DORA, GDPR & ISO Best Practices

Introduction

In 2024, 35.5% of all data breaches originated from third-party vendors, marking a 6.5 percentage-point increase from 2023. Additionally, 41.4% of ransomware attacks involved third-party access. These figures highlight why Third-Party Risk Management (TPRM) must be a strategic priority for organisations in 2026.

Why This Matters

Attackers increasingly exploit vendor relationships to scale their reach: one compromised supplier can impact multiple organisations. Regulators and insurers are moving away from annual questionnaires toward continuous, real-time oversight.

Regulatory & Insurance Drivers

Every supplier with system or data access is a potential threat vector. The ENISA Threat Landscape 2024 identifies supply chain attacks as one of the EU’s top seven threats, emphasising their growing prevalence.

Key regulatory mandates:

  • UK GDPR / EU GDPR (Art. 28): Controllers must only engage processors offering “sufficient guarantees,” with contracts covering security measures, sub-processor controls, audit rights, and data deletion.
  • ISO/IEC 27001:2022 (Annex A.5.19): Requires supplier risk management, due diligence, contractual obligations, and ongoing monitoring.
  • PCI DSS v4 (Req. 12.8): Mandates documented oversight of third-party service providers, including responsibility matrices and annual compliance checks.
  • DORA (EU Financial Sector): Effective January 2025, requires ICT provider registers, contractual security clauses, risk assessments for critical suppliers, and continuous monitoring.

Cyber insurance expectations:

Underwriters now demand evidence of continuous vendor monitoring, strong access controls, documented TPRM processes, contingency planning, and aggregation risk assessments.

But what should my organisation do to mitigate this risk?

Step 1: Identify and Decommission Inactive Suppliers

  • Define “active”: Any supplier listed on your P&L or with system/data access.
  • Risk rationale: Forgotten suppliers pose significant risk, especially via file-transfer and remote-access tools, which were heavily exploited in 2024. [digit.fyi]

Actions:

  • Reconcile supplier data across Finance, IT (IdP/SSO, VPN, PAM), and Data Protection records to build a single, live inventory. For DORA scope, map to the register of information.
  • Decommission access immediately for inactive suppliers; document all deprovisioning aligned with ISO 27001 A.5.19 and PCI Req. 12.8.
  • Freeze billing for deactivated suppliers and document any exceptions.
  • Maintain records (deprovisioning logs, contract termination papers, updated supplier registers); these are critical for insurance and audit review.

Tip: Maintain a mapping of suppliers to their data/system access via identity groups (e.g., Azure AD, Okta) to support rapid offboarding and GDPR Art. 28 compliance. 
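One way to carry out the reconciliation and offboarding checks in Step 1, as an added example that is not part of the original article: three constructed record sets (P&L vendors, identity groups granting access, the Art. 28 processor register) are merged into one inventory and the gaps the step targets are flagged. The supplier names, group names and field names are assumptions.

```python
from dataclasses import dataclass, field

# Constructed sample records (not real suppliers). Sources: Finance P&L vendor
# list, IT identity groups (IdP/SSO, VPN, PAM) and the Art. 28 processor register.
FINANCE_PL = {"Acme Payroll Ltd", "Cloudy Hosting", "Old Print Co"}
IDENTITY_GROUPS = {
    "sftp-partners": {"Acme Payroll Ltd", "Legacy Transfer Inc"},
    "vpn-vendors": {"Cloudy Hosting", "Legacy Transfer Inc"},
    "pam-contractors": {"Cloudy Hosting"},
}
PROCESSOR_REGISTER = {"Acme Payroll Ltd", "Cloudy Hosting"}

@dataclass
class Supplier:
    name: str
    on_pl: bool                                 # appears on the P&L
    groups: list = field(default_factory=list)  # identity groups granting access
    has_dpa: bool = False                       # listed in the processor register

    @property
    def active(self) -> bool:
        # The article's definition: on the P&L or holding system/data access.
        return self.on_pl or bool(self.groups)

def build_inventory(finance, identity_groups, register) -> dict:
    """Merge the three sources into one live inventory keyed by supplier name."""
    names = set(finance) | set(register)
    for members in identity_groups.values():
        names |= members
    return {
        n: Supplier(n, n in finance,
                    sorted(g for g, m in identity_groups.items() if n in m),
                    n in register)
        for n in sorted(names)
    }

def review_findings(inventory: dict) -> dict:
    """Flag the conditions Step 1 asks you to act on."""
    recs = list(inventory.values())
    return {
        # Holds access but is not billed: a forgotten supplier; remove these groups.
        "access_not_billed": {s.name: s.groups for s in recs if s.groups and not s.on_pl},
        # Holds access with no DPA on file: a GDPR Art. 28 gap to close.
        "access_without_dpa": [s.name for s in recs if s.groups and not s.has_dpa],
        # Billed with no recorded access: confirm the service is used or freeze billing.
        "billed_no_access": [s.name for s in recs if s.on_pl and not s.groups],
    }
```

The `access_not_billed` entry lists exactly the identity groups to remove, which doubles as the deprovisioning record the step asks you to keep.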

Step 2: Categorise and Prioritise Suppliers (Risk-Based)

Assess vendors using clear criteria:

  • Data type accessed: e.g., commercial, Personal Data, PCI, IP.
  • Systems used: identity, cloud, production, OT, etc.
  • Regulatory exposure: GDPR processor, PCI TPSP, DORA ICT provider. 
  • Operational criticality: business continuity impacts (aligns with DORA “critical/important”).
  • Spend: useful for categorisation, but not a proxy for risk.

Risk tiers: High / Medium / Low based on data sensitivity, system importance, threat exposure, and vendor control maturity.

  • Standards alignment: ISO 27001 A.5.19 and NIST SP 800-161 endorse risk-proportional due diligence.
  • PCI compliance: requires TPSPs to have clear responsibility delineation.

Step 3: Sweep and Risk-Score Suppliers

Create an Impact × Likelihood matrix for vendor risk:

  • Impact factors: Data sensitivity (special categories, PCI), system criticality, regulatory exposure (e.g., DORA, or the SEC, which is not directly relevant to UK-only organisations).
  • Likelihood factors: Technology exposure, breach history, MFA status, fourth-party dependencies.
  • Compensating controls: network segmentation, encryption, exit planning.
  • Real-time signals: vulnerability disclosures, TLS certificate expiry, credential leaks; underwriters prioritise ongoing monitoring of these.
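A worked Impact × Likelihood scorer for the matrix above, added here as an example and not part of the original article. The article names the factors but fixes no weights, so the 1 to 3 scales, the rule that only the full set of compensating controls lowers impact, the driver counting for likelihood, and the rule that a live signal overrides the estimated likelihood are all assumptions of this example; the sample vendors are constructed.

```python
from dataclasses import dataclass, field

# Scales are assumptions for this example; each axis runs 1 (low) to 3 (high).
DATA_SENSITIVITY = {"commercial": 1, "personal": 2, "special_category": 3, "pci": 3}
SYSTEM_CRITICALITY = {"peripheral": 1, "supporting": 2, "production": 3}
REGULATORY_EXPOSURE = {"none": 1, "gdpr_processor": 2, "pci_tpsp": 3, "dora_ict": 3}
COMPENSATING = {"segmentation", "encryption", "exit_plan"}

@dataclass
class Vendor:
    name: str
    data: str                 # impact: data type accessed
    system: str               # impact: system criticality
    regulatory: str           # impact: regulatory exposure
    internet_facing: bool     # likelihood: technology exposure
    prior_breach: bool        # likelihood: breach history
    mfa: bool                 # likelihood: MFA status
    fourth_parties: int       # likelihood: known fourth-party dependencies
    controls: set = field(default_factory=set)  # subset of COMPENSATING
    signals: set = field(default_factory=set)   # live signals, e.g. "credential_leak"

def impact_score(v: Vendor) -> int:
    raw = max(DATA_SENSITIVITY[v.data], SYSTEM_CRITICALITY[v.system],
              REGULATORY_EXPOSURE[v.regulatory])
    # Only the full set of compensating controls earns a one-level reduction.
    return max(1, raw - 1) if COMPENSATING <= v.controls else raw

def likelihood_score(v: Vendor) -> int:
    drivers = sum([v.internet_facing, v.prior_breach, not v.mfa, v.fourth_parties > 3])
    base = min(3, 1 + drivers // 2)  # 0-1 drivers -> 1, 2-3 -> 2, 4 -> 3
    # A live signal is evidence rather than an estimate: it overrides the base.
    return 3 if v.signals else base

def risk_tier(v: Vendor) -> tuple:
    """Impact x Likelihood (1..9) mapped to the article's High/Medium/Low tiers."""
    score = impact_score(v) * likelihood_score(v)
    return score, ("High" if score >= 6 else "Medium" if score >= 3 else "Low")

# Constructed sample vendors (not real suppliers).
PAYROLL = Vendor("Acme Payroll", "special_category", "supporting", "gdpr_processor",
                 internet_facing=True, prior_breach=False, mfa=True, fourth_parties=2,
                 controls={"encryption", "exit_plan"})
FILE_TRANSFER = Vendor("Legacy Transfer", "pci", "production", "pci_tpsp",
                       internet_facing=True, prior_breach=True, mfa=False,
                       fourth_parties=5)
```

Re-running `risk_tier` on the payroll vendor with `signals={"credential_leak"}` moves it from Medium to High, which is the re-tiering continuous monitoring is meant to trigger.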

Tooling:

  • Small-scale: Excel or Sheets with vendor metadata aligned to ISO A.5.19 and GDPR Art. 28. 
  • Enterprise-scale: GRC/TPRM platforms for DDQs, evidence management, and continuous monitoring.

Step 4: Due Diligence That Reduces Risk

Apply due diligence based on risk tier:

  • High-risk vendors: Require SOC 2 Type II or ISO 27001 certificate + Statement of Applicability; UK/EU GDPR Art. 28 DPA; sub-processor notifications; secure SDLC; pen-test reports; MFA/SSO; incident response SLAs.
  • PCI TPSPs: Obtain current PCI DSS AOC/ROC and evidence of compliance with Req. 12.8 oversight.
  • DORA ICT providers: Contracts must include audit rights, exit clauses, incident notification, register data, and service location details.
  • Personal data processors: Enforce Art. 28 clauses: confidentiality, TOMs (Art. 32), assistance with data subject rights, data return or deletion, sub-processor approvals, audit rights.

Insurer context: Continuous evidence of due diligence, not just paperwork, is essential for coverage and claims.

If you would like to learn more about how GRC Hub can support your Third Party Risk Management programme, contact us.


Governance Risk & Compliance Hub LIMITED