TPRM Consultant

5-10 years experience

AI Summary

Develop and operate an end-to-end Third-Party Risk Management (TPRM) program, including onboarding, risk assessments, and performance monitoring. Support ISO 27001 audit readiness and maintain vendor risk registers and compliance documentation.

JOB SUMMARY

We're looking for a TPRM Consultant with strong Governance, Risk, and Compliance (GRC) experience to support vendor oversight and information security compliance initiatives, including ISO 27001 audit readiness and ISMS certification. The consultant will build and operate the organization's vendor/third-party risk management program on an ongoing, hourly contract basis. This is a project-based engagement focused on strengthening vendor risk management practices and preparing the organization for certification.

JOB RESPONSIBILITIES

  • Develop and build an end-to-end TPRM Program - onboarding, risk assessments, performance monitoring, and offboarding
  • Support ISO 27001 audit readiness activities, including gap assessments and remediation tracking as needed.
  • Assess third-party/vendor risk exposure and ensure compliance with security and regulatory requirements.
  • Coordinate with internal stakeholders (IT, Legal, Security, Procurement) to align the TPRM Program with existing frameworks
  • Develop and build the vendor risk registers, compliance trackers, and audit documentation as the single source of truth, keeping it current and audit-ready
  • Support internal and external audits, liaising with certification bodies as needed
  • Design the TPRM policy, procedure, and risk-tiering methodology (critical/high/medium/low based on data access, business impact, and regulatory exposure)
  • Build vendor risk assessment templates (SIG/CAIQ-aligned questionnaires, DPIA triggers for vendors processing personal data)
  • Establish the vendor inventory/register and define onboarding, monitoring, and offboarding workflows
  • Recommend standard security/privacy contract clauses and Data Processing Agreement (DPA) templates for Legal and Procurement to adopt
  • Own and execute the full vendor risk assessment lifecycle across all tiers on the defined cadence (e.g., annual for critical, biennial for lower risk)
  • Continuously monitor vendor risk posture (security ratings platforms, incident tracking, contract or scope changes) and reassess as needed
  • Coordinate with Legal/Procurement on contract renewals, DPA updates, and sub-processor changes
  • Support internal and external audits (ISO 27001, customer security reviews) with TPRM evidence and documentation
  • Prepare and present vendor risk metrics, top risks, and program status to leadership/risk committee on a regular cadence (e.g., monthly or quarterly)
  • Provide guidance and light training to internal stakeholders (Procurement, business owners) on TPRM policy and process
  • Develop the SOP for managing vendor offboarding, including secure data return/destruction confirmation and access revocation tracking
  • Periodically refine the program (policy updates, template improvements, tooling optimization) as the vendor landscape and regulatory environment evolve
  • Reduce weekly hours once the vendor register is complete and the first full assessment cycle has closed, in agreement with the organization

QUALIFICATIONS

  • Proven experience in Vendor/Third-Party Risk Management
  • Solid background in GRC frameworks and practices
  • Experience preparing organizations for ISMS certification and hands-on experience with ISO 27001 auditing (internal or external)
  • Familiarity with risk assessment methodologies and compliance reporting
  • Strong stakeholder management and cross-functional coordination skills
  • Strong working knowledge of ISO 27001, SOC 2, NIST CSF/800-53, GDPR (Art. 28, 32), and CCPA
  • Hands-on experience reviewing SOC 2 reports, ISO certificates, penetration test results, and vendor security questionnaires (SIG, CAIQ)
  • Experience drafting or advising on DPAs, security addenda, and sub-processor clauses
  • Comfortable operating as the embedded/de facto TPRM function — proactive, autonomous, and reliable on a recurring cadence rather than a one-time deliverable
  • Strong written and verbal communication skills, including presenting to executive stakeholders
  • Available for a sustained, ongoing commitment: 15–20 hours/week during the build phase, reducing thereafter

NICE TO HAVE

  • Certifications: CTPRP (Certified Third-Party Risk Professional), CISSP, CISA, CRISC, or CIPP/E
  • Prior experience serving as an embedded or fractional TPRM/GRC consultant for one or more organizations concurrently
  • Familiarity with security ratings platforms (BitSight, SecurityScorecard, UpGuard)
  • Industry vertical experience matching the organization (financial services, healthcare, SaaS, etc.)
  • Experience mentoring and eventually transitioning the function to an internal hire, as needed
  • ISO 27001 Lead Auditor / Lead Implementer certification
  • Experience in tech/IT services or BPO industry
  • Exposure to other frameworks (SOC 2, NIST, GDPR)
