Domain 5 of 5 · Chapter 3 of 6

Third-Party Risk Management

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing CompTIA Security+ premium course — no separate purchase.

Included in this chapter:

  • The third-party risk lifecycle: assess, select, monitor
  • Agreement types: SLA, MOU, MOA, MSA, WO/SOW, NDA, BPA
  • Exam-pattern recognition: matching activity and document to the scenario

Vendor agreement types: what each defines and whether it binds

Agreement (acronym)What it definesLegally binding?Typical use on the exam
SLA: Service-Level AgreementMeasurable service levels (uptime %, response time) and remedies/penalties for missing themYes (a contract or contract annex)Question asks how to hold a provider to a performance/uptime guarantee
MOU: Memorandum of UnderstandingMutual intent and broad goals between parties; a 'gentlemen's agreement'Generally NOT binding (statement of intent)Two organizations agree to cooperate but without enforceable obligations
MOA: Memorandum of AgreementSpecific roles, responsibilities, and commitments for a defined effortYes, more formal/binding than an MOUParties commit to concrete duties; the binding step beyond an MOU
MSA: Master Service AgreementStanding legal terms governing ALL future engagements between the partiesYes (umbrella contract)Long-term vendor relationship where per-project terms are added later
WO / SOW: Work Order / Statement of WorkThe specific deliverables, tasks, timeline, and scope for one engagementYes (operates under the MSA)Scoping the concrete work that an MSA's umbrella terms cover
NDA: Non-Disclosure AgreementConfidentiality: what information must be protected and not disclosedYes (enforceable confidentiality duty)Sensitive data is shared with a vendor, contractor, or partner
BPA: Business Partners AgreementTerms between business partners: responsibilities, decision rights, profit/loss sharingYes (partnership contract)Two firms enter a joint venture or formal partnership

Decision tree

What is the relationship trying to fix? Measure performance Protect secrets Long-term services Form a partnership SLA uptime %, response time + remedies NDA confidentiality of shared data MSA + WO/SOW umbrella terms + per-project scope BPA partner roles, profit/loss Just a cooperation arrangement — do you need it to be binding? ("statement of intent" vs "formal roles & commitments") Just agree to cooperate No — intent only Yes — binding roles MOU non-binding statement of intent MOA binding roles & commitments Always: assess + due-diligence the vendor BEFORE signing; monitor AFTER

Cheat sheet

  • Outsource the work, never the liability
  • TPRM is a lifecycle: assess, select, agree, then monitor
  • A questionnaire is self-attestation, not verification
  • A right-to-audit clause lets you verify the vendor directly
  • Independent assessment outranks the vendor's own audit
  • Supply chain analysis reaches past the vendor to fourth parties
  • Due diligence vets a vendor before you engage
  • Conflict of interest can bias a vendor selection
  • An SLA defines measurable service levels plus remedies
  • An MOU is a non-binding statement of intent
  • An MOA is the more formal, obligation-bearing cousin of an MOU
  • An MSA sets standing umbrella terms for all future work
  • A WO/SOW scopes one engagement under the MSA
  • An NDA is the confidentiality contract
  • A BPA sets terms between business partners, not buyer and supplier
  • Agreements make expectations enforceable; assessments only inform
  • Vendor monitoring continues after the contract is signed
  • Rules of engagement authorize and bound third-party testing

Unlock with Premium — includes all practice exams and the complete study guide.

Also tested in

References

  1. CompTIA Security+ (SY0-701) certification objectives
  2. Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (SP 800-161 Rev. 1) Whitepaper
  3. Managing the Security of Information Exchanges (SP 800-47 Rev. 1) Whitepaper
  4. Security and Privacy Controls for Information Systems and Organizations (SP 800-53 Rev. 5) Whitepaper