Third-Party Risk Management
Unlock the complete study guide + 1,040 practice questions across 16 full exams.
Bundled into the existing CompTIA Security+ premium course — no separate purchase.
Included in this chapter:
- The third-party risk lifecycle: assess, select, monitor
- Agreement types: SLA, MOU, MOA, MSA, WO/SOW, NDA, BPA
- Exam-pattern recognition: matching activity and document to the scenario
Vendor agreement types: what each defines and whether it binds
| Agreement (acronym) | What it defines | Legally binding? | Typical use on the exam |
|---|---|---|---|
| SLA: Service-Level Agreement | Measurable service levels (uptime %, response time) and remedies/penalties for missing them | Yes (a contract or contract annex) | Question asks how to hold a provider to a performance/uptime guarantee |
| MOU: Memorandum of Understanding | Mutual intent and broad goals between parties; a 'gentlemen's agreement' | Generally NOT binding (statement of intent) | Two organizations agree to cooperate but without enforceable obligations |
| MOA: Memorandum of Agreement | Specific roles, responsibilities, and commitments for a defined effort | Yes, more formal/binding than an MOU | Parties commit to concrete duties; the binding step beyond an MOU |
| MSA: Master Service Agreement | Standing legal terms governing ALL future engagements between the parties | Yes (umbrella contract) | Long-term vendor relationship where per-project terms are added later |
| WO / SOW: Work Order / Statement of Work | The specific deliverables, tasks, timeline, and scope for one engagement | Yes (operates under the MSA) | Scoping the concrete work that an MSA's umbrella terms cover |
| NDA: Non-Disclosure Agreement | Confidentiality: what information must be protected and not disclosed | Yes (enforceable confidentiality duty) | Sensitive data is shared with a vendor, contractor, or partner |
| BPA: Business Partners Agreement | Terms between business partners: responsibilities, decision rights, profit/loss sharing | Yes (partnership contract) | Two firms enter a joint venture or formal partnership |
Decision tree
Cheat sheet
Unlock with Premium — includes all practice exams and the complete study guide.
Also tested in
References
- CompTIA Security+ (SY0-701) certification objectives
- Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (SP 800-161 Rev. 1) Whitepaper
- Managing the Security of Information Exchanges (SP 800-47 Rev. 1) Whitepaper
- Security and Privacy Controls for Information Systems and Organizations (SP 800-53 Rev. 5) Whitepaper