Compliance frameworks
Your organisation and its employees must uphold many forms of compliance. You probably need to comply with relevant legislation (e.g. GDPR), one or more certifications (e.g. ISO 22301), maybe sustainability commitments (e.g. The SDGs from the UN) and any other internal or external standards.
As third parties play an essential part in your compliance environment, the platform contains an advanced framework module to facilitate all your internal and external compliance needs, whatever the type, scope or industry.
Concept
Within the 3rdRisk platform, you can manage (almost) all internal and external requirements throughout your entire internal organisation and supply chain. You no longer need a separate solution for this.
High-level concept of the 3rdRisk frameworks module
1. Identify
First, you need to know which frameworks you have to adhere to, taking into consideration:
- The frameworks that you have to adhere to (including the different types, see the table below)
- The frameworks that you enforce on your third parties

| Source | Type | Explanation | Examples |
| --- | --- | --- | --- |
| Internal | Organisation requirement | Compliance rules and standards do not exclusively come from outside your organisation; you can also set internal standards and rules. | Your standard operating procedures. |
| External | Sustainability requirement | Sustainability criteria are requirements for a product's sustainable quality and production, which must be fulfilled to acquire a sustainability status or certification. | SDGs, Rainforest Alliance, Fair Trade. |
| External | Compliance attestation / certification | A certificate or attestation of compliance is a document that states the fulfilment of a given requirement. It is a formal certification/attestation that declares that an organisation met a set of conditions. | ISO 9001, PCI-DSS, SOC2. |
| External | Regulatory requirement | Every organisation needs to follow the rules and standards set for its industry. These rules are usually defined by government legislation or by proxy via government agencies. | GDPR, HIPAA. |
| External | Ecosystem requirement | Within most ecosystems, especially critical industries, it is essential that consistent standards, policies and processes are applied to a complete supply chain. | The Airbus framework, Unilever Responsible Business Partner Policy. |
| External | Stakeholder requirements / expectation | If you have entered into formal contracts with customers or another third party, the clauses of those contracts can also become requirements that you must adhere to. This can also relate to expectations from specific interest groups, customers or your employees. | Contracts, specific interest group manifests. |
Start simple
The best practice is to start with a limited set of frameworks and first understand the platform. You can always add and update the frameworks at a later stage. You can even do this after a couple of years of usage, as we know every organisation will change over time.
2. Register
After you have (partly) identified all the applicable frameworks, you can easily register them in the 3rdRisk platform.
Within the frameworks module of 3rdRisk, you can:
- Search and adopt known international requirements (e.g. GDPR, ISO 27001, ISO 9001, Privacy Shield etc.) - See the complete available list
- Easily register all other internal and external requirements.
- Define your compliance requirements.
Scope
The organisation model defines the different scopes of an organisation's internal and external requirements.
Example

Example organisation with two requirements
Requirements scope
In the provided example, we have a Finance department that needs to adhere to the SSAE18 (SOC1) and an IT department to the ISO 27001:2013.
Applicability
You can define the applicability per framework. Is it, e.g. only applicable for a specific process, product, location or service?
Stakeholders and interested parties
Per framework, you can define the relevant internal and external parties:
- Publisher of the requirement (e.g. ISO, US Congress)
- Internal owner
- Internal manager / SME
- Involved risk officer
- Other interested parties can be specific interest groups, local regulators, specific clients, and industry groups.
Third-parties & contracts
Understanding which third parties fulfil a role in your compliance landscape is critical. When a third party or contract is added to the platform, the platform automatically lists the applicable frameworks and lets you easily deselect the ones that are not applicable.
Frameworks and third-parties
By defining a framework within your organisation model, the platform will know when a third party might be within the scope of one or more frameworks.

Example organisation with an ISO 27001 requirement (scope = blue coloured)
Associate relevant frameworks with a new third-party or newly added contract. In the example, two third parties with three contracts are active within the ISO 27001 scope. When a new contract is added at the security team level/node, the platform will automatically propose registering this contract within the ISO 27001 scope.
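The scoping logic described above, as an added example that is not 3rdRisk's code: a small organisation model (a tree of nodes), frameworks scoped to nodes, and a contract register. It assumes, as the ISO 27001 / security team example suggests, that a framework scoped to a node also covers every node beneath it, so a contract added to a child node is proposed for the parent's frameworks. All organisation nodes, framework names and third-party names are constructed for the example; the deselection step mirrors the "deselect the ones that are not applicable" behaviour.

```python
from typing import Dict, Iterable, List, Optional, Set

# Constructed organisation model (not 3rdRisk data): child node -> parent node.
# The root node has parent None.
ORG_MODEL: Dict[str, Optional[str]] = {
    "Organisation": None,
    "Finance": "Organisation",
    "IT": "Organisation",
    "Security team": "IT",
    "Infrastructure": "IT",
}

# Constructed framework catalogue: framework name -> nodes selected as its scope.
FRAMEWORK_SCOPE: Dict[str, Set[str]] = {
    "SSAE18 (SOC1)": {"Finance"},
    "ISO 27001:2013": {"IT"},
}

# Constructed contract register: (third party, contract id, node the contract is attached to).
CONTRACTS = [
    ("Cloud Hosting Ltd", "C-001", "Infrastructure"),
    ("Cloud Hosting Ltd", "C-002", "Security team"),
    ("Pentest Partners BV", "C-003", "Security team"),
    ("Payroll Services NV", "C-004", "Finance"),
]


def ancestors(node: str, org_model: Dict[str, Optional[str]] = ORG_MODEL) -> List[str]:
    """Return `node` followed by its ancestors up to the root.

    Raises KeyError when the node is not part of the organisation model,
    so a typo in a node name fails loudly instead of silently scoping nothing.
    """
    chain: List[str] = []
    current: Optional[str] = node
    while current is not None:
        chain.append(current)
        current = org_model[current]
    return chain


def proposed_frameworks(
    node: str,
    framework_scope: Dict[str, Set[str]] = FRAMEWORK_SCOPE,
    org_model: Dict[str, Optional[str]] = ORG_MODEL,
) -> List[str]:
    """Frameworks whose scope covers `node`.

    Assumption (not stated by the page): a framework scoped to a node applies to
    that node and all of its descendants, so we match on the node's lineage.
    """
    lineage = set(ancestors(node, org_model))
    return sorted(fw for fw, scope in framework_scope.items() if scope & lineage)


def register_contract(third_party: str, contract_id: str, node: str,
                      deselected: Iterable[str] = ()) -> dict:
    """Register a contract: propose the applicable frameworks, then drop the ones
    the user deselected. Deselecting something that was never proposed is rejected,
    which keeps the audit trail of 'why is this contract out of scope' honest."""
    deselected_set = set(deselected)
    proposed = proposed_frameworks(node)
    unknown = deselected_set - set(proposed)
    if unknown:
        raise ValueError(f"cannot deselect frameworks that were not proposed: {sorted(unknown)}")
    return {
        "third_party": third_party,
        "contract_id": contract_id,
        "node": node,
        "frameworks": [fw for fw in proposed if fw not in deselected_set],
    }


def in_scope(framework: str, contracts=CONTRACTS) -> dict:
    """Third parties and contracts that fall within a framework's scope
    (the 'two third parties with three contracts' view from the example)."""
    parties: Set[str] = set()
    contract_ids: List[str] = []
    for party, contract_id, node in contracts:
        if framework in proposed_frameworks(node):
            parties.add(party)
            contract_ids.append(contract_id)
    return {"third_parties": sorted(parties), "contracts": contract_ids}


if __name__ == "__main__":
    # A new contract at the security team node is proposed for ISO 27001.
    print(proposed_frameworks("Security team"))  # ['ISO 27001:2013']
    print(register_contract("Pentest Partners BV", "C-005", "Security team"))
    print(in_scope("ISO 27001:2013"))
```

With the constructed data, `in_scope("ISO 27001:2013")` reports two third parties and three contracts, matching the page's example; a contract attached to the root node is proposed for nothing, because no framework is scoped there.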
3. Monitor & respond
During the life cycle of a requirement, you can monitor the third parties in scope by performing periodic assessments. Per requirement, you can define specific assessment templates, e.g. per type of service, geographical location, and language.
Assessment template per requirement
Per requirement, you can link multiple questionnaire templates.
One requirement can have multiple questionnaire templates.
You can upload your assessment templates or download one from the 3rdRisk platform store.
Performing an assessment
When initiating an assessment for a third party, the system will automatically list the applicable frameworks, and you can easily include the relevant controls and questionnaires in your assessment.
4. Reporting
The platform provides advanced and dynamic dashboards that give you continuous, real-time insight into your compliance landscape.
Add a framework
To create a new requirement within the platform:
- Navigate to: Left side menu: Frameworks
- Click on [+ Add framework or section]
- Provide the required details:
| Field | Known requirement on the 3rdRisk platform | Explanation |
| --- | --- | --- |
| Name * | x | Name of the framework. If the framework is already known on the platform (requirements listed with the green 3rdRisk logo - in the above example: ISO/IEC 27001), you can simply click on the provided entry and the platform will auto-fill the specific details (see the second column). You can reset the search by clicking on the blue reset icon. |
| Added to the platform by | x | This read-only field is only visible when you are adding a known framework. It provides the name of the organisation that added this framework to the platform. |
| Description * | x | This field is read-only when you are adding a known framework. Free-format text box to provide some additional context for this framework. |
| Type * | x | This field is read-only when you are adding a known framework. Dropdown field with the different framework types (see the requirement types table above). |
| Publisher * | x | This field is read-only when you are adding a known framework. The organisation or author that published this framework. |
| Framework scope * | | With your organisation model, you define the scope of this framework: you can select one or multiple elements/nodes in your organisation model. To deselect, select the element again. |
| Framework applicability | | Explanatory field to define the applicability of this framework. Define whether it is, e.g., applicable to a particular type of product, service or geographical location. |
| Interested parties | | Define the involved, interested parties, e.g. governments, industry groups and NGOs. |
| Framework manager * | | This colleague provides day-to-day support and implementation advice related to this framework. |
| Framework owner | | From a management perspective, the colleague ultimately responsible for this framework's timely and effective implementation. |
| Risk officer * | | The responsible risk officer for this framework. Only platform users with the risk officer or risk manager role can be selected. |
| Tags | | The tags functionality lets you assign specific/internal labels to a framework. You can search, filter and create specific reports based on these tags. E.g. if you want to register all stakeholder frameworks that are also part of your ISO 27001 ISMS, you can add a tag named "ISMS" to these frameworks. At a later stage, you can effortlessly search and export all stakeholder needs & expectations for your auditors. Use the tab key on your keyboard to add multiple tags. |
| Add to your 3rdRisk organisation profile * | | If this is a framework that your clients and partners can also leverage, you can easily add it to your 3rdRisk organisation profile. We will add the following fields: framework name, framework description, framework type, publisher, scope and applicability. |
| Discoverable * | | If this is a general framework or an ecosystem framework, you can easily add it to the 3rdRisk platform so that other organisations can search for and adopt it in their frameworks module. We will add the following fields: framework name, description, type and publisher. |

* Required field
- Click on [Add framework], and the framework is added to your framework catalogue.
Update a framework
To update a framework on the platform:
- Navigate to: Left side menu: Frameworks
- Search for the applicable framework you would like to update
- Click on the sub-menu in the 'Actions' column and click 'Edit framework'
- Update the framework and click on [Edit framework].
Remove a framework
To remove a framework on the platform:
- Navigate to: Left side menu: Frameworks
- Search for the applicable compliance framework you would like to remove
- Click on the sub-menu in the 'Actions' column and click 'Edit framework'
- Click on the red coloured [Delete].
Known module limitations
- You cannot add your own compliance types - please register any ideas at support@3rdRisk.com.
- The 3rdRisk organisation profile is not yet implemented and available, but the choices you make, e.g. by selecting that you want specific frameworks to be published on your profile, are stored and will be processed once the profile functionality is available.