cdpse-d1-management-vendor-and-third-party-management

Vendor and Third-Party Management

isaca-cdpse · framework · Gold standard

Drawn fromCDPSE Review Manual · ISACA peer-reviewed case sets·Reviewed May 5, 2026

How this was built ▾

Every cubelet runs through five agent passes before publishing. Each stage's output is recorded so we can trace how a claim got here.

01 · RESEARCHSource synthesisClaude Haiku
02 · WRITERSix-face draftingClaude Sonnet
03 · EDITORCoherence + clarity passClaude Sonnet
04 · QAQuality gate scoringClaude Opus
05 · PUBLISHERCatalog + graph commitClaude Haiku

This runcourse-factory-pipeline-v1

1

Face 1 of 6 · WHAT

What is Vendor and Third-Party Management

Vendor and Third-Party Management is a structured governance lifecycle for identifying, assessing, contracting with, monitoring, and offboarding external organizations that access, process, store, or transmit an organization's personal data. It ensures that privacy obligations binding the primary organization — under regulation, contract, or policy — flow down to and are enforced against every third party in the data processing chain, including sub-processors. Within the ISACA CDPSE framework (Privacy Governance — Management), it is the operational mechanism by which an organization extends its privacy program beyond its own perimeter to the full ecosystem of vendors, service providers, and partners that touch personal data.

Where it stops · what it isn't

—IS: Pre-onboarding due diligence and risk assessment of vendors, covering privacy controls, security posture, jurisdictional compliance, and data handling practices
—IS: Contractual safeguards including Data Processing Agreements (DPAs), Standard Contractual Clauses (SCCs), Business Associate Agreements (BAAs), and sub-processor consent mechanisms
—IS: Ongoing vendor compliance monitoring through audits, questionnaires, security ratings, and incident notification obligations
—IS: Offboarding procedures covering data return, deletion, and written certification upon contract termination
—IS NOT: General IT procurement or vendor performance management unrelated to personal data handling
—IS NOT: Internal data governance controls applied solely within the organization's own systems
—IS NOT: Cybersecurity vendor management for tools that do not process personal data (e.g., network switches, non-data infrastructure)
—IS NOT: Customer or partner relationship management where personal data is not the primary subject of the relationship

Connected concepts in the graph

Every cubelet sits in a knowledge graph. Here's what this one connects to.

PART OF

Privacy Governance — Management (CDPSE Domain 1)

REQUIRES

Data Inventory and ClassificationPrivacy Risk Assessment

ENABLES

Incident Response and Breach NotificationCross-Border Data Transfer Compliance

RELATED TO

Privacy Roles and ResponsibilitiesPrivacy Program Management

CONSTRAINS

Data Processing Activities (vendor-executed)

Practice this judgment ↗

Adaptive, ~8 min

Sit in the practitioner's chair ↗

Live simulator

06 · APPLYSign up to enter the judgment simulator →

Watch your judgment grow on this concept

Create a free account to unlock all 6 faces, the judgment simulator, and a mastery score that updates with every attempt.