TPRM Consultant
from đľđ Philippines
JOB SUMMARY
We're looking for a TPRM Consultant with strong Governance, Risk, and Compliance (GRC) experience to support vendor oversight and information security compliance initiatives, including ISO 27001 audit readiness and ISMS certification. Â This consultant will build and operate its vendor/third-party risk management program on an ongoing, hourly contract basis. This is a project-based engagement focused on strengthening vendor risk management practices and preparing the organization for certification.
Â
JOB RESPONSIBILITIES
- Develop and build an end-to-end TPRM Program - onboarding, risk assessments, performance monitoring, and offboarding
- Support ISO 27001 audit readiness activities, including gap assessments and remediation tracking as needed.
- Assess third-party/vendor risk exposure and ensure compliance with security and regulatory requirements.
- Coordinate with internal stakeholders (IT, Legal, Security, Procurement) to align the TPRM Program with existing frameworks
- Develop and build the vendor risk registers, compliance trackers, and audit documentation as the single source of truth, keeping it current and audit-ready
- Support internal and external audits, liaising with certification bodies as needed
- Design the TPRM policy, procedure, and risk-tiering methodology (critical/high/medium/low based on data access, business impact, and regulatory exposure)
- Build vendor risk assessment templates (SIG/CAIQ-aligned questionnaires, DPIA triggers for vendors processing personal data)
- Establish the vendor inventory/register and define onboarding, monitoring, and offboarding workflows
- Recommend standard security/privacy contract clauses and Data Processing Agreement (DPA) templates for Legal and Procurement to adopt
- Own and execute the full vendor risk assessment lifecycle across all tiers on the defined cadence (e.g., annual for critical, biennial for lower risk)
- Continuously monitor vendor risk posture (security ratings platforms, incident tracking, contract or scope changes) and reassess as needed
- Coordinate with Legal/Procurement on contract renewals, DPA updates, and sub processor changes
- Support internal and external audits (ISO 27001, customer security reviews) with TPRM evidence and documentation
- Prepare and present vendor risk metrics, top risks, and program status to leadership/risk committee on a regular cadence (e.g., monthly or quarterly)
- Provide guidance and light training to internal stakeholders (Procurement, business owners) on TPRM policy and process
- Develop the SOP for managing vendor offboarding, including secure data return/destruction confirmation and access revocation tracking
- Periodically refine the program (policy updates, template improvements, tooling optimization) as the vendor landscape and regulatory environment evolve
- Reduce weekly hours once the vendor register is complete and the first full assessment cycle has closed, in agreement with the organization
QUALIFICATIONS
- Proven experience in Vendor/Third-Party Risk Management
- Solid background in GRC frameworks and practices
- Experience preparing organizations for ISMS certification and Hands-on experience with ISO 27001 auditing (internal or external)
- Familiarity with risk assessment methodologies and compliance reporting
- Strong stakeholder management and cross-functional coordination skills
- Strong working knowledge of ISO 27001, SOC 2, NIST CSF/800-53, GDPR (Art. 28, 32), and CCPA
- Hands-on experience reviewing SOC 2 reports, ISO certificates, penetration test results, and vendor security questionnaires (SIG, CAIQ)
- Experience drafting or advising on DPAs, security addenda, and sub-processor clauses
- Comfortable operating as the embedded/de facto TPRM function â proactive, autonomous, and reliable on a recurring cadence rather than a one-time deliverable
- Strong written and verbal communication skills, including presenting to executive stakeholders
- Available for a sustained, ongoing commitment: 15â20 hours/week during the build phase, reducing thereafter
Â
NICE TO HAVE:
- Certifications: CTPRP (Certified Third-Party Risk Professional), CISSP, CISA, CRISC, or CIPP/E
- Prior experience serving as an embedded or fractional TPRM/GRC consultant for one or more organizations concurrently
- Familiarity with security ratings platforms (BitSight, Security Scorecard, UpGuard)
- Industry vertical experience matching the organization (financial services, healthcare, SaaS, etc.)
- Experience mentoring and eventually transitioning the function to an internal hire, as needed
- ISO 27001 Lead Auditor / Lead Implementer certification
- Experience in tech/IT services or BPO industry
- Exposure to other frameworks (SOC 2, NIST, GDPR)
Â







