PowerExams Prepare. Practice. Pass.

CIS-TPRM Study Guide — ServiceNow Certified Implementation Specialist, Third-party Risk Management

Trademark disclaimer. ServiceNow, Now Platform, and all related product and release names (e.g., Vendor Risk Management, Third-party Risk Management, Smart Assessment Engine, Integrated Risk Management, CMDB) are trademarks or registered trademarks of ServiceNow, Inc. BitSight, SecurityScorecard, RiskRecon, Interos, EcoVadis, and Dun & Bradstreet are trademarks of their respective owners. This is an independent, original study aid for exam preparation. It is not affiliated with, endorsed by, or sponsored by ServiceNow, Inc. All prose is original and written for learning purposes.

Exam-code note (READ FIRST — FLAG). ServiceNow publishes this certification as CIS-VRM (Certified Implementation Specialist — Vendor Risk Management) in some catalogs, while the underlying product was renamed from Vendor Risk Management (VRM) to Third-party Risk Management (TPRM) beginning with the Vancouver release (~August 2023). This guide uses CIS-TPRM per the blueprint and treats VRM and TPRM as the same product line. On the live exam and in docs you will see both names; doc URL paths still contain grc-vendor-risk, and the workspace is still often called the Vendor Risk Management Workspace. Treat "VRM" and "TPRM" as interchangeable unless a question hinges on the rebrand.

Exam at a glance: 60 questions, 90 minutes; multiple choice (single answer) and multiple select. Seven weighted domains. This guide is ordered by exam weight, heaviest first, so your study time tracks the question count.

#   Domain                            Weight
3   Assessment Configuration          25%
1   VRM Fundamentals and Review       24%
5   Vendor Portal Configuration       15%
2   Core Configuration                13%
4   Risk Issues and Processes         13%
6   Other Application Relationships    5%
7   Dashboards and Reports             5%

Domain 3 — Assessment Configuration (25%)

This is the single heaviest domain. Master how assessments are built, generated, scored, and progressed through their life cycle.

Building blocks: templates, questionnaires, document requests

An assessment in TPRM combines two collection mechanisms: questionnaires (sets of questions the third party answers) and document requests (artifacts such as SOC 2 reports or certifications the third party uploads). Both feed the score.

Assessment templates are reusable containers that bundle the questionnaires, document requests, and scoring rules to apply for a given situation. Because they are reusable, a template can be triggered repeatedly as a third party's risk tier or responses change, without rebuilding the assessment each time. Questionnaire and document-request templates are themselves managed objects (created/edited by the Third-Party Risk Admin role).

TPRM supports industry-standard questionnaires, notably the SIG (Standardized Information Gathering) questionnaire from Shared Assessments, so organizations can assess vendors consistently and at scale rather than authoring every question from scratch.

Risk areas (risk domains) and weighting

Assessments are organized by risk area / risk domain. Out-of-the-box areas include security risk, privacy and data protection, regulatory/compliance, financial risk, operational risk, business continuity, and resilience. Each risk area is assigned a weight and a scoring method. The weight is a numeric value expressing the relative importance of that area — a higher weight means that area contributes more to the overall rating. This is how an implementer makes, say, security risk matter more than operational risk for a critical SaaS vendor.

Scoring and rating calculations (classic engine)

Under the classic assessment engine, the assessment rating is calculated by averaging the questionnaire and document-request scores within each risk area, then multiplying by that risk area's weight. A normalized value is derived by multiplying a category's rating by its weight, which standardizes comparison across categories of differing weight.

The resulting risk score is mapped to a band using a risk rating scale. The default scale takes a score on a 0–100 range and maps it to a five-tier band: 1 – Very High, 2 – High, 3 – Medium, 4 – Low, 5 – Very Low. The default scoring rule relies on "default risk criteria" and "default component criteria" (the default component criteria consider only third-party risk assessment results). Implementers can configure these rating scales and scoring rules.

Watch the direction of the scale. A low number (1) means higher risk (Very High), and a high number (5) means lower risk (Very Low). Exam items like to invert this.
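To make the classic-engine arithmetic and the scale direction concrete, here is an added worked example in plain JavaScript (the Now Platform's server-side scripting language). It is illustrative code written for this guide, not ServiceNow's implementation: the per-area average, the rating × weight normalized value, and the five-band scale labels come from the text above, while the band thresholds, the assumption that a higher 0–100 score means lower risk, the weighted-mean roll-up across areas, and all function names and sample scores are constructed for illustration.

```javascript
// Added example (not ServiceNow code): a plain-JavaScript model of the classic
// assessment-engine calculation as described in this guide. The band
// thresholds, the "higher score = lower risk" direction and the weighted-mean
// roll-up across areas are assumptions made for illustration.

// Assumed rating scale: a 0-100 score mapped to the five bands named in the
// guide. Thresholds are constructed, not ServiceNow defaults.
const DEFAULT_RISK_RATING_SCALE = [
  { band: 1, label: "Very High", min: 0,  max: 20 },
  { band: 2, label: "High",      min: 21, max: 40 },
  { band: 3, label: "Medium",    min: 41, max: 60 },
  { band: 4, label: "Low",       min: 61, max: 80 },
  { band: 5, label: "Very Low",  min: 81, max: 100 },
];

function average(values) {
  if (values.length === 0) throw new Error("no scores to average");
  return values.reduce((a, b) => a + b, 0) / values.length;
}

// One risk area: average its questionnaire and document-request scores (all
// assumed to be on a 0-100 scale), then multiply by the area weight.
function scoreRiskArea(area) {
  const scores = area.questionnaireScores.concat(area.documentRequestScores);
  const rating = average(scores);          // area rating, 0-100
  const normalized = rating * area.weight; // normalized value = rating x weight
  return { name: area.name, rating, weight: area.weight, normalized };
}

// Roll the areas up into one 0-100 assessment score. Assumption: weighted
// mean, sum(rating x weight) / sum(weight), so the result stays on 0-100.
function calculateAssessmentScore(areas) {
  const scored = areas.map(scoreRiskArea);
  const totalWeight = scored.reduce((s, a) => s + a.weight, 0);
  if (totalWeight <= 0) throw new Error("risk area weights must sum to > 0");
  const overall = scored.reduce((s, a) => s + a.normalized, 0) / totalWeight;
  return { areas: scored, overall: Math.round(overall * 100) / 100 };
}

// Map a 0-100 score to a band. Note the direction: band 1 is the highest risk.
function mapScoreToBand(score, scale = DEFAULT_RISK_RATING_SCALE) {
  if (score < 0 || score > 100) throw new RangeError("score must be 0-100");
  const s = Math.round(score);
  return scale.find(b => s >= b.min && s <= b.max);
}

// Constructed sample: a critical SaaS vendor where security risk is weighted
// three times operational risk, as in the guide's own example.
const SAMPLE_ASSESSMENT = [
  { name: "Security risk",               weight: 3, questionnaireScores: [20, 30], documentRequestScores: [25] },
  { name: "Privacy and data protection", weight: 2, questionnaireScores: [80],     documentRequestScores: [80] },
  { name: "Operational risk",            weight: 1, questionnaireScores: [95],     documentRequestScores: [85] },
];

// Convenience wrapper returning score and band together.
function gradeAssessment(areas) {
  const result = calculateAssessmentScore(areas);
  return { overall: result.overall, band: mapScoreToBand(result.overall) };
}

// Security rating 25 (x3 = 75), privacy 80 (x2 = 160), operational 90 (x1 = 90):
// overall = 325 / 6 = 54.17 -> band 3 "Medium". With equal weights the same
// answers would average 65 -> band 4 "Low", which is the effect of weighting.
console.log(JSON.stringify(gradeAssessment(SAMPLE_ASSESSMENT)));
```

The point to take from running it is that the same answers land in a different band once the security area carries more weight, which is exactly what the weight field is for; and that a lower band number means more risk, not less.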

Smart Assessment Engine (SAE)

The Smart Assessment Engine is a shared/core capability across the ServiceNow GRC (IRM) portfolio — common assessment infrastructure used by multiple modules, not a standalone tool. It is the forward-looking alternative to the classic engine. (The classic-engine scoring doc page is now explicitly titled for the "classic" engine, signaling the two coexist; the older external-assessment creation flow is now labeled the "Legacy process.")

Key SAE concepts:

  • Assessment metric categories group related metrics; each category and metric carries a weight.
  • Scoring can be configured at the question, subsection, section, and assessment levels, with optional normalization for fair cross-assessment comparison.
  • A weighted, normalized score is calculated for each target record. Questions and section metrics can be reused as variables.
  • In TPRM, SAE enables automated third-party assessments with scoring, issue generation, and event-driven rules.

Assessment generation, scheduling, and submission rules

Assessments can be generated automatically rather than hand-launched. Two submission rule types drive this:

  • Tier-based submission rules — auto-submit an assessment to a third party based on the third party's tier + an assessment template.
  • Provider-based submission rules — auto-submit based on a security-score provider, the vendor, the security score, and the vendor tier (i.e., an external rating feed can trigger an assessment).

For continuous coverage, organizations configure recurring reassessment cycles (e.g., annual). Assessments are distributed to the third party at the configured interval, and an assessment can auto-submit when a tier changes — provided a primary contact exists to receive it.

Assessment life cycle states

The third-party (external) risk assessment progresses through states. The documented progression is approximately: Draft → Submitted to vendor → Responses received → Generating observations → Finalizing with vendor → Closed. During "Submitted to vendor", the third party works the tasks, issues, and questionnaires. For an internal-only assessment, the Submitted to Vendor → Finalize with Vendor steps can be bypassed (no external party to wait on).

Disambiguation (FLAG). Do not conflate the assessment record states (Draft / Submitted to vendor / Responses received / Generating observations / Finalizing with vendor / Closed) with the issue/record workflow wording (New / Analyze / Submitted to Vendor / Finalize with Vendor / Review / Closed Complete). The exam may test exact labels for each — read the official "Life cycle states of a third-party (external) risk assessment" page directly to confirm.


Domain 1 — VRM Fundamentals and Review (24%)

What the product does

ServiceNow Third-party Risk Management provides a centralized process for managing a third-party portfolio and completing the third-party assessment and remediation life cycle — assessing, mitigating, remediating, and continuously monitoring risk across the third-party ecosystem. It maintains an inventory of third parties, their risk tiers, engagement details, and contacts.

VRM → TPRM rename and scope expansion

The product was renamed from Vendor Risk Management to Third-party Risk Management in the Vancouver release, and TPRM was built on the existing VRM foundation. The rename reflects a scope expansion beyond IT vendors: where VRM centered on technology/IT partner risk, TPRM also covers suppliers, service providers, partners, facilities, contractors, and even customers.

Third parties, engagements, hierarchy, and tiering

  • Third party (vendor) record — the master record for a supplier/partner. Carries the current risk tier, which reflects the latest approved tiering assessment.
  • Engagement — documents a distinct product or service a third party provides. Different engagements need different depths of risk data based on data sensitivity, system access, and business impact. One third party can have many engagements.
  • Vendor hierarchy / relationships — third parties can be related to one another (e.g., parent/subsidiary, fourth-party relationships), supporting concentration and dependency analysis.
  • Tiering / criticality — third parties are classified by criticality (commonly Tier 1 High/Critical, Tier 2 Medium, Tier 3 Low). The tier is set by a tiering assessment and surfaces on the third-party record after approval.

Inherent Risk Questionnaires (IRQs) and Due Diligence

An Inherent Risk Questionnaire (IRQ) produces a risk score via a configurable scoring model that determines the scope and frequency of due diligence and can dynamically trigger external questionnaires based on the answers and resulting tier.

The Due Diligence process (a flagship TPRM-era capability) is a guided flow spanning onboarding due diligence → automated assessment → domain-specific information validation → ongoing engagement-level monitoring → issue remediation → renewal/offboarding. TPR Managers approve due-diligence requests; IRQs are created and assigned to TPR Assessors. This lets risk teams engage earlier in the engagement life cycle.


Domain 5 — Vendor Portal Configuration (15%)

The Third-Party Portal

The Third-Party Portal (formerly the Vendor Portal) is a secure, external-facing interface where third parties collaborate with the risk team: view and respond to assessments, upload requested documents, and track tasks and deadlines. It is how external parties participate without access to the full Now Platform instance.

External user access and portal roles

Third-party contacts become external users. Each is automatically assigned two roles:

  • vendor_contact — grants access to the Third-Party Portal.
  • snc_external — restricts the user to the portal only, preventing access into the full instance.

Together these mean a vendor contact can log in and work assessments but cannot roam the customer's instance.

Contacts and the primary contact

Each third party must have at least one primary contact. The primary contact receives assessment questionnaires. A TPR Manager or Assessor — or the primary contact themselves — can create additional contacts. Contacts can delegate tasks, update their information, and set notification preferences from the portal.

Responding to assessments

Vendors respond online in the portal and can use "Save and Sign" to apply an e-signature (typed or drawn). Alternatively they can use an offline path: download an Excel template, complete it offline, and re-import the responses.


Domain 2 — Core Configuration (13%)

Roles (hierarchy, each inherits the one below)

  • Third-Party Reader — read access to third-party and contact records.
  • Third-Party Editor — create/update/delete third-party and contact records.
  • Third-Party Assessment Reviewer (sn_vdr_risk_asmt.vendor_assessment_reviewer) — view assessment and questionnaire data.
  • TPR Assessor (sn_vdr_risk_asmt.vendor_assessor) — reviewer permissions plus manage third parties, engagements, assessments, and issues.
  • TPR Manager (sn_vdr_risk_asmt.vendor_risk_manager) — assessor permissions plus manage assessment templates, scheduled assessments, property settings, and scoring rules.
  • Third-Party Risk Admin — manager permissions plus create/edit questionnaire and document-request templates.

The exact internal ID for "Third-Party Risk Admin" should be confirmed on the live roles page (see grounding). The four IDs above are the load-bearing ones to memorize.

Plugins / Store applications to activate

Standing up TPRM typically requires installing:

  • Third-party Risk Management app — com.sn_vdr_risk_asmt
  • Due diligence request workflow app — com.sn_tprm_dd
  • Vendor Risk Management Workspace app — sn_vrm_ws

On older (pre-Madrid) instances, the legacy entry point was the GRC: Vendor Risk Management plugin (com.sn_vdr_risk_asmt).

Tiering setup

Risk tiering is configured via tiering assessments and IRQ scoring models. The tiering score classifies the third party (Tier 1/2/3 by criticality) and the value lands on the third-party record once the tiering assessment is approved, reflecting the most recent approved result.


Domain 4 — Risk Issues and Processes (13%)

Issues

A vendor risk issue captures a problem surfaced by an assessment, an observation, or monitoring. Creating a new issue requires: name, description, category, priority, and the related third party or engagement.

Remediation tasks and the issue workflow

Once an issue is analyzed, remediation tasks/actions are generated, assigned to the third party as needed, and tracked through issue execution → internal review → closure. The conceptual issue workflow follows New/Analyze → (work) → Review → Closed Complete.

Tasks

Tasks can be associated with a specific assessment or a specific issue. In the Risk tab of the Vendor Risk Management Workspace, you can view all tasks tied to third parties/engagements along with their status.

Continuous monitoring drives issues

SAE event-driven rules and external rating-feed thresholds can automatically create issues — for example, generating an issue when a vendor's external cyber score drops below a configured threshold (see Domain 6).


Domain 6 — Other Application Relationships (5%)

Part of Integrated Risk Management (IRM/GRC)

TPRM is a component of ServiceNow Integrated Risk Management (IRM), which unifies risk data across Policy & Compliance Management, Risk Management, Compliance Case Management, audit, and third-party risk. (IRM Standard bundles Policy & Compliance Management, Compliance Case Management, and Risk Management.)

CMDB

The CMDB provides shared context across systems, assets, and business services used in risk analysis. TPRM and IRM lean on this for linking third parties/engagements to the business applications and services they support.

Continuous monitoring — external risk-intelligence providers

TPRM integrates external risk-intelligence / security-rating feeds for continuous monitoring. Incoming provider scores can auto-update third-party records and trigger threshold-based workflows (e.g., create an issue when a score drops). Provider domains and example integrations (available as ServiceNow Store apps):

  • Cyber security ratings: BitSight, SecurityScorecard, RiskRecon (by Mastercard), UpGuard
  • Supply chain: Interos
  • ESG: EcoVadis
  • Financial: Dun & Bradstreet
  • Sanctions/screening: World-Check
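The provider feed is what ties Domain 3's provider-based submission rules (provider + vendor + score + tier, requiring a primary contact) to Domain 4's threshold-driven issue creation. The following added example, plain JavaScript written for this guide and not a ServiceNow integration, models one monitoring cycle over a constructed score feed. The provider name "ExampleCyberRatings", its score range, the rule and threshold field names, the third-party records and the function names are all assumptions; the guide does not specify how a real Store app represents them.

```javascript
// Added example (not ServiceNow code): a plain-JavaScript model of one
// continuous-monitoring cycle. A provider score feed is checked against
// (a) a threshold that opens an issue when a score drops below it, and
// (b) provider-based submission rules that auto-submit an assessment
// template when provider, tier and score match. Provider, score range,
// field names and sample data are constructed for illustration.

// Constructed provider-based submission rules (provider + tier + score -> template).
const SUBMISSION_RULES = [
  { provider: "ExampleCyberRatings", tier: 1, scoreBelow: 700, template: "Critical vendor security assessment" },
  { provider: "ExampleCyberRatings", tier: 2, scoreBelow: 600, template: "Standard security assessment" },
];

// Constructed monitoring threshold: open an issue when a score crosses below it.
const ISSUE_THRESHOLD = { provider: "ExampleCyberRatings", scoreBelow: 650, category: "Security", priority: 2 };

// Constructed third-party records; tier comes from the latest approved tiering assessment.
const THIRD_PARTIES = {
  "Acme Hosting":   { tier: 1, primaryContact: "risk@acme.example" },
  "Beta Analytics": { tier: 2, primaryContact: null },   // no primary contact yet
  "Gamma Payroll":  { tier: 3, primaryContact: "sec@gamma.example" },
};

// Evaluate a feed of {provider, vendor, score} events. previousScores holds the
// last score seen per vendor so a "drop below" is a crossing, not a steady state.
function evaluateFeed(feed, previousScores, parties, rules, threshold) {
  const actions = [];
  for (const event of feed) {
    const party = parties[event.vendor];
    if (!party) {
      actions.push({ type: "unknown_vendor", vendor: event.vendor });
      continue;
    }
    const prev = previousScores[event.vendor];
    const wasBelow = prev !== undefined && prev < threshold.scoreBelow;
    const isBelow = event.provider === threshold.provider && event.score < threshold.scoreBelow;
    // Only a crossing from at/above to below creates an issue, so a vendor that
    // stays low does not get a duplicate issue on every cycle.
    if (isBelow && !wasBelow) {
      actions.push({ type: "create_issue", vendor: event.vendor, category: threshold.category,
                     priority: threshold.priority, reason: `${event.provider} score ${event.score} < ${threshold.scoreBelow}` });
    }
    for (const rule of rules) {
      if (rule.provider !== event.provider || rule.tier !== party.tier || event.score >= rule.scoreBelow) continue;
      if (!party.primaryContact) {
        // The guide's caveat: auto-submission needs a primary contact to receive it.
        actions.push({ type: "submission_blocked", vendor: event.vendor, template: rule.template, reason: "no primary contact" });
      } else {
        actions.push({ type: "submit_assessment", vendor: event.vendor, template: rule.template, to: party.primaryContact });
      }
    }
    previousScores[event.vendor] = event.score; // remember for the next cycle
  }
  return actions;
}

// Constructed feed for one cycle, with the previous cycle's scores.
const SAMPLE_FEED = [
  { provider: "ExampleCyberRatings", vendor: "Acme Hosting",   score: 640 }, // dropped from 720
  { provider: "ExampleCyberRatings", vendor: "Beta Analytics", score: 580 }, // already below last cycle
  { provider: "ExampleCyberRatings", vendor: "Gamma Payroll",  score: 610 }, // dropped; tier 3 has no rule
  { provider: "ExampleCyberRatings", vendor: "Unknown Corp",   score: 300 }, // not a managed third party
];

function runMonitoringCycle() {
  const previous = { "Acme Hosting": 720, "Beta Analytics": 590, "Gamma Payroll": 700 };
  return evaluateFeed(SAMPLE_FEED, previous, THIRD_PARTIES, SUBMISSION_RULES, ISSUE_THRESHOLD);
}

// Expected: issues for Acme and Gamma (crossings), an assessment submitted to
// Acme (tier 1 rule), Beta's submission blocked for lack of a primary contact,
// and one unknown-vendor event to reconcile.
console.log(JSON.stringify(runMonitoringCycle(), null, 2));
```

Two behaviours are worth noticing for the exam and for real implementations: the tier-3 vendor gets an issue but no assessment because no submission rule covers its tier, and the tier-2 vendor matches a rule yet nothing is sent because the primary-contact precondition from Domain 3 is not met.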

Domain 7 — Dashboards and Reports (5%)

Vendor Risk Management Workspace

The Vendor Risk Management Workspace is the single-pane workspace for third-party risk managers. It shows the overall risk posture of the third-party ecosystem, supports day-to-day work (performing/tracking assessments, issues, tasks), and offers a home page of actionable insights and quick links.

Vendor Risk Overview reports

Out-of-the-box Vendor Risk Overview reports/dashboards give visibility into vendor tiering, risk and tier assessment plans, open issues, and risk across vendors.

Performance Analytics and platform reporting

Dashboards are customizable; reports can be scheduled or run on demand using standard platform reporting and Performance Analytics. A GRC Risk Management PA content pack exists at the broader IRM/Risk layer. (There is no separately named, dedicated "TPRM Performance Analytics content pack" confirmed in docs — reporting is delivered via the workspace + Vendor Risk Overview reports + platform PA.)


Fast-recall cheat list

  • Exam: 60 Q / 90 min; single + multi-select. Heaviest domains: Assessment Configuration 25%, VRM Fundamentals 24%.
  • Rename: VRM → TPRM in Vancouver; published exam code may read CIS-VRM; doc paths keep grc-vendor-risk.
  • Scope: TPRM covers vendors, suppliers, service providers, partners, facilities, contractors, even customers — not just IT.
  • Assessment = questionnaires + document requests. Templates are reusable containers. SIG questionnaire supported.
  • Risk areas: security, privacy/data protection, compliance, financial, operational, business continuity, resilience — each weighted.
  • Classic scoring: average questionnaire + document-request scores per risk area × area weight; normalized value = rating × weight.
  • Rating scale: score 0–100 → bands 1 Very High … 5 Very Low (low number = high risk).
  • Smart Assessment Engine: shared GRC engine; scoring at question/subsection/section/assessment levels; optional normalization; weighted normalized score per target; issue generation + event-driven rules.
  • Submission rules: Tier-based (tier + template) vs Provider-based (provider + vendor + score + tier). Recurring reassessment; auto-submit on tier change if primary contact exists.
  • Assessment states: Draft → Submitted to vendor → Responses received → Generating observations → Finalizing with vendor → Closed. Internal-only can skip the vendor steps.
  • Portal roles: vendor_contact (portal access) + snc_external (portal-only restriction). Primary contact receives questionnaires.
  • Response: online "Save and Sign" e-signature, or offline Excel download → re-import.
  • Roles ladder: Third-Party Reader → Editor → Assessment Reviewer (vendor_assessment_reviewer) → TPR Assessor (vendor_assessor) → TPR Manager (vendor_risk_manager) → Third-Party Risk Admin.
  • Plugins: com.sn_vdr_risk_asmt (TPRM), com.sn_tprm_dd (Due Diligence), sn_vrm_ws (Workspace).
  • Tiering: Tier 1/2/3 by criticality; set by tiering assessment, lands on record when approved. IRQ drives due-diligence scope/frequency.
  • Due Diligence: onboarding → automated assessment → validation → ongoing monitoring → remediation → renewal/offboarding.
  • Issue fields: name, description, category, priority, related third party/engagement → remediation tasks → execution → review → closure.
  • Monitoring providers: BitSight, SecurityScorecard, RiskRecon, UpGuard (cyber); Interos (supply chain); EcoVadis (ESG); Dun & Bradstreet (financial); World-Check (sanctions). Threshold breach can auto-create issues.
  • Reporting: Vendor Risk Management Workspace + Vendor Risk Overview reports + Performance Analytics.

Items flagged with internal-ID or content-pack caveats above are noted as watch items in grounding.md. Verify any UNVERIFIED detail against the official current-release docs before relying on it.