Manage Third-Party Risk for Security+ (SY0-701)
Understand vendor assessment, selection, agreements, monitoring, and rules of engagement for the third-party-risk objectives on Security+.
Third-party risk exists because outside services, vendors, contractors, and partners can introduce security exposure long before an attacker appears. Security+ expects you to know that a popular vendor is not automatically a low-risk vendor. Assessment, contractual clarity, and ongoing monitoring still matter.
What the exam is really testing
CompTIA usually wants you to connect four things:
- what the third party handles
- how much access or dependency the organization gives them
- what evidence exists that the third party is operating securely
- what the organization will do if that provider fails, is breached, or underperforms
The strongest answer rarely says “trust the vendor.” It says “verify the controls, define the boundaries, and monitor the relationship.”
Third-party risk questions often involve
- vendor due diligence
- security questionnaires
- shared responsibility boundaries
- contract language, SLAs, and right-to-audit concepts
- access scope and rules of engagement
- ongoing vendor monitoring
The main decision pattern
Ask:
- What does the third party handle?
- What access do they have?
- What evidence of control maturity exists?
- What happens if they fail?
Those four questions usually point you to the strongest answer.
Vendor review checklist
| Review area | Why it matters |
|---|---|
| Data handled | Shows privacy and confidentiality exposure |
| Access scope | Shows what blast radius the vendor could create |
| Security evidence | Shows whether the vendor can prove control maturity |
| Contract and SLA terms | Clarify obligations, response expectations, and accountability |
| Ongoing monitoring | Confirms the relationship stays acceptable over time |
Small vendor-intake example
1vendor: payroll-processor
2data_types:
3 - pii
4 - payroll
5access:
6 - sftp-upload
7 - no production admin
8required_evidence:
9 - security_questionnaire
10 - incident_notification_terms
11 - right_to_audit_or_equivalent_assurance
12review_cycle: annual
What to notice:
- the vendor is scoped by data type and access path
- evidence and contract expectations are explicit
- third-party risk is operationalized, not left vague
Shared responsibility still needs verification
Cloud and SaaS providers often use shared-responsibility language. Security+ expects you to understand that shared responsibility does not mean “the vendor handles security.” It means boundaries must be understood and enforced. The organization still has to review access, monitoring, and response expectations carefully.
Common traps
- treating vendor selection as a one-time event
- forgetting ongoing monitoring after onboarding
- assuming the contract alone removes the security risk
- ignoring access scope for contractors or service providers
Harder scenario question
A company wants to use a SaaS vendor for storing regulated customer data. The vendor is well known, but the security team has not reviewed incident-notification obligations, access boundaries, or what evidence of control maturity is available. Which answer is strongest first?
A. Approve the vendor immediately because brand recognition lowers risk
B. Complete third-party due diligence, clarify contractual and notification obligations, and verify how the vendor’s controls align to the handled data and access scope
C. Share a permanent admin account so integration can start faster
D. Skip the review because the data will also be encrypted
Best answer: B. The strongest answer verifies scope, evidence, and accountability before sensitive-data onboarding.
Quiz
Continue with 5.4 Security Compliance & Privacy to connect vendor oversight to legal and privacy obligations.