Third Party Cyber Risk Assessor (TPCRA) Certification
The TPCRA Certification is a specialized qualification designation to confirm your understanding and skill in the assessment of third party cyber security controls and processes, as well as validate your competency in the creation, execution, and management of third party cyber risk assessments. The TPCRA Certification will also authenticate and add credibility to your expertise as a third party cyber risk assessor.
Who the TPCRA is for
The TPCRA is the standard of achievement for those who assess, monitor, and review third party cyber security and information technology controls, as well as identify and mitigate the risk related to those controls. Such roles may include, but are not limited to, Third Party Risk Management Practitioners, Procurement Specialists, Vendor Managers, Auditors, Information Security Professionals, Privacy or Compliance Specialists, or Legal Professionals.
Why You Need the TPCRA
The TPCRA Certification is foundational to achieving success as a third party risk management practitioner. This certification will evidence your proficiency with various cyber security and information technology assessment techniques and terms.
Certification Eligibility Criteria
At least three years in a full-time risk management/analyst and/or cybersecurity-related role. Substitutions may be obtained for a maximum of one year, which include, but are not limited to:
60 to 120 completed university semester credit undergraduate hours in an information security and/or information technology-related major.
A master’s degree in information security or information technology from an accredited university.
An active information security-related certification from an accredited institution. Examples include, but are not limited to, the CISSP, Security+, CRISC, CISA, CISM.
Additional substitutions for work experience will be taken into consideration during the application process and reviewed/approved by the TPRA.
No traditional university degree requirement.
Adhere to the Code of Practitioner Conduct (to be created). This includes being open with knowledge and actively working to advance the industry.
Deferred Achievement Option – Should you wish to sit for the examination prior to meeting the work experience requirement, you may do so if you will meet the minimum work experience within the next 24 months. If you pass the examination, you will then receive your certification status once you meet the minimum work experience requirements, provided all other validation requirements have been met.
The examination is a 200-question, multiple-choice assessment taken virtually via the TPRA testing platform.
Time limit of 4 hours.
The examination is a closed book assessment that will be virtually monitored via an assigned proctor (therefore, your computer or laptop must have video capabilities and be turned on for the exam).
The examination will cover the following domains:
Cybersecurity and Third Party Risk Management Basics
Pre-Contract Due Diligence
Disengagement Due Diligence
Cloud Due Diligence
Reporting and Analytics
Submit a TPCRA application below.
Evidence your related full-time work experience and/or approved substitution alternative. See acceptable evidence types.
Sign the Code of Practitioner Conduct agreement.
Submit your certification processing fee of $400.
Schedule an exam.
Examination Preparation & Training
TPCRA Certification applicants may choose to purchase the book “Cybersecurity & Third Party Risk” by author Gregory C. Rasner to prepare for the examination. This book closely aligns with the TPCRA Certification examination domains.
TPCRA Certification applicants are eligible to participate in optional training for a $500 fee, which includes a copy of the “Cybersecurity & Third Party Risk” book.
Training provides you with 21 hours of in-depth discussion on the examination domains, hands-on experience designing and performing cyber assessments, as well as opportunities to perform mock interviews and run through physical validation scenarios.
Training is taught by a knowledgeable subject matter expert who has achieved the TPCRA Certification designation.
Examination - $400 for Standard Practitioner Members & Non-Members. $340 for Premium Members.
Training - $500 for Standard & Non-Members. $425 for Premium Members. Includes the book “Cybersecurity & Third Party Risk” by author Gregory C. Rasner.
Examination + Training Bundle - $800 for Standard & Non-Members. $700 for Premium Members. Includes the book “Cybersecurity & Third Party Risk” by author Gregory C. Rasner.
Retake - $200. You must wait 60 days to retake the examination if you fail.
Certification Renewal - $100 for Standard Practitioner Members and Non-Members. $85 for Premium Members.
(OPTIONAL: book is included in the cost of Training, or can be purchased separately)
The secret is out: If you want to obtain protected data as a hacker, you do not attack a big company or organization that likely has good security. You go after a third party that more likely does not. Companies have created the equivalent of how to deter car thieves: Ensure that your car looks difficult enough to break into so that thieves move on to the automobile with its doors unlocked and keys in the ignition. When a burglar sees a car with a car alarm, they know that they can look and eventually find a target that isn't so well protected. Exploiting the weakest link is not new. A bank robber could go to the bank to steal money, but a softer target would likely be the courier service as they bring the money into and out of the bank.
Learn what the risk is and how to assess the cyber risk
Step-by-step guide on how to create a cyber-risk third-party risk management program without having to be a cyber or risk management expert
Create a mature cyber-focused third-party risk management program that is predictive and less reactive
Learn how to secure your data in a vendor's cloud and how to secure your software supply chain.
Greg Rasner, CISSP, CIPM, ITIL, CCNA
Author of "Cybersecurity & Third-Party Risk", SVP of Cyber Third Party Risk at Truist, Educator, and Frequent Keynote Speaker
Greg has worked as a cybersecurity and IT leader in Finance, Biotech, Technology and Software fields. He holds a BA from Claremont McKenna College along with certifications: CISSP, CCNA, CIPM, ITIL. He is the author of the book “Cybersecurity and Third Party Risk: Third Party Threat Hunting” published by Wiley, has written several online articles for major publications, and is a frequent speaker at forums and conferences on related topics. He has five kids and a wife who is also a cybersecurity professional. Rasner was in the USMC and was co-chair for the Truist Veterans and First-Responders Business Resources Group. Greg created the cybersecurity program at Johnston Community College (JCC), is a board member on the Technology Advisory Board, and teaches there part-time as well. Fun for him is camping and traveling with his family.
Select the option below which most closely aligns with your current TPRA Membership status in order to navigate to the correct Exam Application.
By completing and submitting the application, you attest that your answers are truthful to the extent of your ability and knowledge. Failure to provide accurate information will result in your application being rejected and put your eligibility for future TPRA certifications under consideration by TPRA staff, Certification personnel, and the TPRA Board of Directors.