3rd party risk management
Answer:
Considering ISO 27001 requirements, 3rd party risk management is not much different from performing risk management on your own environment:
- Define risk assessment methodology
- Perform risk assessment
- Perform risk treatment
- Elaborate ISMS Risk Assessment Report
- Elaborate Statement of Applicability
- Define Risk Treatment Plan
The main difference is that you have to formally define the risk assessment and treatment methodology with the third party, e.g., by means of a contract, and define clear roles and responsibilities for each party (e.g., the third party will identify and analyze risks while your organization will evaluate them during the risk assessment implementation).
These articles will provide you further explanation about risk assessment and treatment:
- ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
- How to write ISO 27001 risk assessment methodology https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/
- 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
These materials will also help you regarding risk assessment and treatment:
- The basics of risk assessment and treatment according to ISO 27001 [free webinar] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
Mar 28, 2019