IT Third Party Risk Specialist

Kerry Consulting · Singapore

SOC reports, ISO certifications, cloud security, IT controls, security frameworks

Job description

About the role

You will be responsible for assessing, monitoring, and managing IT and cybersecurity risks associated with third‑party vendors and service providers. The role works closely with Procurement, Legal, Compliance, Cybersecurity and IT teams to ensure risks are identified, evaluated and mitigated throughout the vendor lifecycle.

Key responsibilities

  • Lead and perform IT risk assessments on third‑party vendors, including cloud services, SaaS, infrastructure providers and managed services.
  • Define and maintain the third‑party risk management (TPRM) framework, processes and controls in line with internal policies, regulatory requirements and industry best practices.
  • Collaborate with procurement and business units during vendor onboarding and renewal to conduct due diligence, risk reviews and control assessments.
  • Evaluate vendor responses to security questionnaires and assess supporting documentation such as SOC reports, ISO certifications and penetration test results.
  • Track and monitor identified risks, issues and remediation plans with vendors to ensure timely resolution.
  • Conduct periodic reassessments of critical vendors to ensure ongoing compliance with security and data‑protection requirements.
  • Support regulatory, audit and internal reporting by maintaining accurate third‑party risk records.
  • Develop risk metrics, dashboards and reports for senior management and governance forums.

Required profile

  • Bachelor’s degree in Information Technology, Cybersecurity, Risk Management or a related field.
  • 3–8 years of experience in IT risk management, third‑party/vendor risk assessment or cybersecurity within a regulated industry.
  • Strong knowledge of IT controls and security frameworks.
  • Familiarity with regulatory requirements such as MAS TRM, GDPR, PDPA or equivalent.
  • Excellent stakeholder management, communication and analytical skills.

Required skills

  • Experience reviewing SOC reports, ISO certifications, penetration testing results and cloud security documentation.
  • Knowledge of IT controls and security frameworks.
  • Understanding of regulatory standards like MAS TRM, GDPR and PDPA.

Frequently asked questions

The salary is not publicly disclosed by the recruiter. You can apply and negotiate directly with Kerry Consulting.

Published 2 hours ago

Expires 1 month from now
