top of page
-
Examination OutlineThe examination is a 150-question, multiple-choice assessment. Questions will include a variety of formats, such as scenario-based, true or false, and choose the best response. The time limit is 3 hours. The examination will be taken in person at a PearsonVue testing facility. PearsonVue offers over 5,000 test facilities worldwide and is ADA-compliant. If you have a special request for accommodations, please contact Julie Gaiaschi at julie@tprassociation.org. The examination is a closed-book assessment that will be monitored via an assigned proctor. The examination will cover the following domains: Cybersecurity and Third Party Risk Management Basics Pre-Contract Due Diligence Continuous Monitoring Physical Validation Disengagement Due Diligence Cloud Due Diligence Reporting and Analytics Practitioner Ethics You must receive an 80% or higher score to pass the TPCRA examination. Examinations may be scheduled at a day/time that suits you via a PearsonVue location. Once the exam and/or training and exam bundle is purchased and approved by TPRA, you will receive an email with a link to register for your exam via the PearsonVue system. Following purchase, you have one (1) year to take your examination.
-
Certification Eligibility CriteriaTo be eligible for the TPCRA certification, you must have at least three years of experience in a full-time risk management/analyst and/or cybersecurity related role. Evidence of work experience must be submitted via the "TPCRA Work Experience Form" linked below. Substitutions may be obtained for up to one year of work experience. Substitutions may include, but are not limited to: 60 to 120 completed university semester credit undergraduate hours in an information security and/or information technology-related major. A master’s degree in information security or information technology from an accredited university. An active information security-related certification from an accredited institution. Examples include, but are not limited to, the CISSP, Security+, CRISK, CISA, CISM. Additional substitutions for work experience will be taken into consideration during the application process and reviewed/approved by the TPRA. In addition, you must sign and adhere to the Code of Practitioner Conduct (linked below).
-
Deferred Achievement OptionShould you wish to sit for the examination prior to meeting the minimum work experience requirement, you may do so if you will meet the requirement within the next 24 months. If you pass the examination, you will then receive your certification status once you meet and evidence the minimum work experience requirement, pending all other validation requirements have been achieved.
-
Certification Pricing“Cybersecurity & Third Party Risk” by Gregory C. Rasner All Training and Training & Exam Bundles include a copy of the book. Alternatively, anyone is welcome to purchase the book separately – Purchase on Amazon
-
Preparation & TrainingTPCRA Certification applicants may choose to purchase the book “Cybersecurity & Third Party Risk” by author Gregory C. Rasner to prepare for the examination. This book closely aligns with the TPRCA Certification examination domains. You may also choose to participate in optional TPCRA training, which includes a copy of the “Cybersecurity & Third Party Risk” book. Training provides you with 12 hours of in-depth discussion on the examination domains, hands on experience designing and performing cyber assessments, as well as opportunities to perform mock interviews and run through physical validation scenarios. Training is taught by a knowledgeable subject matter expert who has achieved the TPCRA Certification designation.
-
Certification Training Schedule
-
“Cybersecurity & Third Party Risk” – Book“Cybersecurity & Third Party Risk” by Gregory C. Rasner (OPTIONAL: Book is included in the cost of Training, or can be purchased separately) The secret is out: If you want to obtain protected data as a hacker, you do not attack a big company or organization that likely has good security. You go after a third party that more likely does not. Companies have created the equivalent of how to deter car thieves: Ensure that your car looks difficult enough to break into so that thieves move onto the automobile with its doors unlocked and keys in the ignition. When a burglar sees a car with a car alarm, they know that they can look, and eventually find, a target that isn't so well protected. Exploiting the weakest link is not new. A bank robber could go to the bank to steal money, but a softer target would likely be the courier service as they bring the money into and out of the bank. In this book you will find: An in-depth discussion on what risk is and how to assess cyber risk A step-by-step guide on how to create a cyber-focused third party risk management (TPRM) program without having to be a cyber or risk management expert Tips for create a more mature TPRM program that is more predictive and less reactive Details for ensuring your data is secure in a cloud environment and/or within your software supply chain.
-
TPCRA Training InstructorGreg Rasner, CISSP, CIPM, ITIL, CCNA Author of "Cybersecurity & Third-Party Risk", SVP of Cyber Third Party Risk at Truist, Educator, and Frequent Keynote Speaker Gregory C. Rasner has worked as a cybersecurity and IT leader in Finance, Biotech, Technology and Software fields. He holds a BA from Claremont McKenna College along with certifications: CISSP, CCNA, CIPM, ITIL. He is the author of the book “Cybersecurity and Third Party Risk: Third Party Threat Hunting” published by Wiley, written several online articles for major publications, and is a frequent speaker at forums and conferences on related topics. He has five kids and a wife who is also a cybersecurity professional. Rasner was in the USMC and was co-chair for the Truist Veterans and First-Responders Business Resources Group. Greg created the cybersecurity program at Johnston Community College, is a board member on the Technology Advisory Board, and teaches there part-time at JCC. Fun for him is camping and traveling with his family.
-
Certification RenewalIn order to maintain certification status, earners must participate in 20 hours of Continuing Professional Education (CPE). On an annual basis, certified individuals will be required to renew their certification and submit evidence of their CPE credits earned. A process is coming soon for submitting CPE evidence and renewing your Certification. Renewal Cost TPRA Standard, Vendor, & Non-Members: $100 TPRA Premium Practitioner Members: $85
-
RegistrationTo register for the certification, please follow the below steps: Review the Code of Practitioner Conduct agreement. (You will be able to provide a signature noting your agreement to the Code of Conduct within the TPCRA Application form Complete and submit the TPCRA application using the links below. Please allow up to two weeks for your application to be reviewed. Submit your certification processing fee. Receive an email noting your application has been received, as well as next steps. Evidence your related full-time work experience and/or approved substitution alternative. Upload here. (The "TPCRA Work Experience Form", as well as the link to upload your form will also be noted within your application confirmation email.) You will receive email confirmation once your application is approved or if additional information is required. You do not need to have an "Approved" application before you sit for your exam. You do need to have an "Approved" application, as well as a passing grade on the examination, to receive the TPCRA designation. You will receive an email with links to register for your training and/or examination dates.
-
What is the TPCRA?The TPCRA Certification is a specialized qualification designation to confirm your understanding and skill in the assessment of third party cyber security controls and processes, as well as validate your competency in the creation, execution, and management of third party cyber risk assessments. The TPCRA Certification will authenticate and add credibility to your expertise as a third party cyber risk assessor. It is foundational to achieving success as a third party risk management practitioner. This certification will evidence your proficiency with various cyber security and information technology assessment terms and techniques.
-
Who is the TPCRA for?The TPCRA is the standard of achievement for those who assess, monitor, and review third party cyber security and information technology controls, as well as identify and mitigate risk related to said controls. Such roles may include, but not be limited to: Third Party Risk Management Practitioners Procurement Specialist Vendor Managers Auditors Information Security Professionals Privacy or Compliance Specialists Legal Professionals
-
What is the cost of TPCRA certification?TPCRA pricing varies depending on your Third Party Risk Association membership status. See below for details: Examination - $500 for TPRA Members & Non-Members. $425 for TPRA Premium Practitioner Members. Training - $400 for TPRA Members & Non-members. $340 for TPRA Premium Practitioner Members. (Includes the book “Cybersecurity & Third Party Risk” by Gregory C. Rasner) Examination + Training Bundle - $800 for TPRA Members & Non-Members. $700 for TPRA Premium Practitioner Members. (Includes the book “Cybersecurity & Third Party Risk” by Gregory C. Rasner) Examination Retake Fee - $200 for TPRA Members & Non-Members. Must wait a minimum of 60 days from the completion of the last TPCRA exam to retake. Optional Book - You may choose to purchase separately the book “Cybersecurity & Third Party Risk” by author Gregory C. Rasner - Purchase on Amazon
-
What is the process for applying for and obtaining the TPCRA certification?Review the Code of Practitioner Conduct agreement. (You will be able to provide a signature noting your agreement to the Code of Conduct within the TPCRA Application form.) Complete and submit the TPCRA application. Please allow up to two weeks for your application to be reviewed. Submit your certification processing fee. Following purchase of examination or bundle, you have one (1) year to take your examination. Receive an email noting your application has been received, as well as next steps. Complete the "TPCRA Work Experience Form" to evidence your related full-time work experience and/or approved substitution alternative. Upload here. You will receive email confirmation once your application is approved or if additional information is required, as well as links to register for your training and/or examination dates. You do not need to have an "Approved" application before you sit for your exam. You do need to have an "Approved" application, as well as a passing grade on the examination, to receive the TPCRA designation. Register for your training and/or examination. Attend training (if applicable). Successfully complete and pass the TPCRA examination with a score of 80% or above. Receive TPCRA certification designation, including a digital credential badge via Credly and paper certificate via mail to showcase your accomplishment.
-
How long does it take for my application to be approved?Please allow up to two weeks for application approval. Upon approval, you will receive a confirmation email with information on next steps.
-
What professional experience is needed to qualify for the TPCRA certification?Individuals interested in obtaining the TPCRA certification must have at least three years of experience in a full-time risk management/analyst and/or cybersecurity related role. Substitutions may be obtained for up to one year of work experience. Substitutions may include, but are not limited to: 60 to 120 completed university semester credit undergraduate hours in an information security and/or information technology-related major. A master’s degree in information security or information technology from an accredited university. An active information security-related certification from an accredited institution. Examples include, but are not limited to, the CISSP, Security+, CRISK, CISA, CISM. Additional substitutions for work experience will be taken into consideration during the application process and reviewed/approved by the TPRA.
-
How do I evidence my professional/work experience?Evidence your work experience by completing the "TPCRA Work Experience Form" and submitting here.
-
What if I wish to sit for the exam prior to meeting the work experience requirements?Should you wish to sit for the examination prior to meeting the minimum work experience requirement, you may do so if you will meet the requirement within the next 24 months. If you pass the examination, you will then receive your certification status once you meet and evidence the minimum work experience requirement, pending all other validation requirements have been achieved.
-
What is the TPCRA examination process?Following completion and approval of your application and work experience, you will be sent details on how to schedule your exam with our testing vendor, PearsonVue. The TPCRA Examination is a 200 question, multiple choice assessment with a time limit of 4 hours, to be taken in-person at one of PearsonVue's 5,000 worldwide test facilities at a time and place of your choosing. Questions will include a variety of formats, such as scenario-based, true or false, and choose the best response. The examination will cover the following domains: Cybersecurity and Third Party Risk Management Basics Pre-Contract Due Diligence Continuous Monitoring Physical Validation Disengagement Due Diligence Cloud Due Diligence Reporting and Analytics You must receive an 80% or higher score to pass the TPCRA examination.
-
What domains are covered in the exam?Master the domains of: Cybersecurity and Third Party Risk Management Basics Pre-Contract Due Diligence Continuous Monitoring Physical Validation Disengagement Due Diligence Cloud Due Diligence Reporting and Analytics Practitioner Ethics. Gain comprehensive knowledge and practical skills to assess, manage, and mitigate cyber risks in third-party relationships. Be recognized as a trusted TPCRA-certified professional, equipped to make informed decisions and drive excellence in TPRM. Don't wait – apply now and become a leader in the ever-evolving landscape of third-party cyber risk!
-
How soon do I need to take the exam?Examinations must be completed within 12 months of receiving your examination registration link.
-
How do I schedule an exam date and time through Pearson VUE?After submitting your application through the TPRA site, you will receive an email with a link to schedule your examination. You must create a Pearson VUE web account on the Pearson VUE site. When creating your web account, use the same First and Last names and 20-character candidate (PTI ID) number as noted in your authorization-to-test email. For issues with your Pearson VUE username or password, the quickest way to reach a customer service agent is via LET’s CHAT. If your exam registration First or Last name does not match your photo ID, please email pearson@proftesting.com for assistance. After successfully scheduling, Pearson VUE will send a confirmation email listing your examination date and time, the test center address, along with important policies for your review and information. Confirmation emails are sent for every schedule, reschedule and cancellation of examination appointments. If you do not receive a confirmation email, Sign In with your Pearson VUE web account and verify the status of your examination appointment, as you may not have completed all of the necessary steps.
-
What are your rescheduling and cancellation policies?You may cancel or reschedule online up to 24 hours before your appointment at no cost. Pearson VUE will send you a confirmation email when you schedule, reschedule, or cancel an appointment. If rescheduling, be sure that you complete all of the steps until the “Your appointment is rescheduled!” screen is displayed. If you do not receive a confirmation email, please sign in with your Pearson VUE web account https://www.pearsonvue.com/tpra and recheck the status of your appointment as you may not have completed all of the necessary steps. If you fail to cancel 24 hours prior to your appointment, or if you miss your appointment, arrive late or fail to provide adequate identification, you will forfeit your exam fee and will not be able to schedule a new appointment without paying the TPRA exam retest fee. Please contact TPRA at info@tprassociation.org for next steps.
-
What score is required to pass the TPCRA examination?You must receive an 80% or higher score to pass the TPCRA examination.
-
If I do not pass the exam the first time, can I retake it?Individuals are able to retake the TPCRA examination after waiting a minimum of 60 days following their last exam. Retake fee is $200.
-
What do I receive after success completion of the exam?Upon completing the examination with a score of 80% or higher, you will be notified that you have earned the TPCRA certification, and receive a digital credential badge via Credly and a paper certificate via mail to showcase your accomplishment.
-
How can I prepare for the examination?TPCRA Certification applicants may choose to purchase the book “Cybersecurity & Third Party Risk” by author Gregory C. Rasner to prepare for the examination. This book closely aligns with the TPRCA Certification examination domains. You may also choose to participate in optional TPCRA training. Training provides you with 12 hours of in-depth discussion on the examination domains, hands on experience designing and performing cyber assessments, as well as opportunities to perform mock interviews and run through physical validation scenarios. Also included in the cost of training is a copy of the “Cybersecurity & Third Party Risk” book, training manual, training session recordings, and more. Training is taught by a knowledgeable subject matter expert who has achieved the TPCRA Certification designation.
-
Am I able to take only the TPCRA exam, and not training?Training is not required to take the TPCRA examination.
-
What topics are covered in TPCRA training?Training covers all topics which will be tested in the exam, including: Cybersecurity and Third Party Risk Management Basics Pre-Contract Due Diligence Continuous Monitoring Physical Validation Disengagement Due Diligence Cloud Due Diligence Reporting and Analytics
-
What is included in the cost of TPCRA training?The purchase of TPCRA training includes: 16 hours of specialized training by a subject matter expert A copy of the book "Cybersecurity & Third Party Risk” by Gregory C. Rasner which can be used to prepare for the Examination A TPCRA Student Training Manual which includes all the information covered in Training sessions, workshops, hands-on scenarios, and more Access to pre-recorded TPCRA Training session playback All of these materials are also included in the TPCRA Training & Examination Bundle.
-
Does the program offer private training sessions for organization?TPRA's Certification Program can accommodate private training sessions for organizations looking to get their whole teams certified. Contact Julie Gaiaschi at julie@tprassociation.org for more information.
-
How do I participate in training?Following payment of your certification processing fee and application approval, you will receive communication on how to register for TPCRA Training.
-
Can I share my training materials?All TPCRA training materials are strictly confidential. Sharing the materials with any party other than the individual registered for training in prohibited. Sharing materials without the express permission of the Third Party Risk Association may result in your removal from training registration or discontinuation of the certification designation attained.
-
How do I retain my certification?To retain your certification, TPCRA Certification holders must comply with the following requirements: Pay annual fee - $100 for TPRA Standard Practitioner Members, Vendor Members, & Non-members. $85 for TPRA Premium Practitioner Members. Participation in 20 hours of Continuing Professional Education (CPE) and submit evidence to CPE credits annually. Successfully abide by the Third Party Risk Association's Practitioner Code of Ethics.
-
How do I receive CPEs from attending Third Party Risk Association events?CPE credits are provided to those that attend TPRA member meetings, as well as TPRA conferences.
-
Does Third Party Risk Association accept CPEs from other organizations to meet CPE requirements?Yes. CPEs issued by other organizations are accepted towards your CPE requirements.
bottom of page