I am reviewing our third-party inherent risk tiers and I am finding that Low and Minimal are really too similar, and I am likely looking to combine those into one rating. Moderate, however, is too big, with too many variations and nuances. I would like to create two Moderate tiers: a Mod/High that requires a SOC and InfoSec review, and a Mod/Low that has internal data but does not require a SOC, though we are still interested in their InfoSec policies, and if they do provide a SOC it can be reviewed by TPRM rather than InfoSec.
I would like to see others' tier metrics or definitions. I have shared mine below as an offering. We also just added an infrastructure designation, but it would still fall into one of the tiers below; it just lets us know the due diligence will be more limited.
I am all about peer sharing, as I know we are all spread a bit thin and all have different levels of creativity.
