Third-Party Dependency Mapping Sheet (Template)

Aligned with NIST CSF (ID.BE-1, ID.BE-2, ID.SC-1 through ID.SC-5) and FCA’s third-party risk management expectations.

Purpose: To identify, categorize, assess, and continuously monitor dependencies on third-party vendors and service providers.

Suggested Format: Excel / Google Sheets

Sheet Structure

| # | Third Party Name | Service / Product Provided | Service Criticality | Data Shared (Y/N) | Data Sensitivity | Access to Internal Systems (Y/N) | Contract Owner | Contact Info | Risk Tier (High/Med/Low) | FCA Regulated? | Subcontractors? | Control Assessments (Y/N) | Backup Vendor Exists? | RTO / RPO Agreed | Last Review Date |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | AWS | Cloud Hosting Infrastructure | High | Yes | Confidential | Yes | IT Operations | | High | No | No | Yes | No | 4h / 1h | 01/05/2025 |
| 2 | Okta | IAM Platform | Critical | Yes | PII | Yes | CISO Office | | High | Yes | Unknown | Yes | Yes | 2h / 15m | 15/04/2025 |
| 3 | Zendesk | Customer Support Tool | Medium | Yes | Internal Use Only | No | Customer Success | zendesk@... | Medium | No | No | No | Yes | 8h / 4h | 02/06/2025 |

Key Field Definitions

  • Service Criticality: Categorized as Critical, High, Medium, Low based on business impact.

  • Risk Tier: Derived from data sensitivity, system access and service criticality.

  • Control Assessments: Whether a due diligence or assurance audit (e.g. SOC 2, ISO 27001) has been conducted.

  • RTO / RPO: Recovery Time Objective / Recovery Point Objective as per contract or SLA.

  • Backup Vendor: Alternate supplier identified in case of outage.

Optional Tabs

  • Vendor Risk Heatmap: Visualise Risk Tier vs Criticality.

  • Renewal Tracker: Contract expiry and renewal timelines.

  • Assessment Checklist: Aligns to NIST ID.SC-2 and ID.SC-3 (supply chain controls).

  • Concentration Risk Dashboard: Identifies single points of failure across dependencies.
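As an added illustration (not part of the template) of how the Risk Tier definition and the Concentration Risk Dashboard can be checked automatically, the script below loads the three sample rows as CSV, derives a tier with an assumed scoring rule, and flags critical services with no backup vendor, unknown subcontractors or no control assessment. The tier rule and the flag thresholds are assumptions for the example, not FCA or NIST requirements.

```python
import csv
import io

# Constructed sample: the three rows of the sheet above, as CSV.
SAMPLE_CSV = """name,criticality,data_shared,sensitivity,internal_access,risk_tier,subcontractors,control_assessed,backup_vendor,rto_rpo
AWS,High,Yes,Confidential,Yes,High,No,Yes,No,4h / 1h
Okta,Critical,Yes,PII,Yes,High,Unknown,Yes,Yes,2h / 15m
Zendesk,Medium,Yes,Internal Use Only,No,Medium,No,No,Yes,8h / 4h
"""

SENSITIVE = {"PII", "Confidential"}
HIGH_IMPACT = {"Critical", "High"}


def derive_risk_tier(row):
    """Assumed rule: tier follows service criticality, raised to High when
    the vendor also holds sensitive data or has access to internal systems."""
    exposed = row["sensitivity"] in SENSITIVE or row["internal_access"] == "Yes"
    if row["criticality"] in HIGH_IMPACT and exposed:
        return "High"
    if row["criticality"] in HIGH_IMPACT or row["criticality"] == "Medium":
        return "Medium"
    return "Low"


def review_register(csv_text):
    """Return {vendor: [findings]} for tier inconsistencies and concentration risk."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        issues = []
        expected = derive_risk_tier(row)
        if row["risk_tier"] != expected:
            issues.append(f"risk tier {row['risk_tier']} differs from derived {expected}")
        # Single point of failure: a critical service with no alternate supplier.
        if row["criticality"] in HIGH_IMPACT and row["backup_vendor"] != "Yes":
            issues.append("no backup vendor for critical service")
        # Unknown fourth parties mean the supply chain (ID.SC) is not fully mapped.
        if row["risk_tier"] == "High" and row["subcontractors"] == "Unknown":
            issues.append("subcontractor use unknown")
        if row["risk_tier"] == "High" and row["control_assessed"] != "Yes":
            issues.append("no control assessment on record")
        findings[row["name"]] = issues
    return findings


if __name__ == "__main__":
    for vendor, issues in review_register(SAMPLE_CSV).items():
        print(vendor, "->", issues or "no findings")
```

On the sample rows, AWS is flagged as a single point of failure and Okta for unknown subcontractors, while Zendesk has no findings.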

Last updated