More than half of all breaches come through your supplier's door; control discipline closes that door.
Supplier Audit Training covers supplier selection, question list design, on-site audit method, finding classification and continuous monitoring within the framework of third-party risk management (TPRM). ISO 27001 Annex A 5.19-5.23, KVKK data processor, BDDK and EBA outsourcing management requirements are treated in an integrated way. The training goes beyond the classic question list approach and presents a modern audit methodology.
Supplier auditing is not about sending out a list of questions; it is about establishing a control ecosystem.
In many institutions, supplier auditing consists of the supplier filling out and returning an Excel questionnaire sent once a year, with an average of 200 items. This approach can meet the documentation obligation, but it cannot measure actual risk. Whether the answers are correct cannot be known unless someone walks through the supplier's door.
Modern supplier auditing starts with a risk-based approach, tailors the question list to the institution, performs on-site audits at critical suppliers, collects evidence, classifies findings, follows up on closure and monitors the supplier's status continuously throughout the year. This training brings together ISO 27001 Annex A 5.19-5.23, KVKK data processor obligations, BDDK and EBA outsourcing management regulations and an audit methodology that actually works in the field.
This training adds a modern TPRM methodology on top of the classic question list audit.
Many supplier audit trainings are built on the approach of the 2010s: a supplier question list is sent out and the returned forms are archived. This approach documents but does not protect. Modern TPRM, by contrast, builds a holistic control ecosystem.
Classic Supplier Audit Approach: question-list-oriented, documentation-oriented
- The same Excel form with 200 items is sent to each supplier.
- One-time annual review
- Supplier response is accepted, no evidence is required
- Critical and low-risk suppliers receive the same treatment
- On-site inspections are not carried out or are carried out infrequently
- Findings are not tracked to closure
- 4th party risk is ignored
- Result: documented risk, unprotected institution
Modern TPRM Methodology: risk-based, evidence-driven, continuous monitoring
- Different question sets based on supplier classification
- Continuous monitoring throughout the lifecycle
- On-site audit and evidence collection at critical suppliers
- Standard references such as SIG, CAIQ, ISO 27001, SOC 2
- Contractual audit right and time-bound obligations
- Finding closure follow-up and escalation
- 4th party visibility and SBOM discipline
- Result: measurable control, auditable process
Participants learn to evaluate supplier auditing along the combined axes of risk management, legislation and evidence discipline.
The training does not teach a single auditing tool or platform. It conveys the risk-based audit methodology and, through real cases, which approach is right for which institution.
Classifies suppliers according to criticality.
Classifying suppliers by data sensitivity, system access, financial dependency and operational criticality factors, and applying a different depth of control to each class.
- Criticality criteria matrix
- Link with data classification
- Audit depth by class
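The classification matrix described above, worked through as an added example (not the training's own template): four factors rated 1 to 4, a weighted score, a single-factor override so that a supplier with the most sensitive data or privileged access can never average out to "medium", and the class-to-audit-method mapping the FAQ on this page describes (on-site, video conference, question list). The weights, thresholds and supplier records are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Constructed weights (assumption): they sum to 1.0 so the score stays in 0..1.
FACTORS = {
    "data_sensitivity": 0.35,        # 1 public .. 4 special-category personal data
    "system_access": 0.30,           # 1 none .. 4 privileged / production access
    "financial_dependency": 0.15,    # 1 trivial spend .. 4 hard to replace
    "operational_criticality": 0.20, # 1 nice-to-have .. 4 business stops without it
}

# Class -> (audit method, maximum interval in months). Constructed values.
AUDIT_DEPTH = {
    "high": ("on-site audit with evidence collection", 12),
    "medium": ("video-conference audit", 12),
    "low": ("question list", 24),
}


@dataclass
class Supplier:
    name: str
    data_sensitivity: int
    system_access: int
    financial_dependency: int
    operational_criticality: int


def criticality_score(s: Supplier) -> float:
    """Weighted sum of the four factors, each rescaled from 1..4 to 0..1."""
    for factor in FACTORS:
        value = getattr(s, factor)
        if not 1 <= value <= 4:
            raise ValueError(f"{s.name}: {factor}={value} must be in 1..4")
    return sum(w * (getattr(s, f) - 1) / 3 for f, w in FACTORS.items())


def classify(s: Supplier) -> str:
    """Assign a criticality class; any factor at its maximum forces 'high'."""
    if max(getattr(s, f) for f in FACTORS) == 4:
        return "high"
    score = criticality_score(s)
    if score >= 0.6:
        return "high"
    if score >= 0.3:
        return "medium"
    return "low"


def audit_plan(suppliers: Iterable[Supplier]) -> List[Tuple[str, str, str, int]]:
    """Return (name, class, audit method, max interval) for each supplier."""
    return [(s.name, classify(s), *AUDIT_DEPTH[classify(s)]) for s in suppliers]
```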
Creates a list of questions tailored to the supplier.
Designing audit forms made up of supplier-specific questions that elicit real information and cannot be skipped, using SIG, CAIQ, ISO 27001 Annex A, KVKK and sectoral references.
- Using SIG and CAIQ
- Standard reference mapping
- Sectoral adaptation
How to audit in the field, and what to look for.
We work through the discipline of on-site audit preparation, the opening meeting, evidence collection, interview technique, system review, the closing meeting and audit report writing.
- Opening and closing discipline
- Evidence collection protocol
- Interview and observation techniques
It secures the right to audit by contract.
The information security clauses that need to be added to the contract, the right to audit, the KVKK data processor contract, breach notification periods and contract termination obligations are discussed in detail.
- Information security clauses
- KVKK data processor agreement
- Breach notification provisions
Turns annual auditing into continuous monitoring.
Continuous monitoring components such as automated threat intelligence, external security scoring services, breach news tracking, financial health monitoring and the contract cycle are set up.
- External scoring services
- Breach intelligence tracking
- Automatic trigger rules
It turns the finding into action, not a report.
Finding classification criteria, requesting a remediation plan, time-bound escalation, the effect on the contract renewal decision and how findings are used in management reporting are covered.
- Finding prioritization criteria
- Closing tracking cycle
- Management reporting format
The two-day intensive program covers the whole TPRM lifecycle, from inventory to continuous monitoring.
The program can be adapted as a 1-day summary, 2-day implementer or 5-day auditor competency program depending on the institution's supplier maturity and participant profile. The entire flow is supported by practical workshops.
Legislation, methodology and continuous monitoring come together in one program.
Training makes learning permanent through real supplier cases and audit reports.
Participants don't just listen; they classify suppliers, adapt a question list, role-play interviews, collect evidence, write a findings report and create a road map for their own organizations.
Adaptive training for all critical decision-making roles at any stage of the supplier lifecycle.
At the end of the training, the supplier audit maturity of the institution becomes measurable and sustainable.
Participant gains
- Ability to classify the supplier inventory with the right criteria
- Ability to use SIG, CAIQ and special question lists effectively
- Ability to perform on-site inspections and collect evidence
- Obtaining real information through interview technique
- Ability to classify findings and report
- Ability to add information security clauses to contracts
- Ability to establish a continuous monitoring process
Institutional outputs
- Supplier classification matrix template
- Class-specific question list sets
- On-site inspection checklist
- Contract information security clauses library
- KVKK data processor agreement template
- Finding classification and reporting format
- Top management TPRM dashboard KPI list
- 90-day TPRM road map specific to the institution
Everything you want to know about the training at a glance.
Duration, format, number of participants, certificate, content scope and delivered materials are set out here. In institution-specific programs, the parameters are adapted to need.
| Training Name | Supplier Audit Training (TPRM — Third Party Risk Management) |
|---|---|
| Duration | 2 days (14 hours). It can be adapted as a 1-day summary or 5-day auditor competency program depending on the maturity of the institution. |
| Training Format | Face to face (at the institution's location) · Online live (Zoom / Teams) · Hybrid |
| Training Topics | TPRM fundamentals · Supplier life cycle · ISO 27001 Annex A 5.19-5.23 · KVKK data processor obligations · BRSA and EBA outsourcing management · Supplier classification matrix · SIG and CAIQ usage · On-site audit methodology · Interview technique and evidence collection · Contract information security clauses · Finding classification · Continuous monitoring · Upper management reporting. |
| Target Audience | Information security and TPRM officers, internal audit experts, risk managers, purchasing and contract management, legal and KVKK officers, compliance unit, IT and system managers, quality and process management. |
| Prerequisite | Basic knowledge of ISO 27001 and KVKK is recommended; but it is not mandatory. The content is highly adaptable for participants with internal audit experience. |
| Number of Participants | 8 – 20 people for optimum efficiency. In institution-specific programs, groups of up to 25 people can be opened. |
| Certificate | Certificate of Participation. When the training is completed, a signed digital certificate of participation is issued by Secure Fors. It contains a verifiable QR code. |
| Educational Material | Presentation file (PDF) · Workshop workbook · Supplier classification matrix template · Class-specific question list sets · On-site audit checklist · Contract information security clauses library · KVKK data processor contract template · Finding classification and reporting format · Top management TPRM dashboard KPI list · 90-day TPRM roadmap template. |
| Practice | Supplier classification workshop, class-specific question list design, on-site audit interview simulation, document and system evidence review, findings classification and escalation discussion, and 90-day road map design workshops. |
| Instructor | Senior consultant with ISO 27001 Lead Auditor and CEH credentials and TPRM experience. Has conducted supplier audits at Turkey's leading airline, banking and technology companies; focused on methodology that can be applied in the field. |
| Pricing | Institution-specific quote. The price is determined by the number of participants, format (face-to-face / online), program duration and customization need. |
Answers to questions you may have before the training.
Yes. The training explains basic audit techniques in plain language for participants who do not have internal audit experience. Competencies such as question list design, interview technique and evidence collection are taught from scratch. If there are experienced participants, the content is adapted to a higher level.
Yes. KVKK data processor obligations, BDDK and EBA regulations, sectoral compliance requirements and the obligations in customer contracts require supplier auditing independently of ISO 27001. The training teaches how to set up TPRM even without ISO 27001.
These standard questionnaires are useful to get started, but they need to be tailored to the organization's industry, supplier profile and risk appetite. The training teaches this adaptation methodology; sample sets tailored to the institution are supplied.
No. In the risk-based approach, on-site audits are performed only at suppliers in the high-criticality class. For the medium class a video-conference audit, and for the low class a question list, may suffice. The training shows with concrete criteria which method is appropriate for which class.
The SOC 2 report is a powerful reference, but it is not enough on its own. The scope of the report, its validity date, audit type (Type 1 / Type 2) and whether it covers controls related to you should be evaluated separately. The tutorial teaches you how to read third-party reports.
No, these measure the externally visible security posture; they do not measure internal control quality. Continuous monitoring services are used not as a replacement for the annual audit but as a complement to it. The training teaches the correct integration of these services.
Transform supplier auditing from sending a list of questions into a measurable control discipline.
Make your audit maturity sustainable with TPRM training tailored to your organization's sector, supplier profile and risk appetite.
Reference frameworks: ISO/IEC 27001:2022 Annex A 5.19-5.23 Supplier Relationships controls · ISO/IEC 27036 Information Security for Supplier Relationships · NIST SP 800-161 Supply Chain Risk Management · Law No. 6698 (KVKK) and Data Processor Obligations · BDDK Regulation on Information Systems and Electronic Banking · EBA Guidelines on Outsourcing Arrangements · Shared Assessments SIG · Cloud Security Alliance CAIQ.