About the job Third Party Risk Manager
Mission Overview:
Keystone Solutions is seeking an experienced Third-Party Risk Manager (TPRM) to join our consultancy team. In this role, you will be deployed as a Keystone Solutions consultant to our client to set up, manage, oversee, and mitigate information security risks associated with third-party vendors, suppliers, service providers, and contractors, in alignment with the NIS2 Directive. You will ensure that external partners meet the client's security standards and policies, comply with NIS2 obligations, and do not introduce unacceptable risks to business operations. As a Keystone Solutions consultant, you will build and maintain strong relationships with third parties, facilitate risk assessments, and collaborate with internal stakeholders to enhance business resilience against information security threats. We are only looking for candidates who have actually performed in this role as described here.
Key Responsibilities:
As a Keystone Solutions consultant working closely with the client under our consultancy model, you will perform the following responsibilities:
- Third-party supplier security governance: Define and build the governance and processes needed to manage third-party supplier information security risks. Evaluate and classify third parties based on their criticality and the risk they pose to essential or important services. Assist the CISO and Procurement in developing and maintaining security policies and procedures for supplier security.
- NIS2 Compliance: Ensure all third-party relationships adhere to the cybersecurity requirements set out in the NIS2 Directive, including risk management, incident reporting, and supply chain security.
- Third-Party Risk Assessment & Management:
- Conduct thorough security due diligence and risk assessments of existing and prospective third-party vendors, focusing on their ability to meet NIS2 standards.
- Maintain an up-to-date risk register and risk treatment plans covering third parties and their current risk status, as required by NIS2.
- Establish risk scoring methodologies and criteria for vendor categorisation.
- Establish and monitor security performance metrics for key vendors.
- Manage the complete third-party risk lifecycle from onboarding to contract termination.
- Contract and Procurement support:
- Collaborate with Procurement and CISO to ensure contracts with third parties include robust cybersecurity clauses, clear incident notification requirements, and audit rights as mandated by NIS2.
- Review and approve cybersecurity clauses in third-party agreements.
- Ensure data protection and privacy requirements are incorporated into vendor contracts.
- Support contract negotiations on security terms and risk allocation.
- Manage security-related service level agreements and penalties.
- Supply Chain Security: Develop and maintain processes to identify, monitor, and mitigate risks to supply chain cyber resilience, ensuring that vendors implement appropriate technical and organisational measures. This includes continuous monitoring of vendor dependencies.
- Monitoring & Reporting: Oversee the continuous monitoring of third-party compliance, including KPIs, SLAs, regular reviews, audits, and follow-up on remediation actions:
- Develop and maintain third-party risk dashboards and reporting mechanisms.
- Prepare regular reports for Management, Risk Office and Procurement on third-party risk posture, compliance status, and remediation progress, highlighting any NIS2-related issues.
- Track and report on risk mitigation activities and their effectiveness.
- Incident Management and Notification: Coordinate with third parties to ensure timely reporting and effective management of security incidents or breach notifications, in line with NIS2 incident notification timelines.
- Stakeholder Engagement: Liaise with internal teams (ICT, Risk, Procurement) and external partners to promote a shared understanding of NIS2 requirements and best practices in third-party risk management. Facilitate regular security review meetings with critical suppliers.
- Awareness & Training: Oversee the development and delivery of training and awareness programs for third parties on NIS2 obligations and supply chain security, as well as awareness around the client's relevant information security policies.
Qualifications and Experience:
- Bachelor's or Master's degree in Information Security, Risk Management, Law, or a related field.
- At least 4 years of experience in third-party risk management, cybersecurity, or compliance, preferably in a regulated or governmental environment.
- Familiarity with the NIS2 Directive and its requirements for essential entities.
- Familiarity with ISO/IEC 27001 standard clauses regarding supplier relationship security is strongly desired.
- Experience with supply chain security in general, vendor assessments, and contract negotiations.
- Good knowledge of other information security standards is also an advantage (e.g., NIST, CIS Controls, CCB CyberFundamentals).
- Relevant certifications (e.g., CISM, CISSP, CRISC, ISO 27001 Lead Implementer) or Third-Party Risk Management certifications are advantageous.
- Experience with public tenders is a strong advantage.
- Familiarity with critical infrastructure protection or the EU Cyber Resilience Act is nice to have.
- Experience with GRC platforms is an asset, in particular ServiceNow.
- Excellent communication, negotiation, and stakeholder management skills.
Key Competencies:
- Deep understanding of regulatory compliance, especially NIS2.
- Strong analytical and risk assessment skills.
- Experience in conducting and maintaining supplier risk assessments.
- Ability to translate information security requirements into contractual clauses.
- Ability to influence and collaborate with internal and external stakeholders.
- Proactive, detail-oriented, and committed to continuous improvement.
Role Profile and Additional Requirements:
- Skills:
- Cyber Security
- Information Security Management
- ISO27001
- Public Procurement Expertise
- Public Sector Experience
- Risk Management
- Languages:
- Dutch or French: Active knowledge
- English: Nice to have
Consultancy Nature of Work:
This is a consultancy mission delivered by Keystone Solutions. You will operate as a Keystone Solutions consultant, embedded with the client's stakeholders (CISO, Procurement, Risk Office, ICT, and business owners), performing the responsibilities above on site and/or in hybrid mode, aligning with the client's policies while leveraging Keystone Solutions methodologies and peer support.
Dynamic Projects:
As a Keystone Solutions consultant, you will have the opportunity to tackle diverse third-party and supply chain security challenges across multiple client environments, from essential entities to public sector organizations, each at different stages of NIS2 readiness and GRC maturity.
Turbo-Charged Learning and Development:
Keystone Solutions accelerates your growth through expert communities, mentoring by senior consultants, and support for professional certifications (such as CISM, CISSP, CRISC, ISO 27001 Lead Implementer, and TPRM credentials). You will gain hands-on exposure to frameworks like ISO/IEC 27001, NIST, CIS Controls, and platforms including ServiceNow.
Ambition Skyrocketing within a Consultancy Framework:
We provide a clear path to advance your consulting career—leading client engagements, shaping supplier security governance, and driving NIS2 compliance roadmaps—while broadening your impact across sectors and complex supply chains.
Keystone Solutions Values in a Consultancy Context:
Being a K-Stone means living our values—integrity, excellence, curiosity, client partnership, and accountability—on every mission. You will bring these values into each client interaction, ensuring pragmatic, high-quality, and outcome-focused delivery.
Role-Specific Consultancy Impact:
- Apply your third-party risk expertise to design and operationalize supplier governance frameworks tailored to client risk profiles and NIS2 obligations.
- Drive measurable improvements in vendor assurance through risk scoring, KPIs/SLAs, and remediation tracking.
- Enhance contractual protections by translating security and privacy requirements into enforceable clauses and SLAs.
- Build resilience in client supply chains through continuous monitoring, incident readiness, and stakeholder alignment.
How to Apply:
If you are ready to tackle technical and strategic challenges in a dynamic consultancy environment, apply today at Keystone Solutions Career Portal.