TPRM — Third-Party Risk Management Tool


Electron-based Third-Party Risk Management (TPRM) tool that automates vendor/supplier security assessments and generates professional DOCX risk reports.

TPRM is a lightweight desktop application designed for cybersecurity, GRC, and information security professionals who need to assess the security posture of third-party vendors quickly and consistently. It streamlines the questionnaire → scoring → reporting workflow that is typically manual, time-consuming, and error-prone.



Overview

Third-Party Risk Management is a critical component of any modern security program. Standards such as ISO/IEC 27001, ISO/IEC 27036 and NIST SP 800-161, and regulations such as NIS2 and DORA, expect organizations to assess and monitor the security of their suppliers, service providers, and business partners on a continuous basis rather than only at onboarding.

This tool helps security teams:

  • Run structured vendor security questionnaires
  • Calculate risk scores based on weighted responses
  • Produce consistent, audit-ready DOCX reports
  • Reduce manual effort in the vendor onboarding and review cycle

Key Features

  • Desktop-first (Electron): Works offline. No vendor data leaves your machine.
  • Structured Questionnaire Engine: Configurable sections and questions mapped to common controls.
  • Risk Scoring: Automatic computation of overall and per-domain risk levels.
  • Automated DOCX Reporting: One-click generation of professional Word reports ready for stakeholders.
  • Vendor-neutral Framework: Adaptable to any industry (finance, healthcare, manufacturing, SaaS).
  • Portable: Single packaged artifact, no backend dependency.
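The weighted scoring step in the questionnaire → scoring → reporting workflow can be illustrated with a small model. The following is an added example written for this page, not code from the tprm project; the answer scale (yes / partial / no / na), the 1–3 control weights, the sample questions and the 25/50/75 risk bands are all assumptions. It shows the detail that most often goes wrong in home-grown scoring: answers marked not applicable must be dropped from both the numerator and the denominator, so a domain with no applicable controls reports "Not assessed" instead of a false 0 % or 100 % risk.

```javascript
// Added example for this page (not the tprm project's own code): weighted
// questionnaire scoring with per-domain and overall risk levels. The answer
// scale, control weights, sample questions and risk bands are assumptions.

// Risk contributed by an answer, as a fraction of the question's weight.
// "na" (not applicable) is handled separately: it is excluded from both the
// numerator and the denominator so it neither inflates nor masks risk.
const ANSWER_RISK = { yes: 0, partial: 0.5, no: 1 };

// Constructed sample questionnaire. weight: 1 = minor control, 3 = critical control.
const SAMPLE_ANSWERS = [
  { id: 'IAM-1', domain: 'Identity & Access',   weight: 3, text: 'MFA enforced for all administrative access?',      answer: 'yes' },
  { id: 'IAM-2', domain: 'Identity & Access',   weight: 2, text: 'Quarterly access reviews performed?',              answer: 'partial' },
  { id: 'ENC-1', domain: 'Encryption',          weight: 3, text: 'Customer data encrypted at rest?',                 answer: 'no' },
  { id: 'ENC-2', domain: 'Encryption',          weight: 2, text: 'TLS 1.2 or higher enforced in transit?',           answer: 'yes' },
  { id: 'IR-1',  domain: 'Incident Response',   weight: 3, text: 'Documented IR plan, tested at least annually?',    answer: 'no' },
  { id: 'IR-2',  domain: 'Incident Response',   weight: 1, text: 'Contractual breach notification within 72 hours?', answer: 'na' },
  { id: 'BCP-1', domain: 'Business Continuity', weight: 2, text: 'DR plan with tested RTO/RPO?',                     answer: 'na' },
];

// Map a 0..100 risk score to a level; null means no applicable question was answered.
function riskBand(score) {
  if (score === null) return 'Not assessed';
  if (score < 25) return 'Low';
  if (score < 50) return 'Medium';
  if (score < 75) return 'High';
  return 'Critical';
}

// Weighted risk in 0..100 (one decimal place) over a list of questions.
// Returns null when every question is "na", instead of a misleading 0 or 100.
function weightedRisk(questions) {
  let riskSum = 0;
  let weightSum = 0;
  for (const q of questions) {
    if (!Number.isInteger(q.weight) || q.weight < 1) {
      throw new Error(`Question ${q.id}: weight must be a positive integer`);
    }
    if (q.answer === 'na') continue;
    if (!Object.prototype.hasOwnProperty.call(ANSWER_RISK, q.answer)) {
      throw new Error(`Question ${q.id}: unknown answer "${q.answer}"`);
    }
    riskSum += q.weight * ANSWER_RISK[q.answer];
    weightSum += q.weight;
  }
  if (weightSum === 0) return null;
  return Math.round((riskSum / weightSum) * 1000) / 10;
}

// Group questions by domain and score each domain plus the whole assessment.
// The overall score is weighted by control weight across all answered questions,
// so a domain with many heavy controls counts for more than a small one.
function scoreAssessment(questions) {
  const byDomain = new Map();
  for (const q of questions) {
    if (!byDomain.has(q.domain)) byDomain.set(q.domain, []);
    byDomain.get(q.domain).push(q);
  }
  const domains = {};
  for (const [name, qs] of byDomain) {
    const score = weightedRisk(qs);
    domains[name] = {
      score,
      level: riskBand(score),
      answered: qs.filter((q) => q.answer !== 'na').length,
      total: qs.length,
    };
  }
  const overall = weightedRisk(questions);
  return { overall, level: riskBand(overall), domains };
}

console.log(JSON.stringify(scoreAssessment(SAMPLE_ANSWERS), null, 2));
```

On the constructed sample this yields Identity & Access 20.0 (Low), Encryption 60.0 (High), Incident Response 100.0 (Critical, with 1 of 2 questions applicable), Business Continuity "Not assessed", and an overall 53.8 (High). Note that the overall figure is not the mean of the domain scores: it is weighted by control weight, so the heavy unanswered-"no" controls in Encryption and Incident Response pull it up more than the averaged domain scores would suggest.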

Use Cases

  • Vendor onboarding security reviews
  • Annual/periodic supplier reassessments
  • Due diligence during M&A activities
  • ISO/IEC 27001 supplier-relationship evidence collection (Annex A.15 in the 2013 edition, A.5.19–A.5.23 in the 2022 edition)
  • NIS2 and DORA supplier oversight requirements

Tech Stack

  • Electron — Cross-platform desktop runtime
  • HTML / CSS / JavaScript — UI and business logic
  • Node.js — Report generation pipeline (build_docx_rapor.js)
  • docx — DOCX file generation library

Project Structure

tprm/
├── tprm-pro-v3.html            # Main application UI (questionnaire + scoring)
├── build_docx_rapor.js         # DOCX report generation script
├── LICENSE                     # MIT License
├── CHANGELOG.md                # Version history
├── CONTRIBUTING.md             # Contribution guidelines
└── README.md                   # This file

Packaged builds are distributed via the Releases page, not committed to the repository.


Installation

Option 1 — Download a packaged build (recommended)

  1. Go to the Releases page.
  2. Download the latest securefors-tprm-electron archive for your OS.
  3. Extract and run the executable.

Option 2 — Run from source

  # Clone the repository
  git clone https://github.com/ersinnerol/tprm.git
  cd tprm

  # Install dependencies
  npm install

  # Launch the Electron app
  npm start

Usage

  1. Open the application.
  2. Select or create a vendor profile.
  3. Complete the security questionnaire (identity, access management, encryption, incident response, business continuity, etc.).
  4. Review the computed risk score and domain breakdown.
  5. Click Generate Report to export a professional DOCX assessment.

A sample report is available in the Releases assets.


Framework Alignment

Questionnaire items and scoring logic are inspired by widely adopted industry standards:

Framework                 | Relevant Area
--------------------------|-----------------------------------------------------
ISO/IEC 27001:2022        | Annex A.5.19 – A.5.23 (Supplier relationships)
ISO/IEC 27036             | Information security for supplier relationships
NIST SP 800-161r1         | Cybersecurity Supply Chain Risk Management
NIST CSF 2.0              | GV.SC (Cybersecurity Supply Chain Risk Management)
SIG (Shared Assessments)  | Standardized Information Gathering questionnaire
CAIQ (CSA)                | Consensus Assessments Initiative Questionnaire
NIS2 / DORA               | Supplier and ICT third-party risk oversight

This tool is an aid for professionals and does not replace formal certification or legal advice.


Roadmap

  • [ ] Multi-vendor workspace with SQLite persistence
  • [ ] Import/export of SIG and CAIQ questionnaires
  • [ ] PDF report output in addition to DOCX
  • [ ] Customizable scoring models and weighting
  • [ ] Multi-language UI (EN / TR)
  • [ ] Dashboard with portfolio-level risk view


Security & Privacy

  • The application runs fully locally. Vendor data is not transmitted to any external service.
  • No telemetry is collected.
  • Users are responsible for classifying and storing generated reports according to their organization's data handling policy.

If you discover a security vulnerability, please open a private advisory via GitHub Security Advisories instead of a public issue.


Contributing

Contributions, ideas, and bug reports are welcome. See CONTRIBUTING.md for guidelines.


License

This project is licensed under the MIT License — see the LICENSE file for details.


Author

Ersin Erol
Cybersecurity & GRC Practitioner

  • GitHub: @ersinnerol

If you find this project useful, consider giving it a star — it helps other professionals discover it.
