CIS Third-Party Risk Mgmt - ServiceNow Practice Test 2026
TPRM is still new, which makes good practice material hard to find. This bank covers vendor assessments, engagements, portal workflows, issues, and risk handling. It already gives you 100+ questions and will keep growing as the cert matures.
What's included
- 100+ questions on vendor assessments, engagements, portal work, and risk review
- Each answer includes a doc link you can verify yourself
- Wrong answers get explained too, not just the correct one
- Updated for Zurich and the February 2026 blueprint changes
- Lifetime access with free updates and no 30-day cutoff
- Every course comes from an exam the author passed before publishing
- 30-day money-back guarantee through Udemy
15 Free Preview Questions
- A. Policies
- B. Policy Exceptions
- C. Configuration baseline
- D. Citations
Correct Answer
B - Policy Exceptions
Source
ServiceNow Zurich Documentation
Expert Explanation
Installing the GRC: Policy and Compliance Management application extends the Third-party Risk Issue record with a Policy Exceptions related list. This integration allows organizations to track situations where a vendor issue triggers a formal exception to an internal policy. The linkage ensures that risk and compliance teams share visibility into how vendor shortcomings affect policy adherence.
Why the Others Are Wrong
Policies (A) exist in GRC but are not added as a related list to vendor risk issues. Configuration baselines (C) belong to CMDB security hardening, not GRC risk records. Citations (D) relate to audit evidence tracking and do not surface on the Third-party Risk Issue form.
Memory Tip
Think of it this way: a vendor issue can break your policy, so you need a Policy Exception right there on the issue record to document the deviation.
Real-World Example
A cloud hosting vendor fails to encrypt data at rest, violating your organization's data protection policy. The risk analyst opens the Third-party Risk Issue, then creates a Policy Exception directly from the related list to formally document the temporary deviation while the vendor remediates.
- A. Update and respond to issues and tasks.
- B. View other third party's assessment responses.
- C. Modify issue remediation workflow.
- D. View other third party's issues and tasks.
Correct Answer
A - Update and respond to issues and tasks
Source
ServiceNow Zurich Documentation
Expert Explanation
The Third-party Portal gives vendors direct access to update and respond to issues and tasks that are assigned to them. This is the primary interaction point for external parties. The portal is designed with strict data segregation so vendors can only see and act on their own records.
Why the Others Are Wrong
Viewing other third party's assessment responses (B) is blocked by data isolation controls. Modifying the issue remediation workflow (C) is an administrative function reserved for internal GRC teams. Viewing other third party's issues and tasks (D) would violate multi-tenant data separation principles.
Memory Tip
Vendors can only touch what is theirs: their own issues, their own tasks, their own responses. Think "my stuff only" from the vendor's perspective.
Real-World Example
Your organization sends a data security questionnaire to a software vendor. The vendor logs into the Third-party Portal, answers each question, uploads supporting documentation, and responds to any flagged issues. They never see what other vendors submitted.
- A. Questionnaire templates
- B. Category metrics
- C. Third-party questions
- D. Assessment metrics
Correct Answer
D - Assessment metrics
Source
ServiceNow Zurich Documentation
Expert Explanation
To link a Third-party assessment question to a Control Objective, you use the Assessment Metrics related list on the Control Objective record. Each assessment metric maps a specific question to the control it evaluates, enabling the platform to calculate compliance scores based on vendor responses. This mapping is essential for understanding which controls are tested by which questions.
Why the Others Are Wrong
Questionnaire templates (A) define overall assessment structure, not per-question control mappings. Category metrics (B) organize metrics by category for scoring but are not the mechanism for linking questions to control objectives. Third-party questions (C) is not the specific related list used on the Control Objective form for this purpose.
Memory Tip
Assessment Metrics live on the Control Objective and act as the bridge between "what question did we ask?" and "what control does it test?"
Real-World Example
Your compliance team creates a Control Objective for "Data Encryption at Rest." They open that record and use the Assessment Metrics related list to link it to three vendor questionnaire questions about encryption key management, algorithm strength, and data storage practices.
- A. Flag questions for follow up.
- B. Review comments and evaluates the risk.
- C. Create issues within the assessment.
- D. Perform a tiering assessment.
Correct Answer
B - Review comments and evaluates the risk
Source
ServiceNow Zurich Documentation
Expert Explanation
The final step before closing a Third-party Risk Assessment is for the Risk Assessor to review all comments and evaluate the overall risk. This ensures that every piece of evidence, vendor response, and flagged concern has been considered before the assessment moves to a closed state. It is the last quality check in the assessment lifecycle.
Why the Others Are Wrong
Flagging questions for follow up (A) is an intermediate activity during review, not the closing step. Creating issues (C) happens when deficiencies are found and feeds into remediation tracking. Performing a tiering assessment (D) occurs at the start of the vendor relationship to determine risk classification.
Memory Tip
Before you close the book, you read the final chapter. The Risk Assessor reviews everything and makes the risk call as the last act before closing.
Real-World Example
After a vendor completes their SOC 2 questionnaire, the Risk Assessor opens the assessment, reviews all vendor comments and uploaded evidence, evaluates whether the residual risk is acceptable, and then closes the assessment with a final risk rating.
- A. A process to evaluate a third party's risk based on their responses to a questionnaire.
- B. A process to evaluate a third party's risk based on their performance.
- C. A process to evaluate a third party's risk based on the criticality of the services they provide.
- D. A process to evaluate a third party's risk based on their financial stability.
Correct Answer
C - A process to evaluate a third party's risk based on the criticality of the services they provide
Source
ServiceNow Zurich Documentation
Expert Explanation
Third-party Tiering is the process of classifying vendors based on how critical their services are to the organization. A vendor providing mission-critical infrastructure gets a higher tier than one providing office supplies. The tier level then drives the rigor, scope, and frequency of risk assessments applied to that vendor.
Why the Others Are Wrong
Questionnaire-based evaluation (A) describes the risk assessment process that follows tiering. Performance-based evaluation (B) relates to vendor performance management, a separate capability. Financial stability evaluation (D) may be a component of due diligence but does not define tiering.
Memory Tip
Tiering = how critical is this vendor to our business? A payroll processor is tier 1, an office snack vendor is tier 3. Criticality drives the tier.
Real-World Example
A hospital classifies its electronic health records vendor as Tier 1 because a failure would halt patient care. Their landscaping company gets Tier 3. The EHR vendor faces annual comprehensive assessments while the landscaper gets a lightweight review every two years.
- A. Upload a replacement image via Third-party Risk Management > Administration > Portal Settings.
- B. Clone the SVDP Greeting widget and modify the Body HTML Template field of the cloned widget.
- C. Upload the replacement image in the Service Portal Branding Editor under the background image settings.
- D. Modify the sys_portal_page record for the vendor portal welcome page to reference the new image URL.
Correct Answer
B - Clone the SVDP Greeting widget and modify the Body HTML Template field of the cloned widget
Source
ServiceNow Zurich Documentation
Expert Explanation
Customizing the greeting image on the Third-party Risk Portal requires cloning the SVDP Greeting widget and editing the Body HTML Template field in the cloned version. Cloning protects the original widget from being overwritten during platform upgrades. The Body HTML Template field contains the markup that references the greeting image.
Why the Others Are Wrong
There is no Portal Settings path (A) for this purpose in the TPRM administration module. The Service Portal Branding Editor (C) handles general branding, not the specific greeting widget. Editing sys_portal_page records (D) is not the correct mechanism since the image is rendered by the widget, not the page record.
Memory Tip
Clone before you customize. The SVDP Greeting widget owns the welcome image, and you never touch the original, only a clone.
Real-World Example
An administrator wants to replace the generic greeting image with the company logo and a welcome message. They navigate to the Service Portal widgets, clone the SVDP Greeting widget, update the Body HTML Template with the new image URL and custom HTML, then map the cloned widget to the portal page.
- A. The control status changes to Accepted and is excluded from future risk calculations until the exception expires.
- B. The control status remains non-compliant until the control is re-assessed after the exception is closed.
- C. The control status automatically changes to Compliant when the exception is approved by the Compliance Manager.
- D. The control status is set to Waived and the associated assessment score is recalculated excluding that control.
Correct Answer
B - The control status remains non-compliant until the control is re-assessed after the exception is closed
Source
ServiceNow Zurich Documentation
Expert Explanation
When a vendor risk issue owner accepts an issue during the Respond state, it signals acknowledgment of a known control failure without immediate remediation. The control remains non-compliant because the underlying deficiency still exists. Only after the exception period ends and the control is re-assessed with a passing result will the compliance status change.
Why the Others Are Wrong
An "Accepted" control status (A) does not exist in the TPRM data model. Automatic compliance restoration upon exception approval (C) would undermine the purpose of tracking deficiencies. A "Waived" status with score recalculation (D) is not part of the standard issue acceptance workflow.
Memory Tip
Accepting an issue is like accepting you have a broken window. You know about it, you documented it, but the window is still broken until someone fixes it and you verify the repair.
Real-World Example
A vendor's firewall configuration fails a security control during assessment. The issue owner accepts the risk with a 90-day exception while the vendor works on remediation. Throughout those 90 days, the control shows as non-compliant. After the vendor fixes the configuration and a re-assessment confirms compliance, the status updates.
- A. The Third-party Portal consolidates all communications and artifacts to a single system of truth.
- B. Third-party Portal allows the Third-party Risk Assessor team to reassign parts of an Inherent Risk Assessment.
- C. The Third-party Portal matches a database of documents to document requests.
- D. The Third-party Portal reduces risk for an organization by enabling secure communications with the third-party.
- E. The Third-party Portal can be leveraged by the third party to work with other partners.
Correct Answer
A and D - Consolidates communications/artifacts to a single system of truth, and enables secure communications with the third party
Source
ServiceNow Zurich Documentation
Expert Explanation
The Third-party Portal provides two key benefits: it creates a single system of truth for all vendor communications and artifacts, and it enables secure communications between the organization and its third parties. Centralizing everything in one platform eliminates version confusion and email-based risks while ensuring all exchanges are protected by enterprise-grade security.
Why the Others Are Wrong
Reassigning parts of an Inherent Risk Assessment (B) is an internal workflow function, not a portal benefit. Automatic document matching (C) is not a feature of the portal. Vendor-to-partner collaboration (E) is outside the portal's designed scope, which focuses on the org-to-vendor relationship.
Memory Tip
The portal does two things well: one place for everything (single source of truth) and safe communication (secure channel). Think "centralize and secure."
Real-World Example
Before implementing the portal, your team exchanged vendor questionnaires via email, losing track of versions and exposing sensitive data. After deployment, all questionnaires, evidence uploads, and issue discussions happen inside the portal with full audit trails and encryption.
- A. A third party must have one designated internal third-party manager.
- B. A third party can designate more than one contact as the primary, but must have a minimum of one primary contact.
- C. A third party can only designate one contact as the primary contact, but may have multiple non-primary contacts.
- D. A third party can only designate one contact as the primary and must have a minimum of one non-primary contact.
Correct Answer
B - A third party can designate more than one contact as the primary, but must have a minimum of one primary contact
Source
ServiceNow Zurich Documentation
Expert Explanation
ServiceNow TPRM allows multiple contacts to be designated as primary for a third party, with the requirement that at least one primary contact must exist. This flexibility supports scenarios where a vendor has multiple departments or regional offices that each need a primary point of contact for risk management communications.
Why the Others Are Wrong
One designated internal manager (A) describes an internal role, not the vendor contact designation. Only one primary contact allowed (C) is too restrictive since the platform supports multiple primary contacts. Requiring a minimum of one non-primary contact (D) adds a constraint that does not exist in the platform.
Memory Tip
At least one primary is mandatory, but you can have as many primaries as you need. Think of a vendor with offices in New York and London, each needing their own primary contact.
Real-World Example
A global IT services vendor has separate teams handling security compliance in North America and Europe. Your organization designates both the NA security lead and the EU compliance officer as primary contacts so each receives assessment notifications for their region.
- A. Percentage
- B. Image Scale
- C. Choice
- D. Multiple Selection
- E. Yes/No
Correct Answer
A and B - Percentage and Image Scale
Source
ServiceNow Zurich Documentation
Expert Explanation
The Smart Assessment Engine (SAE) does not support Percentage and Image Scale metric data types. When migrating from legacy assessment frameworks to SAE, these two types must be converted to compatible formats such as Choice or Numeric. SAE supports Choice, Multiple Selection, Yes/No, and other standard types natively.
Why the Others Are Wrong
Choice (C) is fully supported in SAE for single-selection questions. Multiple Selection (D) works in SAE for questions requiring more than one answer. Yes/No (E) is a basic binary type that SAE handles without issues.
Memory Tip
SAE does not like pictures or percentages. If you cannot pick it from a list or answer yes/no, SAE probably does not support it. Remember "no pictures, no percentages."
Real-World Example
During migration to SAE, your team discovers that 12 legacy vendor assessment questions use Image Scale (drag a slider on a visual scale) and 8 use Percentage (enter a value like 95%). All 20 must be redesigned as Choice or Multiple Selection questions before SAE can process them.
- A. Analyze
- B. Finalize with Third-party
- C. New
- D. Submitted to Third-party
Correct Answer
B and D - Finalize with Third-party and Submitted to Third-party
Source
ServiceNow Zurich Documentation
Expert Explanation
When a Third-party Risk Issue is flagged for internal use only, the states that involve external vendor interaction can be skipped. "Submitted to Third-party" and "Finalize with Third-party" both exist to facilitate communication with the vendor. Since an internal-only issue does not require vendor involvement, these two states are bypassed in the workflow.
Why the Others Are Wrong
Analyze (A) is an internal evaluation step that applies to all issues regardless of whether a vendor is involved. New (C) is the mandatory initial state for every issue and cannot be bypassed.
Memory Tip
If a state name contains "Third-party" and the issue is internal only, that state gets skipped. No third party involved means no third-party states needed.
Real-World Example
An internal audit discovers a gap in your vendor risk assessment process itself, not caused by any specific vendor. The issue is created as internal-only. It goes from New to Analyze to Respond to Closed, skipping both "Submitted to Third-party" and "Finalize with Third-party" since no vendor action is needed.
- A. By assigning the TPR Assessor role to the DDR instead of the Contract Negotiator role.
- B. By enabling the system property sn_vdr_risk_asmt.skip_contract_risk on the Properties page.
- C. By checking the Skip Contract Risk Process checkbox on the DDR form.
- D. By setting the DDR Priority to 5-Planning, which triggers an automatic bypass of the contract stage.
Correct Answer
C - By checking the Skip Contract Risk Process checkbox on the DDR form
Source
ServiceNow Zurich Documentation
Expert Explanation
The Due Diligence Request (DDR) form includes a Skip Contract Risk Process checkbox that, when selected, bypasses the Contract Risk state entirely. This is useful when a vendor engagement does not involve contract negotiations or when the contract review has been handled outside the platform. It is a simple, intentional administrative control built into the DDR form.
Why the Others Are Wrong
Role assignment (A) does not control state transitions in the DDR workflow. The system property referenced in option B does not exist. Priority settings (D) affect task scheduling and urgency, not the inclusion or exclusion of workflow states.
Memory Tip
Skip Contract Risk? Just check the box. It is literally a checkbox on the DDR form called "Skip Contract Risk Process."
Real-World Example
Your organization renews a contract with an existing long-term vendor where the legal team already reviewed the contract outside of ServiceNow. The DDR creator checks "Skip Contract Risk Process" on the form so the DDR moves directly past the Contract Risk state to the next assessment phase.
- A. compliance_reader
- B. risk_reader
- C. sn_risk.manager
- D. task_editor
- E. sn_compliance.admin
Correct Answer
A and B - compliance_reader and risk_reader
Source
ServiceNow Zurich Documentation
Expert Explanation
The Third-Party Assessment Reviewer role contains two GRC reader roles: compliance_reader and risk_reader. These roles follow the principle of least privilege by granting read-only access to compliance and risk data. Reviewers need to see compliance and risk context to properly evaluate vendor assessments, but they do not need to modify that data.
Why the Others Are Wrong
sn_risk.manager (C) provides write-level risk management access, which exceeds what reviewers need. task_editor (D) grants general task modification privileges unrelated to assessment review. sn_compliance.admin (E) provides full compliance administration access, far beyond the read-only needs of a reviewer.
Memory Tip
Reviewers read, they do not write. So they get reader roles: compliance_reader and risk_reader. If the role name says "manager" or "admin," it is too much for a reviewer.
Real-World Example
A senior risk analyst is assigned the Third-Party Assessment Reviewer role to evaluate a vendor's security assessment. With compliance_reader, she can see which policies apply. With risk_reader, she can view the risk register entries. She cannot modify any compliance or risk records, only review them.
- A. Cloud Security Alliance (CSA)
- B. SIG Lite
- C. ISO 27001
- D. NIST 800-53
- E. VSA
Correct Answer
A, B, and E - Cloud Security Alliance (CSA), SIG Lite, and VSA
Source
ServiceNow Zurich Documentation
Expert Explanation
ServiceNow TPRM ships with three out-of-the-box assessment types: Cloud Security Alliance (CSA), SIG Lite, and VSA (Vendor Security Alliance). These provide ready-to-use questionnaire frameworks that organizations can deploy immediately for vendor risk evaluations without building custom assessments from scratch.
Why the Others Are Wrong
ISO 27001 (C) is a well-known standard but must be configured as a custom assessment in TPRM. NIST 800-53 (D) is a comprehensive controls catalog but is not included as a pre-built assessment type. Both can be implemented through custom configuration.
Memory Tip
The three out-of-box types spell out CSV if you take their first letters: CSA, SIG Lite, VSA. Think "CSV file" for the three built-in vendor assessments.
Real-World Example
A new TPRM administrator needs to launch vendor assessments quickly. She selects the SIG Lite assessment type for initial screenings of low-risk vendors, the CSA questionnaire for cloud service providers, and the VSA for software vendors, all without any custom development.
- A. An implication that the known control failure is unimportant.
- B. An intention to create an exception for a known control failure or risk.
- C. Attempted remediation failed.
- D. Special third parties get an exception.
Correct Answer
B - An intention to create an exception for a known control failure or risk
Source
ServiceNow Zurich Documentation
Expert Explanation
Accepting an issue in TPRM signifies a formal intention to create an exception for a known control failure or risk. It is a conscious risk management decision where the organization documents that it understands the deficiency and chooses to tolerate the risk under defined conditions. This is distinct from ignoring the problem or failing to remediate it.
Why the Others Are Wrong
Calling the failure unimportant (A) mischaracterizes acceptance. The risk is acknowledged as real, just tolerated. Failed remediation (C) is a different scenario that typically triggers escalation, not acceptance. Special vendor treatment (D) implies favoritism, but acceptance is a risk-based decision applied consistently regardless of vendor identity.
Memory Tip
Accept = Exception. When you accept an issue, you are saying "I know this is broken, I accept the risk, and I want a formal exception to document that decision."
Real-World Example
A payment processing vendor cannot implement multi-factor authentication on a legacy system within the required timeframe. The risk committee reviews the situation and accepts the issue, creating a formal exception valid for six months while the vendor migrates to a newer platform. The exception is documented with compensating controls in place.