100+ Free ServiceNow CIS-TPRM Practice Questions

Pass your ServiceNow Certified Implementation Specialist - Third-Party Risk Management exam on the first try — instant access, no signup required.

✓ No registration ✓ No credit card ✓ No hidden fees ✓ Start practicing immediately
  • Pass Rate: Not published
  • 100+ Questions
  • 100% Free
2026 Statistics

Key Facts: ServiceNow CIS-TPRM Exam

  • Exam Questions: 60 (ServiceNow blueprint)
  • Exam Duration: 90 min (ServiceNow blueprint)
  • Current Exam Fee: $300 (ServiceNow mainline pricing)
  • Risk Domains: 8 (TPRM data model)
  • Lifecycle Stages: 3 (Onboarding / Active / Offboarding)
  • Standard Questionnaire: SIG (Shared Assessments)

ServiceNow Third-Party Risk Management (TPRM) extends the original Vendor Risk Management capability to cover any third-party relationship, including agents, brokers, intermediaries, joint-venture partners, and intra-group entities, not just contracted suppliers. The CIS-TPRM mainline exam uses 60 questions in 90 minutes for $300 USD, with ServiceNow comparing your result against an undisclosed cut score. Implementation work focuses on the third-party lifecycle (Onboarding, Active Management, Offboarding/Retirement), tier-driven assessments using SIG, continuous monitoring through BitSight/SecurityScorecard/RiskRecon, sub-tier visibility, contract and SLA integration, concentration and geographic risk reporting, and alignment with FFIEC, OCC Bulletin 2013-29, the 2023 U.S. Interagency Guidance, and the EBA Guidelines on Outsourcing Arrangements.

Sample ServiceNow CIS-TPRM Practice Questions

Try these sample questions to test your ServiceNow CIS-TPRM exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1. A bank wants to manage risk across all third parties, including non-vendors such as agents, brokers, and joint-venture partners. Which ServiceNow application is purpose-built for this broader scope?
A. Vendor Risk Management (VRM)
B. Third-Party Risk Management (TPRM)
C. Configuration Compliance
D. Service Catalog
Explanation: Third-Party Risk Management extends the original Vendor Risk Management capability to cover any third-party relationship, including agents, brokers, distributors, joint-venture partners, and intra-group entities. VRM was originally focused on contracted suppliers; TPRM uses a broader Third-party record that does not require a procurement engagement.
2. Which sequence correctly represents the ServiceNow Third-Party Lifecycle?
A. Tiering, Assessment, Contract, Renewal
B. Onboarding, Active Management, Offboarding/Retirement
C. Discovery, Triage, Containment, Recovery
D. Identify, Protect, Detect, Respond, Recover
Explanation: ServiceNow documents the third-party lifecycle as Onboarding (intake, due diligence, profiling, tiering), Active Management (continuous monitoring, periodic and event-driven assessments, issue tracking), and Offboarding/Retirement (data return, access revocation, contract termination). Tiering and assessments are activities that happen inside this lifecycle.
3. An implementer is asked to capture a single legal entity that may participate in many engagements over time. Which TPRM record should they use?
A. Engagement
B. Third-party (Vendor) record
C. Assessment instance
D. Issue
Explanation: The Third-party record (also called the Vendor record in legacy VRM) represents the legal entity. Engagements represent specific scopes of work or services with that entity. One Third-party can have many Engagements, each potentially with its own tier, assessments, and contracts.
4. A risk team must group third parties by criticality so that higher-risk relationships receive deeper diligence. Which TPRM concept supports this?
A. Tiering
B. Calculator groups
C. Service offerings
D. MITRE ATT&CK mapping
Explanation: Tiering classifies third parties (or engagements) into levels such as Tier 1, 2, 3 based on inherent risk and business criticality. Higher tiers trigger more detailed assessments, more frequent reviews, and tighter contractual controls. Tiering is foundational to risk-based TPRM.
5. Which standardized questionnaire is most commonly used by TPRM programs to evaluate a third party's information security posture?
A. SIG (Standard Information Gathering)
B. ITIL Foundation Test
C. MITRE ATT&CK Navigator
D. PCI Self-Assessment Questionnaire
Explanation: The Standard Information Gathering (SIG) questionnaire, published by Shared Assessments, is the de facto standard used in third-party risk assessments. ServiceNow TPRM ships with SIG Lite and SIG Core templates that map to control libraries and accelerate diligence.
6. What is the primary purpose of the Third-Party Portal in ServiceNow TPRM?
A. To allow third parties to view internal change requests
B. To give third parties a self-service interface for completing assessments and submitting evidence
C. To replace the Service Catalog for internal users
D. To stream real-time threat intelligence to vendors
Explanation: The Third-Party (Vendor) Portal is an external-facing site where contacts at the third party can answer assessment questionnaires, attach evidence (SOC 2 reports, ISO certificates), respond to issues, and update profile information. It removes email back-and-forth and creates an auditable record.
7. Which type of assessment is triggered automatically when a significant external event, such as a publicly disclosed breach at a vendor, occurs?
A. Initial assessment
B. Periodic assessment
C. Event-driven assessment
D. Continuous monitoring poll
Explanation: Event-driven assessments are launched in response to an event such as a breach, regulatory action, financial-distress signal, or major news item. They differ from Initial assessments (run during onboarding) and Periodic assessments (run on a fixed cadence such as annually).
8. Which U.S. regulatory guidance has historically been the most influential reference for U.S. bank third-party risk programs?
A. OCC Bulletin 2013-29
B. NIST SP 800-53 Revision 5
C. ISO/IEC 27001:2022
D. PCI DSS 4.0
Explanation: OCC Bulletin 2013-29 established expectations for national banks' third-party risk-management programs covering risk assessment, due diligence, contract negotiation, ongoing monitoring, termination, and oversight. It was succeeded by the 2023 Interagency Guidance on Third-Party Relationships but remains the historical anchor.
9. A risk officer wants to detect when too many critical services depend on the same hosting provider. Which TPRM analysis addresses this?
A. Concentration risk analysis
B. Inherent risk scoring
C. Geopolitical risk lookup
D. ESG questionnaire
Explanation: Concentration risk analysis surfaces clustering of dependencies on a single third party, fourth party, geography, or service category. ServiceNow TPRM concentration views aggregate engagements, services, and sub-tier vendors so leadership can see where a single failure could disrupt many lines of business.
10. Which integration partners are pre-built in ServiceNow TPRM to provide continuous external cyber-risk ratings?
A. BitSight, SecurityScorecard, and RiskRecon
B. Splunk, Datadog, and New Relic
C. Okta, Azure AD, and Ping
D. Tenable, Qualys, and Rapid7
Explanation: ServiceNow TPRM ships with packaged integrations for BitSight, SecurityScorecard, and RiskRecon (Mastercard) for continuous cyber-risk ratings. These feeds bring external scan-based scores into the third-party record so analysts can react between formal assessment cycles.

About the ServiceNow CIS-TPRM Exam

The ServiceNow CIS-TPRM exam validates implementation skills for Third-Party Risk Management, the broader successor to Vendor Risk Management. The blueprint covers the third-party lifecycle, tiering, assessments and SIG, continuous monitoring, contracts and SLAs, concentration and geographic risk, sub-tier visibility, and AI/resilience considerations.

  • Questions: 60 scored questions
  • Time Limit: 90 minutes
  • Passing Score: Not publicly disclosed
  • Exam Fee: $300 (ServiceNow / Pearson VUE)

ServiceNow CIS-TPRM Exam Content Outline

  • Third-Party Lifecycle and Program Foundations (15%): Onboarding, Active Management, and Offboarding/Retirement; how TPRM differs from VRM; engagements vs. third-party records; intra-group and non-contracted relationships.
  • Profiling, Tiering, and Risk Domains (20%): Third-party profile attributes, inherent vs. residual risk, tier inputs, and the Cyber, Operational, Financial, Strategic, Compliance, Geopolitical, ESG, and Concentration domains.
  • Assessments, SIG, and Calculator Groups (20%): Initial, periodic, and event-driven assessments; SIG Lite and Core; templates and scoping; calculator groups; control libraries; reuse and trend comparison.
  • Continuous Monitoring and Cyber Ratings (15%): Packaged integrations to BitSight, SecurityScorecard, and RiskRecon; rating-trend analysis; threshold-based event triggers; entity reconciliation; finding mapping.
  • Portal, Issues, Remediation, and Reporting (15%): Third-Party Portal usage, evidence management, issues and remediation tasks, risk acceptance, role-based access, and Performance Analytics reporting.
  • Contracts, Concentration, Sub-Tier, and Regulatory Alignment (15%): Right-to-audit and SLA clauses, concentration and geographic risk, sub-tier and fourth-party visibility, AI vendor risk, exit plans, FFIEC, OCC 2013-29, the 2023 Interagency Guidance, and EBA outsourcing guidelines.

How to Pass the ServiceNow CIS-TPRM Exam

What You Need to Know

  • Passing score: Not publicly disclosed
  • Exam length: 60 questions
  • Time limit: 90 minutes
  • Exam fee: $300

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

ServiceNow CIS-TPRM Study Tips from Top Performers

1. Anchor every concept to the third-party lifecycle: Onboarding, Active Management, Offboarding/Retirement.
2. Practice the difference between Engagements and Third-party records and when each carries its own tier, contract, and risk score.
3. Memorize the eight risk domains (Cyber, Operational, Financial, Strategic, Compliance, Geopolitical, ESG, Concentration) and the typical signals that map to each.
4. Drill SIG Lite vs. SIG Core scoping and how calculator groups, control libraries, and templates support reuse.
5. Practice translating cyber-rating drops, sanctions hits, and breach events into event-driven assessments and Issues with remediation tasks.
6. Keep regulatory anchors handy: FFIEC, OCC Bulletin 2013-29, the 2023 Interagency Guidance on Third-Party Relationships, EBA Outsourcing Guidelines, and DORA for ICT third parties.

Frequently Asked Questions

What is the difference between ServiceNow TPRM and VRM?

ServiceNow Third-Party Risk Management (TPRM) extends the older Vendor Risk Management capability to cover any third-party relationship, including agents, brokers, distributors, joint-venture partners, and intra-group entities even when there is no formal procurement contract. VRM was originally focused on contracted suppliers. CIS-TPRM tests this broader scope, including non-vendor relationships.

How many questions are on CIS-TPRM and how long do I get?

ServiceNow lists 60 questions and a 90-minute time limit for the CIS-TPRM mainline exam. The exam uses multiple-choice and multiple-select items delivered through Pearson VUE at a test center or via OnVUE remote proctoring where available.

What score do I need to pass?

ServiceNow does not publish a fixed public passing percentage for CIS-TPRM. The blueprint states results are compared against an internal cut score that is not publicly shared and is not always 70%. Consistently scoring 80%+ on practice questions is a reasonable internal target.

What does the CIS-TPRM exam cost in 2026?

The current mainline TPRM exam fee is approximately $300 USD. ServiceNow charges a separate retake fee for CIS-level mainline exams. Registration happens through ServiceNow University and the exam is delivered through Pearson VUE.

What should I study most heavily?

Spend the most time on tier-driven diligence and assessments because the exam emphasizes implementation judgment around SIG, calculator groups, and event-driven assessments. Also master the third-party lifecycle, continuous monitoring with cyber-rating providers, concentration and sub-tier reporting, and how TPRM aligns with FFIEC, OCC 2013-29, the 2023 Interagency Guidance, and EBA Guidelines on Outsourcing Arrangements.

Is CIS-VRM a prerequisite for CIS-TPRM?

ServiceNow treats TPRM as the broader successor to VRM. Candidates with VRM background carry over many concepts, but the CIS-TPRM blueprint expands scope to non-contracted relationships, AI vendor risk, resilience, and concentration analysis. Hands-on TPRM experience is more useful than a prior VRM credential.