- The CTPRP covers four equal domains (25% each), so no single area can be deprioritized during prep.
- SHARED Assessments publishes the official Body of Knowledge - it is the single most important document you will read.
- Domain 3 (Controls Evaluation) demands hands-on familiarity with SIG questionnaires and SSAE 18 reports, not just definitions.
- Practice tests mapped to CTPRP's four domains are the fastest way to identify which 25% of the exam is your weakest.
What the CTPRP Actually Tests
Before you spend a dollar on study materials, you need a clear picture of what the Certified Third Party Risk Professional (CTPRP) examination is actually measuring. This is not a general information-security certification repackaged with a new name. The CTPRP is administered by SHARED Assessments and is built specifically around the discipline of third-party risk management - the structured process organizations use to evaluate, onboard, monitor, and offboard external vendors, suppliers, and service providers.
The exam is organized into four domains, each carrying exactly 25% of the total weight:
Domain 1: Third-Party Risk Management Foundation
This domain establishes the conceptual and regulatory groundwork for everything else. Candidates must understand why TPRM exists as a formal discipline, the regulatory and contractual drivers behind it, and the vocabulary the industry uses.
- Regulatory expectations from supervisory bodies such as the OCC and FFIEC, and from regulations such as the GDPR
- Definitions and scope of "third party," "fourth party," and "Nth party" risk
- Risk taxonomy: operational, reputational, compliance, strategic, and concentration risk
- Governance structures and board-level accountability for vendor risk
Domain 2: TPRM Program Design and Structure
Moving from theory to architecture, Domain 2 tests your ability to design a functioning TPRM program from the ground up. This is where candidates who have only read about TPRM - rather than lived it - tend to struggle.
- Risk tiering methodologies and how to classify vendors by inherent risk
- Policy and procedure frameworks for due diligence and ongoing monitoring
- Roles and responsibilities across first, second, and third lines of defense
- Technology platforms and workflow design for TPRM at scale
Domain 3: Controls Evaluation in TPRM
Domain 3 is where the exam gets highly technical. Candidates must be comfortable reading and interpreting third-party control documentation - not just assigning scores to checkboxes.
- Standardized Information Gathering (SIG) questionnaire structure and use
- SOC 1, SOC 2, and SOC 3 report interpretation (attestation reports issued under the AICPA's SSAE 18 standards)
- Penetration testing, vulnerability assessments, and what their outputs mean
- Residual risk determination after reviewing third-party evidence
Domain 4: TPRM Program Operations and Implementation
The final domain brings everything together at the operational level. This includes the day-to-day mechanics of running a TPRM program and managing the full vendor lifecycle.
- Onboarding and contracting requirements including right-to-audit clauses
- Continuous monitoring techniques and trigger-based reassessment
- Incident response coordination with third parties
- Program metrics, KRIs, KPIs, and reporting to senior management
Understanding this structure before selecting study materials prevents one of the most common and costly mistakes: buying materials that cover cybersecurity broadly but miss the vendor lifecycle operations content that Domain 4 heavily tests. For a detailed look at how these domains map to question format and timing on exam day, see the CTPRP Exam Format 2026: Question Types and Time Limits guide.
Official and Primary Study Resources
The SHARED Assessments Body of Knowledge
Every serious CTPRP candidate starts here. SHARED Assessments publishes a Body of Knowledge (BoK) document that defines the scope of all four exam domains in precise detail. It is the authoritative outline against which every other resource should be measured. If a textbook chapter doesn't map to something in the BoK, deprioritize it.
SHARED Assessments Training Courses
SHARED Assessments offers instructor-led and self-paced training courses developed specifically for CTPRP candidates. These courses are written by the same organization that writes the exam, which gives them a structural advantage no third-party textbook can match. The course content walks through all four domains with applied scenarios drawn from real vendor risk assessments. If budget allows, this is the highest-fidelity preparation available.
The SIG Questionnaire Itself
For Domain 3 specifically, reading the SIG questionnaire documentation is not optional - it is required. The SIG (Standardized Information Gathering) is SHARED Assessments' flagship tool, and Domain 3 tests your ability to use and interpret it. Download the SIG Lite at minimum. Understand how control categories are organized, how a vendor's inherent risk score drives the choice of questionnaire scope (which sections and which version apply), and how responses map to risk findings. No textbook substitute exists for reading the actual instrument.
Resource Mapping by Domain
Not all study materials are equally useful across all four domains. The table below maps resource types to the domains where they deliver the highest return on study time.
| Resource | Best For Domain(s) | Format | Notes |
|---|---|---|---|
| SHARED Assessments BoK | All four domains | PDF reference | Defines exam scope; non-negotiable starting point |
| SHARED Assessments Training | All four domains | Course (ILT or self-paced) | Written by exam developers; highest fidelity |
| SIG Questionnaire Documentation | Domain 3 | Downloadable tool | Essential for controls evaluation questions |
| SSAE 18 / SOC Report Guides | Domain 3 | AICPA publications | Understand Type I vs. Type II, scope and period covered, and complementary user entity controls (CUECs) |
| OCC Third-Party Risk Guidance | Domain 1, Domain 2 | Regulatory bulletin (free) | OCC 2013-29 and the interagency guidance (proposed 2021, finalized June 2023, which rescinded 2013-29) are frequently referenced |
| CTPRP Practice Tests | All four domains | Online question bank | Critical for identifying weak domains before exam day |
| ISO 27001 / NIST SP 800-161 | Domain 1, Domain 3 | Standards documents | Supply chain risk management framework context |
Why Practice Tests Are Non-Negotiable
The CTPRP exam tests applied knowledge, not memorized definitions. Questions present scenarios - a vendor has submitted a SOC 2 Type I report instead of a Type II, your organization's risk tier methodology doesn't account for fourth-party exposure, a contract lacks a right-to-audit clause - and you must select the most appropriate response from options that are all plausible.
This means passive reading alone, even of excellent materials, leaves a dangerous gap. You need to practice retrieving knowledge under conditions that approximate the exam. CTPRP Exam Prep practice tests are designed specifically around the four CTPRP domains, presenting scenario-based questions that mirror the applied reasoning style the exam uses. Using them early in your preparation - not just at the end as a final check - reveals which domains need more study time before you've locked in a test date.
After working through the official materials and regulatory guidance, return to CTPRP practice questions regularly. The goal is not to memorize the practice answers but to build the reasoning patterns the exam rewards - recognizing what a "controls evaluation finding" actually means in operational context, or what the correct escalation path looks like when a critical vendor fails a reassessment.
A Domain-Anchored Study Schedule
For candidates studying over eight weeks with roughly ten hours per week available, a domain-anchored schedule outperforms generic week-by-week plans. The logic: each CTPRP domain requires a different type of cognitive engagement, and grouping by domain lets you build context before switching modes.
Orientation and Diagnostic
- Read the full CTPRP Body of Knowledge and Candidate Handbook
- Complete a timed diagnostic practice test to establish a baseline
- Note which of the four domains produced the lowest scores
Domain 1 and Domain 2: Foundation and Program Design
- Read OCC Third-Party Risk Guidance (2013-29 and the interagency guidance proposed in 2021 and finalized in June 2023)
- Review SHARED Assessments training content for Domains 1 and 2
- Map regulatory requirements to program design components (risk tiering, policy framework)
- Practice scenario questions focused on program architecture decisions
Domain 3: Controls Evaluation - The Technical Core
- Work through the SIG Lite and the full-length SIG questionnaire documentation; understand the category structure and how scope is selected
- Read AICPA guidance on SOC 2 reports; practice interpreting sample Type II reports
- Study SSAE 18 standards and complementary user entity controls
- Do focused Domain 3 practice questions daily - this domain rewards repetition
Domain 4: Operations, Lifecycle, and Metrics
- Review vendor lifecycle stages: inherent risk assessment → due diligence → contracting → monitoring → offboarding
- Study KRI and KPI frameworks for TPRM reporting to senior management
- Practice incident response and business continuity scenarios involving third parties
- Review right-to-audit clause language and what triggers a reassessment
Integrated Review and Final Practice
- Take two full-length timed practice exams under realistic conditions
- Review every incorrect answer and trace it back to the relevant BoK section
- Focus final reading on your two weakest domains as identified by the orientation diagnostic
Supplementary Materials Worth Your Time
Regulatory Guidance Documents (Free)
Several free regulatory publications provide essential context for Domains 1 and 2. The OCC's guidance on third-party relationships, the FFIEC IT Examination Handbook chapters covering service provider oversight, and the interagency guidance on third-party relationships from the Federal Reserve, OCC, and FDIC (proposed in 2021 and finalized in June 2023) collectively establish the regulatory framework that the exam treats as baseline knowledge. These are public documents - download them directly from the issuing agencies.
NIST SP 800-161 (Supply Chain Risk Management)
NIST's supply chain risk management publication (SP 800-161 Rev. 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations) is referenced frequently in TPRM program design discussions. It doesn't need to be read cover to cover, but candidates should understand its framework structure and how it relates to vendor risk tiering and controls selection in Domains 2 and 3.
ISO 27001 Annex A Controls
ISO 27001's control set appears in Domain 3 contexts, particularly when evaluating third-party information security practices. You do not need to memorize every control number, but understanding the control categories (the 2022 revision groups Annex A into organizational, people, physical, and technological themes) and how organizations use ISO 27001 certification as third-party evidence is exam-relevant. Remember that a certificate attests to the management system within its stated scope, so check the Statement of Applicability and scope before accepting it as evidence for a specific service.
Key Takeaway
The highest-value free resources for CTPRP prep are regulatory guidance documents - OCC, FFIEC, and FDIC publications - not general cybersecurity textbooks. Spend time on the documents that practitioners in vendor risk management actually use on the job.
CTPRP Exam Format Awareness
Understanding how the exam is structured - question format, total item count, and time allocation - changes how you study. For the complete breakdown of question types and pacing strategy, the CTPRP Exam Format 2026: Question Types and Time Limits article covers this in detail and is worth reading before you finalize your study approach.
What to Skip (and Why)
The CTPRP prep market is small enough that some candidates default to materials written for adjacent certifications - CISA, CISSP, CRISC, or even ISO 27001 Lead Auditor prep. These are not substitutes, and spending significant time on them risks crowding out the TPRM-specific content the exam actually tests.
- General cybersecurity textbooks: They cover technical security controls in depth but say little about vendor lifecycle management, SIG questionnaires, or third-party regulatory compliance - the content that differentiates the CTPRP from an information security exam.
- CISA or CRISC study guides: While there is topical overlap in risk concepts, neither certification's body of knowledge addresses TPRM program design, inherent risk tiering, or SIG-based controls evaluation the way the CTPRP does. Using these as primary resources leads to significant content gaps.
- Vendor-specific GRC platform training: Learning how to configure a specific third-party risk management platform is useful for the job, but the CTPRP tests platform-agnostic concepts. GRC tool certifications will not prepare you for exam questions on program design principles or regulatory expectations.
Frequently Asked Questions
SHARED Assessments does not publish a standalone textbook in the traditional sense. The primary study resource is their official training course (available in instructor-led and self-paced formats), supplemented by the Body of Knowledge document and the SIG questionnaire. The combination of official training content plus regulatory guidance documents and practice tests covers the exam content comprehensively.
Professional experience in TPRM or a closely related role is genuinely helpful, particularly for Domains 2 and 4, which test applied program design and operational judgment. However, candidates without direct TPRM experience can and do pass by studying the official materials thoroughly, engaging with regulatory guidance documents, and using scenario-based practice testing to build applied reasoning skills.
Start with Domain 1 (TPRM Foundation) to establish the regulatory and conceptual context that makes the other three domains coherent. Then prioritize Domain 3 (Controls Evaluation), where your security background will give you a head start on technical content. Allocate extra time to Domain 2 and Domain 4, which focus on program design and operational lifecycle management - areas less likely to be covered by a security-focused background.
Yes. Domain-mapped CTPRP practice tests are available at the CTPRP Exam Prep site and cover all four exam domains with scenario-based questions similar in style to the actual exam. Using a full-length practice test early in your preparation as a diagnostic tool - then retaking domain-specific question sets after targeted study - is an effective approach for identifying and closing knowledge gaps efficiently.
Study duration varies based on professional background and familiarity with TPRM concepts. Candidates with direct vendor risk management experience may find six to eight weeks of focused preparation sufficient. Those coming from adjacent fields like information security or compliance without TPRM-specific experience typically benefit from a longer preparation window of ten to twelve weeks to ensure all four domains receive adequate coverage.