Standards in third party risk management are best described as what?

Standards are the concrete, actionable criteria that operationalize policy expectations in third-party risk management. They specify what must be done and how well it must be done, providing measurable requirements that you can audit and enforce. By detailing the specific controls, thresholds, and performance criteria vendors must meet, standards create a consistent basis for evaluation, monitoring, and remediation across all third parties. They sit between policy and execution, turning high-level rules into observable expectations. Step-by-step procedures describe how to perform tasks, which is not the same as the measurable criteria and outcomes captured in standards. Legal terms and contract language pertain to the agreement itself, not the internal criteria used to assess and enforce compliance.