I think certificaton cannot solve third party risk management, because cybersecurity cannot be standardized. Every process, every customer, has a different risk need, so the only way to approach it is to make advances in how to measure security capabilities, because trying to define what are the cybersecurity requirements for every use case is impossible