What is the Vendor Due Diligence control?
Due diligence activities are performed over new vendors and service providers before contract execution. Due diligence activities include assessing information security (and data privacy) practices based on the assessed level of vendor risk. It is only necessary to document due diligence activities for new vendors that will significantly impact your business or IT environment. Usually, this is defined as any new vendor processing PII or other sensitive or confidential data or any new vendor where, if they experienced downtime or you suddenly lost access to their service, it would disrupt your business.
Which framework is this for?
All of them!
Why is this control important?
This control aims to establish security and privacy requirements for all vendors to protect your organization’s assets, data, and personally identifiable information (“PII”) and then to ensure they are still in place over time.
Who’s involved with this control?
Typical control owner: Vendor Manager or Compliance Officer
Typical parties involved: CFO, CEO, COO, and/or any parties involved in engaging with vendors
How often should I perform this control?
Vendor due diligence should be conducted whenever a significant new vendor is considered for onboarding. New vendor due diligence is covered in a tab in the Risk Register template, so new vendors should be tracked there. Once a new vendor has been brought on board, the vendor should be moved from the new vendor due diligence tab to the spreadsheet's general risk register tab.
How do I perform this control?
To perform initial due diligence activities, assess the potential vendor against a standard set of criteria. For example, do they have a SOC 2 report, or can they share their information security policies? Are they a legitimate business, and how confident are you that they will remain in business? You can define the assessment criteria based on what is important to your business.
Hot Tip: Set a calendar reminder 45 days ahead of each vendor’s contract renewal date to allow adequate time for the service provider to submit due diligence documents for your organization’s review.
Need a template?
Utilize our updated Vendor Risk Register template:
