Due diligence is the structured investigation an organization performs before making a business decision, such as buying a company, selecting a vendor, signing a contract, or granting system access. In cybersecurity, it verifies whether risks are understood, documented, and acceptable before the relationship begins.
Due diligence in cybersecurity focuses on security controls, data handling, compliance obligations, incident history, access practices, and resilience. NIST describes supplier due diligence as the minimum understanding an acquirer should have about a supplier, and recommends applying it broadly across suppliers, not only critical ones.
Cyber risk often enters through third parties, acquisitions, cloud tools, contractors, and unmanaged endpoints. Therefore, organizations use due diligence to reduce uncertainty before they inherit a vendor’s vulnerabilities, data exposure, or weak governance.
Moreover, NIST CSF 2.0 includes planning and due diligence before entering supplier or third-party relationships. CISA also provides vendor supply chain risk management questions to support standardized supplier vetting.
| Area | What to review |
|---|---|
| Governance | Security ownership, policies, risk register, audits |
| Data protection | Data types, storage, encryption, retention, privacy controls |
| Access | MFA, privileged access, identity lifecycle, least privilege |
| Endpoint security | Device compliance, patching, configuration, remote wipe |
| Incident readiness | Breach history, response plans, recovery testing |
| Third-party risk | Subprocessors, supplier dependencies, contractual controls |
| Compliance | Relevant regulatory and contractual obligations |
For endpoint-heavy environments, Hexnode can support due diligence by helping organizations demonstrate device visibility, policy enforcement, compliance posture, and remote security controls across corporate and BYOD endpoints.
| Term | Meaning |
|---|---|
| Due diligence | Investigation before a decision or relationship |
| Risk assessment | Evaluation of likelihood, impact, and treatment options |
| Audit | Formal review against defined requirements |
| Continuous monitoring | Ongoing review after onboarding or approval |
Organizations should perform cybersecurity due diligence before onboarding vendors, adopting new technologies, or entering partnerships. However, it should not remain a one-time activity. Regular reviews help identify changes in compliance status, security posture, access permissions, and emerging threats. Continuous oversight is especially important for vendors handling sensitive data, remote endpoints, or critical business operations.
No. It applies to vendor onboarding, software procurement, outsourcing, cloud adoption, partnerships, and mergers or acquisitions. In M&A specifically, it also helps buyers understand inherited security gaps before deal closure.
Security, legal, procurement, IT, privacy, and business owners usually share responsibility, but the risk owner should approve the final decision.
It should happen before signing contracts, sharing sensitive data, integrating systems, or granting privileged access. Additionally, organizations should reassess vendors when scope, access, or risk changes.
The outcome is a documented decision: approve, reject, remediate before approval, or accept risk with controls.