Updated October 9, 2023
In this section we walk through the typical stages of due diligence.
Figure: The typical workflow of a due diligence process.
The organization conducting the due diligence will contact you or your team to kick off the process.
The aim of this stage is to start the relationship and set expectations about the process and timelines, as well as to give everyone an opportunity to ask initial questions about the process.
Key activities:
Make a connection and set up the start of a collaborative and sharing relationship. Remember that these things don’t need to be adversarial.
Prepare your questions in advance so you can ask about and understand the process, how long it will take, and what you will be required to do.
The due diligence process is underway and you will receive a set of questions about your approaches to common security challenges and risks.
This is commonly referred to as “the questionnaire,” a reference to the high number of questions and typical format of this stage.
Key activities:
Read through the questionnaire thoroughly before you start to answer.
If the questionnaire is a spreadsheet, take a copy and work from your copy to allow for review and finalization.
If the questionnaire is delivered via an online tool, create your account and ask for any other required accounts to be created for team members. Remember that account sharing isn’t good security practice, so let’s start on the right foot and give everyone who needs access their own account.
Check for evidence requirements and understand what the questions are asking. Your aim is to answer the specific questions asked and provide evidence of your answer as requested.
Get organized with your answers and evidence. Remember to use good plain language where possible and complete sentences. If there is something you don’t do, provide a brief explanation as to why.
Consider what information you can hand over. You likely cannot provide a list of your customers, some internal security processes, sensitive information, etc.
Don’t wax lyrical and provide information beyond what they need. Aim for “Yes, we do X.”
When it comes to evidence, make it easy to find. Name your files in relation to the question that they relate to and keep them up to date.
If evidence is used for more than one question, consider whether you should provide a cross-reference guide mapping evidence to questions, or whether you simply add a second version of the same evidence with a new name.
Evidence files should be easy to review and navigate. Remember to use common formats like PDF or images where appropriate and to consider if any data is lost when converting to these formats. For example, Google Docs files will lose their automatically generated table of contents in the conversion so you may wish to create a static table of contents in these cases.
The assessor will go through your answers and any evidence shared so far to identify risks.
Key activities:
In most cases, the assessor will need to ask you questions about your answers. Don’t forget, they don’t know your environment or processes, so if your answers or evidence were unclear or they want to gain additional context, they may go through your responses with you and your team in a call or interview.
Key activities:
Help set the scene early on. If you can provide additional documentation about your business architecture or structure, this will help.
Remember that your assessor doesn’t know your product or business at all. They are part of a procurement process and may not have heard of your organization before this point. Be helpful and help them understand why your product or service is being chosen and where it will fit into their organization’s operations.
Don’t be afraid to say “I don’t have that” or “I don’t know” and offer to get back to them if a question catches you off guard or you need time to get better evidence.
Use this process as a chance to share your approaches and reasons behind your decisions, as well as the technical details. Sometimes the reasons behind the decisions allow us to understand the risk in more depth.
The assessor will consider their findings and reach a decision based on the amount of risk associated with using your company, product, or service.
Key activities:
As well as the overall outcome (typically pass/fail), this stage may also provide feedback on their assessment and any risks they have identified.
Use this feedback to suggest security updates and plan future improvements.
If the result is successful, you may proceed with procurement.
If the result is not successful, they should communicate your options for reassessment. (Please note that not all processes allow for reassessment and you should not count on this.)
In the event of an unsuccessful assessment, some organizations will offer a window to fix any issues identified and resubmit.
Key activities:
Remember that reassessments vary: some will look only at the changes you have made, while others will restart the entire assessment process with a new assessor.
Kick off your reassessment efforts with a good structure. Ask the assessor:
How long do you have to resubmit?
What issues need to be addressed?
How many reassessments are permitted?
What is the reassessment process?
Maybe you’ve completed the really long questionnaire and there are questions you couldn’t answer. Or perhaps you have submitted your responses and received feedback, identifying some gaps in your approach.
First, take a breath. This is normal.