Third-party due diligence is the process of reviewing external vendors, partners, or providers before and during a relationship to understand risk and trustworthiness. It matters because organizations often depend on outside parties that can introduce security, privacy, operational, and regulatory exposure.
What is Third-Party Due Diligence?
Third-party due diligence involves gathering and evaluating evidence about an external party’s controls, practices, resilience, ownership, risk profile, and ability to meet contractual or regulatory expectations. It often happens before onboarding and continues through periodic review or trigger-based reassessment.
Good due diligence helps prevent poorly informed vendor decisions, supports risk-based approvals, and improves confidence in the external relationships that matter to the business.
What Due Diligence Commonly Reviews
Common review areas include security controls, privacy practices, financial stability, compliance evidence, incident history, resilience, subprocessor use, access methods, insurance, contractual terms, and material business dependencies.
Third-Party Due Diligence vs. Vendor Risk Management
Due diligence is a core activity within broader vendor or third-party risk management. It focuses specifically on the investigation and evidence review used to support trust decisions, while the wider program covers contracting, monitoring, and offboarding as well.
Frequently Asked Questions
Why does third-party due diligence break down?
It often breaks down when reviews are too shallow, too generic, too slow, or disconnected from actual business criticality and data exposure.
Is due diligence a one-time exercise?
No. Important third parties should be reassessed when risk changes, services expand, incidents occur, or review cycles require updated evidence.