Due Diligence, Questionnaires, and Monitoring
Key Takeaways
- Due diligence evaluates vendor risk before sensitive access or data sharing begins.
- Questionnaires are useful only when answers are validated against evidence and risk context.
- Ongoing monitoring tracks control changes, audit reports, incident history, financial health, and SLA performance.
- High-risk vendors need stronger review, clearer evidence, and more frequent monitoring than low-risk suppliers.
- A risk register should document issues, owners, remediation dates, accepted risks, and compensating controls.
Due diligence is the investigation performed before trusting a third party with systems, credentials, facilities, or data. It is not a single form. It is a risk-based review that asks, "What could go wrong if this vendor fails, is compromised, mishandles data, or cannot perform?"
Risk-Based Intake
The first step is scoping. A vendor that delivers office furniture does not need the same review as a cloud provider that stores customer records. Common intake questions include:
- What business process will the vendor support?
- What data types will the vendor access, process, store, or transmit?
- Will the vendor have network, cloud, API, or privileged access?
- Will the vendor use subcontractors?
- Which countries or regions will process or store data?
- Is the service business-critical?
- Are regulatory, contractual, or privacy obligations involved?
Questionnaire Topics
| Topic | Example question | Evidence that supports the answer |
|---|---|---|
| Access control | Is MFA required for administrative access? | Admin access policy and sample configuration |
| Encryption | Is sensitive data encrypted in transit and at rest? | Architecture diagram and encryption standard |
| Incident response | How quickly will incidents be reported? | Incident response plan and contract clause |
| Vulnerability management | How are critical vulnerabilities remediated? | Scan summary and remediation SLA |
| Business continuity | Can the vendor continue service after disruption? | BCP test report and recovery objectives |
| Privacy | How are deletion and retention requests handled? | Retention schedule and request workflow |
| Subcontractors | Which fourth parties support the service? | Subprocessor list and notification process |
Questionnaires can create a false sense of security when they are treated as self-proving. Stronger reviews compare answers to independent reports, configuration samples, certifications, test summaries, policies, or technical evidence. The amount of validation should match risk.
Monitoring Scenario
A retail company uses a third-party marketing analytics platform. During due diligence, the vendor states that it does not store payment data and only receives pseudonymous customer IDs, email addresses, campaign events, and consent flags. The company approves the vendor as medium risk.
Six months later, the vendor announces a new integration that enriches customer profiles through a subcontractor. That change may alter data sharing and privacy risk. The company updates the vendor risk record, reviews the new subprocessor, checks whether consent language still matches actual processing, and requires a contract amendment before enabling the integration.
Monitoring is not limited to technical controls. The organization may track SLA misses, breach notifications, audit report exceptions, negative news, financial distress, ownership changes, and missed remediation dates.
Vendor Risk Register
| Finding | Risk | Owner | Due date | Status |
|---|---|---|---|---|
| No formal incident notification test | Delayed breach reporting | Vendor security lead | 2026-06-15 | Open |
| Annual SOC report has backup exception | Recovery uncertainty | Procurement manager | 2026-05-30 | Compensating control requested |
| Subprocessor list changed | New fourth-party privacy risk | Privacy office | 2026-05-10 | Under review |
Common Traps
- Asking every vendor the same questions regardless of risk.
- Accepting "yes" answers without evidence for high-risk services.
- Reviewing the vendor once and never again.
- Ignoring material changes such as new data types, new regions, or new subprocessors.
- Failing to track remediation owners and due dates.
- Treating certifications as complete proof that all contract requirements are met.
A vendor questionnaire says administrative access requires MFA, but the vendor will host sensitive customer data. What is the best next step?
A vendor adds a new subprocessor that will analyze customer data in another region. What risk process is most appropriate?
Which items are useful for ongoing vendor monitoring? Select three.