Due diligence is a reasonable amount of careful and persistent work or effort, and due care lies at the core of due diligence.
- Individuals, organizations, or even nations exercise due diligence to inform risk-based decision making to avoid loss and liability.
- They use due care to ensure the decision is made and implemented without negligence. Negligence is a failure to exercise the care that a reasonably prudent person would exercise under similar circumstances; that is, lack of due care.
Due care means “the degree of care that a prudent and competent person engaged in the same line of business or endeavor would exercise under similar circumstances. Due care does not permit willful ignorance.” (16 CFR § 1107.2)
Due diligence can be part of the risk assessment process. People typically exercise due diligence, as a preemptive or proactive measure, by checking things out or conducting investigations to inform risk-based decision making.
Because due diligence informs risk-based decision making, it is more often exercised by management than by others. In contrast, everybody has to use due care to get things done without negligence.
Standard of Due Diligence
How much diligence, then, is enough to meet the standard of due diligence? There is no uniform or widely agreed standard; it varies across professions and contexts. For example, in a merger and acquisition case, the following professional due diligence may be performed:
- Financial due diligence may focus on uncovering any financial abnormalities.
- Legal due diligence may involve analyzing the company’s agreements, licenses, ownership, and legal standing to operate.
- Information security due diligence may contain activities such as data leakage review, cyber health check, supply chain risk assessment, SDLC and DevOps evaluation, and so forth.
Security Operations Due Diligence
When it comes to security operations, according to the Official (ISC)² Guide to the CISSP CBK 4th edition, examples of due diligence for security professionals in an organization include but are not limited to:
- Background checks of employees
- Credit checks of business partners
- Information system security assessments
- Risk assessments of physical security systems
- Penetration tests of firewalls
- Contingency testing of backup systems
- Threat intelligence services used to check on the availability of company Intellectual Property (IP)
The Official (ISC)² CISSP Study Guide states:
- Due care is using reasonable care to protect the interests of an organization.
- Due diligence is practicing the activities that maintain the due care effort.