When it comes to CISSP, the definition of Due Diligence (DD) is obscure and inconsistent.
IMO, DD entails defining a standard appropriate to the context: the standard of DD in the legal sector differs from the one in finance.
The Audit Office of New South Wales defines the standard of DD in the context of third-party engagement. It’s a good practice and a useful reference.
Standard of Due Diligence
However, how much diligence is enough to meet the standard of due diligence? There is no uniform or widely agreed standard; it varies across professions and contexts. For example, in a merger & acquisition (M&A) case, the following professional due diligence may be performed:
- Financial due diligence may focus on uncovering any financial abnormalities.
- Legal due diligence may involve analyzing the company’s agreements, licenses, ownership, and legal standing to operate.
- Information security due diligence may include activities such as a data leakage review, a cyber health check, a supply chain risk assessment, an SDLC and DevOps evaluation, and so forth.