Due Diligence (DD) and Due Care (DC)

Due Diligence (DD) is more specific than Due Care (DC) because DD has explicit “standards,” while DC is implicit and relies on a judge’s inner conviction per the prudent man rule.

Due Diligence (DD)

“Investigation” is a generally accepted “standard” of DD across industries. Some laws or regulations may define the standard of DD in certain subject domains. For example, the US regulation, 16 CFR § 682.3, defines the DD standard for the proper disposal of consumer information.

Generally speaking, DD emphasizes investigation as a preventive/proactive measure, establishing and maintaining the management system (policies, standards, procedures, controls, etc.) and ensuring its effectiveness.

Due Care (DC)

DC focuses on exercising best effort and reasonable care to conduct activities and take preventive, detective, corrective, or recovery actions. However, the degree of effort that DC requires is not easy to measure. That’s why a defendant in court has to demonstrate to the judge that he or she has exercised “due care.”

DD and DC

It’s common for CISSP aspirants to use the following mnemonics:

  • DD: Do Detect
  • DC: Do Correct

Establishing Policy Framework as Due Diligence

John Smith posts an interesting question about policy framework and due diligence today as follows:

Due diligence, generally speaking, is a cautious investigation that informs decision-making or a course of proactive and preemptive actions. Due care is the reasonable care used by a prudent man to implement the decision, exercise one’s duties, or conduct any activities; negligence, i.e., failing to exercise due care, might lead to litigation.

Due diligence can be explicitly measured by a standard, while due care is implicit and determined by court judges.

Standard of Due Diligence

The definition of due diligence varies across contexts or industries. There should be a “standard of due diligence” for each context to measure if due diligence is fulfilled. For example, a lawyer is subject to legal due diligence. Kayode Omosehin, Esq. has a good explanation of this topic.

However, when it comes to information security, what is the standard of “security due diligence,” and who is subject to the standard? The CISSP CBK 4th edition proposed a list of tasks as the following diagram shows:

Policy Framework

The management is typically in charge of the creation of Policies, Standards, or Procedures (or policy framework). IMO, setting up the policy framework is the management’s due diligence: policies stand for management intention, and making policies entails informed decisions, which is proactive in nature.

CISSP PRACTICE QUESTIONS – 20201009

Your company is growing sharply. Buying out a prominent partner is an initiative of its growth strategy. As a CISO, which of the following should be conducted before the acquisition?
A. Security audits
B. Risk treatment
C. Due care to avoid negligence
D. Preemptive or proactive investigations


CISSP PRACTICE QUESTIONS – 20200222

Your company is a direct bank that relies entirely on internet banking; its shares are publicly traded. You are exercising due diligence by surveying the laws and regulations applicable to your company. Which of the following has a profound effect on corporate governance and holds directors and officers personally liable for the accuracy of financial statements?
A. GDPR
B. GLBA
C. SOX
D. HITECH


Due Diligence and Due Care – Part 2

Due diligence is a reasonable amount of careful and persistent work or effort, and due care lies at the core of due diligence.

  • Individuals, organizations, or even nations exercise due diligence to inform risk-based decision making to avoid loss and liability.
  • They use due care to ensure the decision is made and implemented without negligence. Negligence is a failure to exercise the care that a reasonably prudent person would exercise under similar circumstances; that is, lack of due care.

Due care means “the degree of care that a prudent and competent person engaged in the same line of business or endeavor would exercise under similar circumstances. Due care does not permit willful ignorance.” (16 CFR § 1107.2)

Due diligence can be part of the risk assessment process. People typically exercise due diligence, as a preemptive or proactive measure, by checking things out or conducting investigations to inform risk-based decision making.

As due diligence focuses on risk-based decision making, management exercises due diligence more often than others do. In contrast, everybody has to use due care to get things done without negligence.

Standard of Due Diligence

However, how much diligence or how diligent is enough to meet the standard of due diligence? There is no uniform or widely agreed standard, and it varies across professions or contexts. For example, in the context of a merger & acquisition case, the following professional due diligence may be performed:

  • Financial due diligence may focus on uncovering any financial abnormalities.
  • Legal due diligence may involve analyzing the company’s agreements, licenses, ownership, and legal standing to operate.
  • Information security due diligence may contain activities such as data leakage review, cyber health check, supply chain risk assessment, SDLC and DevOps evaluation, and so forth.

Security Operations Due Diligence

When it comes to security operations, according to the Official (ISC)² Guide to the CISSP CBK 4th edition, examples of due diligence for security professionals in an organization include but are not limited to:

  • Background checks of employees
  • Credit checks of business partners
  • Information system security assessments
  • Risk assessments of physical security systems
  • Penetration tests of firewalls
  • Contingency testing of backup systems
  • Threat intelligence services used to check on the availability of company Intellectual Property (IP)

The Official (ISC)² CISSP Study Guide states:

  • Due care is using reasonable care to protect the interests of an organization.
  • Due diligence is practicing the activities that maintain the due care effort.

Due Diligence

  • detailed assessment of one or more business processes or production lines, culture, assets, liabilities, intellectual property, judicial and financial situation in order to make the outsourcing decisions. (ISO 37500:2014)
  • detailed assessment conducted by an economic operator to evaluate a supplier’s compliance with the guidance principles.
    Note 1 to entry: In the context of the guidance principles, due diligence is conducted through second-party audits or third-party audits and, wherever feasible, regularly monitored through government inspections and oversight. (ISO/IWA 19:2017)
  • comprehensive, proactive process to identify the actual and potential negative social, environmental and economic impacts of an organization’s decisions and activities over the entire life cycle of a project or organizational activity, with the aim of avoiding and mitigating negative impacts. (ISO 26000:2010)
  • process through which organizations proactively identify, assess, prevent, mitigate and account for how they address their actual and potential adverse impacts as an integral part of decision-making and risk management. (ISO 20400:2017)
  • compilation, comprehensive appraisal and validation of information of an organization required for assessing accuracy, commercial integrity, financial stability and functional competence integrity at the appropriate stage of the agreement sourcing process (ISO 41011:2017)
  • process to further assess the nature and extent of the bribery risk and help organizations make decisions in relation to specific transactions, projects, activities, business associates and personnel. (ISO 37001:2016)

CISSP PRACTICE QUESTIONS – 20200124

As a CISSP working for a direct bank based in Taiwan, which relies entirely on internet banking and is involved in the credit card business, you are reviewing compliance requirements. Which of the following is least related to the compliance issue?
A. Customer’s contracts
B. Foreign laws
C. (ISC)² Code of Ethics
D. Due diligence in mergers and acquisitions

CISSP PRACTICE QUESTIONS – 20191220

You are sitting for the CISSP exam. An agreement is displayed on the screen requiring that you, as an exam taker, cannot share any content of the exam with others. After reviewing it, you click “I agree” and proceed to start the exam. Which of the following best describes your behavior?
A. Accountability
B. Digital signature
C. Due care
D. Due diligence


Due Diligence and Due Care – Part 1

The following is my definition of Due Diligence and Due Care. As I am not a lawyer, I just interpret them from my point of view and avoid relating them to the context of the laws.

Due Diligence

The core concept of due diligence is about making informed decisions. A decision should be made based on sufficient information and justifications. If a decision-maker can’t do so, he or she doesn’t exercise due diligence. The decision-maker is often the management.

CISSP PRACTICE QUESTIONS – 20190915

  • Security Due Diligence
  • Financial Due Diligence
  • Operational Due Diligence
  • Legal Due Diligence
  • Human Rights Due Diligence

Due Care

The core concept of due care is about a reasonable person’s compliance and best efforts. A reasonable person should do his or her duty according to the organization’s policies, standards, and procedures, with best efforts. Lack of due care is called negligence. The reasonable person role applies to everyone.

CISSP PRACTICE QUESTIONS – 20190915

You are the CISO of a global company and are participating in an executive meeting with an agenda to acquire a company as part of the corporate growth strategy. The CEO is concerned about due diligence compliance in this acquisition. As a CISO, which of the following is the best contribution you can make to this project?
A. Review the acquisition contract and identify potential contractual risks
B. Build a tiger team to conduct security testing to identify potential vulnerabilities and threats.
C. Train and educate the security staff of the acquired company about corporate security policies.
D. Conduct a comprehensive security assessment and identify the gap between corporate security policies.
