Vendor due diligence is a critical step in the vendor risk management (VRM) process for any business planning to enter into a relationship with a new supplier, service provider, or subcontractor. It is essential for organizations to ensure that their third-party vendors, who typically have access to or manage sensitive data and systems, follow established cybersecurity standards and practices.

By conducting vendor due diligence, organizations can identify and mitigate cybersecurity risks associated with outsourcing services or partnering with external parties. Keep reading for a detailed checklist for conducting vendor due diligence, covering third-party risk management (TPRM), understanding cybersecurity risks, and ensuring compliance with relevant security frameworks, standards, and regulations.


Why is vendor due diligence important?

Organizations increasingly rely on third-party vendors for a wide range of services, and every additional vendor increases the risk of a data breach. This dependency introduces new cyber risks, making vendor due diligence a necessary precautionary measure and a critical component of an organization's overall cybersecurity strategy.

Organizations can limit their risks and liabilities (such as reputational or operational risk) by properly vetting potential vendors during the procurement or vendor selection process, and can build stronger vendor relationships by establishing security expectations and goals up front. This is typically done through due diligence questionnaires (DDQs), which are broader in scope than security questionnaires.

However, the vendor due diligence process doesn’t stop after onboarding. Instead, organizations must establish a plan to continue monitoring the vendor and ensure they uphold the security requirements agreed upon during contract negotiations and SLAs throughout the vendor’s lifecycle.


What should an IT vendor due diligence checklist include?

Vendor due diligence checklists vary between organizations, but in general they should include a few basic sections:

  1. Company information and background
  2. Risk management program
  3. Vendor compliance management
  4. Vendor security certifications
  5. Incident response, disaster recovery, business continuity plans
  6. Key decision-making stakeholders

Vendor due diligence checklist template

The following is a short template designed to help companies streamline their vendor risk assessment process. You can customize and update it according to your company’s needs.

Organizational Security

1. Does the vendor have a formal cybersecurity policy in place?

  • Yes
  • No
  • [Insert text field]

2. Is there a dedicated in-house security team responsible for managing potential risks?

  • Yes
  • No
  • [Insert text field]

3. Does the vendor conduct regular security awareness training for its employees?

  • Yes
  • No
  • [Insert text field]

4. Does the vendor conduct background checks on its employees (e.g., are there any politically exposed persons (PEP) or individuals on law enforcement watch lists)?

  • Yes
  • No
  • [Insert text field]

Cybersecurity Risks

5. Has the vendor completed relevant security questionnaires?

  • Yes
  • No
  • [Insert text field]

6. Has the vendor reached an acceptable security rating level or security posture?

  • Yes
  • No
  • [Insert text field]

7. Does the vendor have processes for risk mitigation and remediation?

  • Yes
  • No
  • [Insert text field]

Data Security and Privacy

8. Does the vendor encrypt sensitive data, both in transit and at rest?

  • Yes
  • No
  • [Insert text field]

9. Are there access control policies in place to limit internal access to sensitive information?

  • Yes
  • No
  • [Insert text field]

10. Does the vendor maintain data privacy guidelines that are compliant with relevant regulations (e.g., GDPR, CCPA)?

  • Yes
  • No
  • [Insert text field]

Incident Response and Management

11. Does the vendor have an incident response plan in place?

  • Yes
  • No
  • [Insert text field]

12. Does the vendor maintain business continuity plans or disaster recovery plans in case of a security incident?

  • Yes
  • No
  • [Insert text field]

13. Are all response procedures regularly tested?

  • Yes
  • No
  • [Insert text field]

14. Is there a protocol for notifying key stakeholders and customers in the event of a data breach or other security incident?

  • Yes
  • No
  • [Insert text field]

Compliance and Certifications

15. Is the vendor compliant or certified with relevant cybersecurity frameworks and standards (e.g., ISO 27001, SOC 2)?

  • Yes
  • No
  • [Insert text field]

16. Does the vendor undergo regular third-party security audits?

  • Yes
  • No
  • [Insert text field]

17. Are compliance certificates and audit reports available for review?

  • Yes
  • No
  • [Insert text field]

Network, Application, and Information Security

18. Does the vendor perform regular vulnerability assessments and penetration testing?

  • Yes
  • No
  • [Insert text field]

19. Are there processes in place to patch identified vulnerabilities?

  • Yes
  • No
  • [Insert text field]

20. Does the vendor have real-time network monitoring to detect unauthorized access or breaches?

  • Yes
  • No
  • [Insert text field]

Fourth-Party or Supply Chain Risk Management

21. Does the vendor assess the security posture of their own third-party providers?

  • Yes
  • No
  • [Insert text field]

Physical Security

22. Are physical access controls in place at the vendor’s facilities?

  • Yes
  • No
  • [Insert text field]

23. Is there surveillance and monitoring to detect unauthorized access?

  • Yes
  • No
  • [Insert text field]

Financial Information

24. Has the vendor complied with all local, state, and federal tax laws without any outstanding tax liens or disputes?

  • Yes
  • No
  • [Insert text field]

25. Has the vendor provided audited financial statements and tax documents?

  • Yes
  • No
  • [Insert text field]

26. Does the vendor have adequate cyber insurance coverage for potential risks related to their business operations?

  • Yes
  • No
  • [Insert text field]

How UpGuard Helps Businesses Conduct Third-Party Vendor Due Diligence

UpGuard helps businesses conduct a complete vendor due diligence process by properly assessing vendors, helping to avoid irrecoverable mistakes and disruptions. With UpGuard Vendor Risk, businesses can manage their end-to-end vendor risk assessment process, supported by our in-house team of world-class third-party risk analysts.

The entire vendor due diligence and risk assessment process is streamlined and automated in the UpGuard platform throughout the entire vendor lifecycle — all in one centralized dashboard. Some of the main features of UpGuard Vendor Risk include:

  • Your organization can generate detailed, comprehensive executive reports about each vendor.
  • Businesses can instantly view a vendor’s security posture using our industry-leading security ratings system, which updates dynamically over time.
  • Security questionnaires are risk-mapped to leading security standards (such as NIST, SIG, or ISO 27001).
  • Vendors are continuously monitored, with real-time alerts on any potential risk exposures.
