What is Third-Party Due Diligence?
Third-party due diligence is the systematic evaluation of vendors, suppliers, and business partners to verify their compliance posture, security controls, and operational risk before engagement. It encompasses background checks, control assessments, financial reviews, and ongoing monitoring to ensure third parties meet your organization's risk tolerance and regulatory requirements.
Key takeaways:
- Required by SOC 2, ISO 27001, GDPR, and sector-specific regulations like HIPAA
- Includes financial, operational, compliance, and reputational risk assessment
- Must be risk-based and proportional to the criticality of the third-party relationship
- Creates defensible audit trails for regulatory examinations
- Extends beyond initial vetting to continuous monitoring
A substantial share of data breaches originate with third parties, according to the Ponemon Institute's 2023 research. Yet many organizations still treat vendor vetting as a procurement checkbox rather than a risk management imperative.
Third-party due diligence transforms vendor selection from a transactional process into a strategic risk decision. For GRC analysts and compliance officers, it means building a defensible framework that satisfies multiple regulatory requirements while enabling business velocity.
The challenge: regulations and frameworks such as GDPR Article 28, SOC 2 criterion CC9.2, and ISO 27001 Annex A.15 (the supplier-relationship controls in the 2013 edition, renumbered 5.19 to 5.23 in the 2022 edition) mandate third-party oversight but provide minimal implementation guidance. Financial services face additional requirements under OCC Bulletin 2013-29 (replaced in 2023 by the interagency third-party risk management guidance, OCC Bulletin 2023-17) and FFIEC guidance. Healthcare entities must ensure Business Associate Agreements align with HIPAA requirements.
This guide provides the technical foundation for building a third-party due diligence program that satisfies cross-framework requirements while remaining operationally practical.
Core Components of Third-Party Due Diligence
Third-party due diligence consists of five interlocking components:
1. Risk Tiering. Classify vendors based on data access, criticality, and regulatory exposure:
- Critical: Access to regulated data or business-critical functions
- High: Process sensitive data or support key operations
- Medium: Limited data access with recovery options
- Low: No sensitive data, easily replaceable
2. Control Verification. Map vendor controls to your compliance requirements:
- Security certifications (SOC 2, ISO 27001, PCI DSS)
- Industry-specific attestations (HITRUST for healthcare)
- Technical assessments (penetration tests, vulnerability scans)
- Policy and procedure reviews
3. Financial Stability Analysis. Assess vendor viability through:
- Dun & Bradstreet ratings
- Financial statement review (for critical vendors)
- Insurance coverage verification
- Business continuity capabilities
4. Operational Risk Assessment. Evaluate service delivery risks:
- Geographic concentration
- Subcontractor dependencies
- Key person risks
- Technology stack vulnerabilities
5. Continuous Monitoring. Post-contract surveillance including:
- Annual reassessments
- Breach notification monitoring
- Financial health tracking
- Performance metric reviews
Regulatory Requirements Matrix
Different frameworks mandate specific due diligence elements:
| Framework | Due Diligence Requirements | Documentation Needs |
|---|---|---|
| SOC 2 (CC9.2) | Vendor and business partner risk assessment, control evaluation | Risk assessments, vendor agreements |
| ISO 27001 (A.15 in the 2013 edition; 5.19-5.23 in 2022) | Supplier security requirements, monitoring | Supplier agreements, review records |
| GDPR (Art. 28) | Processor vetting, contractual safeguards | Processing agreements, audit rights |
| HIPAA | Business Associate due diligence | BAAs, security assessments |
| PCI DSS (12.8) | Service provider management program | Provider lists, annual reviews |
Practical Implementation Framework
Phase 1: Inherent Risk Assessment (Days 1-5)
- Classify vendor by data access level
- Identify applicable regulations
- Determine required controls based on classification
- Set assessment depth (questionnaire vs. onsite audit)
Phase 2: Control Validation (Days 6-20)
- Send a risk-appropriate questionnaire:
  - Critical vendors: 200+ control questions
  - High risk: 100-150 questions
  - Medium risk: 50-75 questions
  - Low risk: 25 baseline questions
- Request evidence:
  - SOC reports or ISO certificates
  - Security testing results
  - Insurance declarations
  - Financial statements (if critical)
- Validate responses against evidence
- Identify control gaps
Phase 3: Risk Scoring and Decision (Days 21-25)
- Score inherent risk vs. residual risk
- Document compensating controls
- Generate risk decision memorandum
- Obtain business approval for residual risk
Phase 4: Contract Integration (Days 26-30)
- Include right-to-audit clauses
- Define security requirements
- Establish breach notification SLAs
- Document data protection obligations
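The tiering, scoring and decision steps of Phases 1 to 3, carried through as an added worked example (this is not code from the original article). The four tiers, the questionnaire sizes and the reassessment intervals come from the article; the 0-100 scale, the dimension weights, the residual-risk appetite per tier, the credit given to compensating controls and the three sample vendors are assumptions chosen for illustration. The example also encodes the evidence-gap rule from the failures section: for tiers that require documentary evidence, questionnaire answers that were never validated earn no mitigation credit.

```python
"""Vendor risk tiering, inherent vs. residual scoring, and the risk decision.

Added worked example; not code from the original article. The weights, the
0-100 scale, the appetite thresholds and the sample vendors are assumptions.
"""
from dataclasses import dataclass, field

# Ordinal scales, low to high, matching the article's tier definitions.
DATA_ACCESS = {"none": 0, "limited": 1, "sensitive": 2, "regulated": 3}
CRITICALITY = {"replaceable": 0, "recoverable": 1, "key_operation": 2, "business_critical": 3}
TIERS = ["Low", "Medium", "High", "Critical"]

# Assessment depth and reassessment cadence per tier (article's Phase 2 and FAQ values).
TIER_POLICY = {
    "Critical": {"questions": 200, "reassess_months": 12, "evidence_required": True},
    "High":     {"questions": 150, "reassess_months": 18, "evidence_required": True},
    "Medium":   {"questions": 75,  "reassess_months": 24, "evidence_required": False},
    "Low":      {"questions": 25,  "reassess_months": 36, "evidence_required": False},
}
# Maximum acceptable residual risk per tier on the 0-100 scale (assumed values).
APPETITE = {"Critical": 25, "High": 35, "Medium": 50, "Low": 65}
COMPENSATING_CREDIT = 0.10  # mitigation credit per documented compensating control (assumed)


@dataclass
class Vendor:
    name: str
    data_access: str        # key of DATA_ACCESS
    criticality: str        # key of CRITICALITY
    regulations: set        # e.g. {"GDPR", "HIPAA"}; regulatory exposure
    subcontractors: int     # fourth parties that handle your data
    single_region: bool     # geographic concentration
    # Control effectiveness as claimed in the questionnaire, 0.0 (none) to 1.0 (all key controls).
    control_effectiveness: float = 0.0
    # True only once the claims were checked against SOC 2 / ISO / pen-test evidence.
    evidence_validated: bool = False
    compensating_controls: list = field(default_factory=list)


def tier(v: Vendor) -> str:
    """Phase 1: the tier is driven by the higher of data access and criticality."""
    return TIERS[max(DATA_ACCESS[v.data_access], CRITICALITY[v.criticality])]


def inherent_risk(v: Vendor) -> int:
    """Phase 1: 0-100 score before any vendor control is credited."""
    return (DATA_ACCESS[v.data_access] * 12        # up to 36
            + CRITICALITY[v.criticality] * 10      # up to 30
            + min(len(v.regulations), 3) * 6       # up to 18
            + min(v.subcontractors, 3) * 2         # up to 6
            + (10 if v.single_region else 0))      # up to 10


def residual_risk(v: Vendor) -> int:
    """Phase 3: inherent risk reduced by validated vendor controls and by your
    own documented compensating controls."""
    effectiveness = v.control_effectiveness
    # Evidence-gap rule: where evidence is required, unvalidated answers earn no credit.
    if TIER_POLICY[tier(v)]["evidence_required"] and not v.evidence_validated:
        effectiveness = 0.0
    mitigation = min(1.0, effectiveness + COMPENSATING_CREDIT * len(v.compensating_controls))
    return round(inherent_risk(v) * (1 - mitigation))


def risk_decision(v: Vendor) -> dict:
    """Phase 3 output: the contents of a risk decision memorandum."""
    t = tier(v)
    inherent, residual = inherent_risk(v), residual_risk(v)
    within = residual <= APPETITE[t]
    if not within:
        approver = "business owner and CISO, with a documented risk acceptance"
    elif t == "Critical":
        approver = "executive reviewer (critical vendors always get executive sign-off)"
    else:
        approver = "vendor risk manager"
    return {"vendor": v.name, "tier": t,
            "questionnaire_size": TIER_POLICY[t]["questions"],
            "reassess_months": TIER_POLICY[t]["reassess_months"],
            "inherent": inherent, "residual": residual, "appetite": APPETITE[t],
            "within_appetite": within, "approver": approver,
            "compensating_controls": list(v.compensating_controls)}


# Constructed sample vendors (not real companies).
CLAIMS_PROCESSOR = Vendor("Example Claims Processor", "regulated", "business_critical",
                          {"HIPAA", "GDPR"}, subcontractors=2, single_region=True,
                          control_effectiveness=0.7, evidence_validated=True,
                          compensating_controls=["field-level encryption, customer-held keys"])
PAYROLL_SAAS = Vendor("Example Payroll SaaS", "regulated", "key_operation", {"GDPR"},
                      subcontractors=1, single_region=False,
                      control_effectiveness=0.6, evidence_validated=False)
NEWSLETTER_TOOL = Vendor("Example Newsletter Tool", "limited", "replaceable", {"GDPR"},
                         subcontractors=0, single_region=False, control_effectiveness=0.3)

if __name__ == "__main__":
    for vendor in (CLAIMS_PROCESSOR, PAYROLL_SAAS, NEWSLETTER_TOOL):
        d = risk_decision(vendor)
        print(f"{d['vendor']}: {d['tier']} tier, inherent {d['inherent']}, residual "
              f"{d['residual']} vs appetite {d['appetite']} -> approver: {d['approver']}")
```

The payroll vendor is the instructive case: it claims reasonably strong controls, but because it sits in the Critical tier and nothing was validated, its residual score equals its inherent score and the decision escalates to a documented risk acceptance. The claims processor, with validated evidence plus a compensating control, lands within appetite but still goes to executive review because of its tier.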
Common Due Diligence Failures
Checkbox Mentality: Organizations often treat questionnaires as pass/fail rather than as risk inputs. A vendor missing certain controls might be acceptable with compensating measures. Document the risk decision, not just the assessment.
Static Assessment: Initial due diligence without ongoing monitoring misses emerging risks. The average vendor relationship lasts 3.2 years—risks evolve significantly over that period.
Inconsistent Depth: Applying the same 300-question assessment to every vendor wastes resources and delays low-risk engagements. Risk-tier your approach.
Evidence Gaps: Questionnaire responses are accepted without validation. Critical and high-risk vendors should provide documentary evidence for key controls, and unvalidated claims should earn no credit in the risk score.
Industry-Specific Considerations
Financial Services: OCC Bulletin 2013-29, and the 2023 interagency guidance (OCC Bulletin 2023-17) that replaced it, require board-level oversight of third-party risk. Document risk appetite statements and ensure executive review of critical vendor assessments.
Healthcare: HIPAA requires Business Associate Agreements before sharing PHI. Due diligence must verify the vendor's HIPAA compliance program, including breach response capabilities.
Government Contractors: CMMC certification and FedRAMP authorization introduce specific requirements. Due diligence must verify the current certification or authorization status and its scope.
Technology and Tools
Modern TPRM platforms automate much of the due diligence workflow:
- Centralized questionnaire management
- Evidence collection and validation
- Risk scoring algorithms
- Continuous monitoring integration
- Regulatory change tracking
Manual processes average 30 days per vendor assessment. Automated platforms reduce this to 7-10 days while improving consistency.
Building Your Program
Start with these foundational elements:
- Risk Tiering Criteria: Define clear, measurable criteria for vendor classification
- Standard Questionnaires: Develop risk-based assessment templates
- Scoring Methodology: Create consistent risk scoring across assessments
- Decision Framework: Document approval authorities and risk acceptance criteria
- Monitoring Cadence: Establish reassessment frequencies by risk tier
Remember: third-party due diligence isn't about eliminating vendor relationships—it's about understanding and managing the risks they introduce.
Frequently Asked Questions
How does third-party due diligence differ from vendor risk assessment?
Due diligence is the investigative work performed before engaging a vendor and repeated at each reassessment. Vendor risk assessment (or third-party risk management) is the broader lifecycle that includes initial due diligence, contractual controls, and ongoing monitoring throughout the relationship.
What's the minimum due diligence required for SOC 2 compliance?
SOC 2 criterion CC9.2 requires the entity to assess and manage the risks associated with vendors and business partners. In practice this means security questionnaires, contract reviews, and annual reassessments for in-scope vendors.
How often should we reassess existing vendors?
Risk-based approach: Critical vendors annually, high-risk vendors every 18 months, medium-risk every 2 years, low-risk every 3 years or upon significant change.
Can we rely on SOC 2 reports instead of conducting our own due diligence?
SOC 2 reports provide valuable control assurance but don't replace due diligence. Verify that the report is a Type II whose period covers your engagement (or is extended by a current bridge letter), that the services and Trust Services Criteria you rely on are in scope, that carved-out subservice organizations are assessed separately, and that the complementary user entity controls listed in the report are assigned to owners on your side. You still need to assess non-SOC risks (financial, operational) and ensure contractual protections.
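The report-coverage check described in this answer, as an added worked example (not code from the original article). The report fields, the two sample reports and the as-of date are constructed; the 365-day freshness window and the 90-day bridge-letter allowance are assumed policy values.

```python
"""Checking that a vendor's SOC 2 report actually covers your use of the vendor.

Added worked example; not code from the original article. The report fields
and sample reports are constructed; the freshness window and bridge-letter
allowance are assumed policy values.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional


@dataclass
class Soc2Report:
    vendor: str
    report_type: str                 # "Type I" (point in time) or "Type II" (tested over a period)
    period_start: date
    period_end: date
    criteria: set                    # Trust Services Criteria covered, e.g. {"Security", "Availability"}
    in_scope_services: set           # services/systems the auditor actually covered
    carved_out_subservice_orgs: set  # subservice organizations excluded via the carve-out method
    cuecs: list = field(default_factory=list)       # complementary user entity controls you must run
    exceptions: list = field(default_factory=list)  # control exceptions noted by the auditor
    qualified_opinion: bool = False
    bridge_letter_through: Optional[date] = None    # vendor-asserted coverage past period_end


def review_soc2(report: Soc2Report, services_used: set, criteria_needed: set,
                as_of: date, max_age_days: int = 365, bridge_days: int = 90) -> dict:
    """Return {"accept": bool, "findings": [(severity, message), ...]}.
    'gap' findings block acceptance of the report as evidence; 'follow-up'
    findings do not block but need an owner."""
    findings = []

    if report.report_type != "Type II":
        findings.append(("gap", "Type I report describes controls at a point in time; "
                                "operating effectiveness was not tested"))
    age = (as_of - report.period_end).days
    if age > max_age_days:
        findings.append(("gap", f"report period ended {age} days ago, beyond the "
                                f"{max_age_days}-day freshness window"))

    # A bridge letter extends coverage only across a limited gap between reports.
    covered_through = report.period_end
    if report.bridge_letter_through is not None:
        if report.bridge_letter_through - report.period_end > timedelta(days=bridge_days):
            findings.append(("gap", f"bridge letter spans more than {bridge_days} days; "
                                    "a new report is due"))
        else:
            covered_through = report.bridge_letter_through
    if as_of > covered_through:
        findings.append(("gap", f"no report or bridge-letter coverage as of {as_of}"))

    for missing in sorted(services_used - report.in_scope_services):
        findings.append(("gap", f"service '{missing}' is not in the report scope"))
    for missing in sorted(criteria_needed - report.criteria):
        findings.append(("gap", f"criterion '{missing}' is not covered by the report"))
    if report.qualified_opinion:
        findings.append(("gap", "auditor issued a qualified opinion"))

    for org in sorted(report.carved_out_subservice_orgs):
        findings.append(("follow-up", f"carved-out subservice organization '{org}': "
                                      "obtain and review its own report"))
    if report.cuecs:
        findings.append(("follow-up", f"{len(report.cuecs)} complementary user entity "
                                      "controls need an internal owner"))
    for ex in report.exceptions:
        findings.append(("follow-up", f"auditor-noted exception: {ex}"))

    accept = not any(sev == "gap" for sev, _ in findings)
    return {"accept": accept, "findings": findings}


# Constructed sample reports (not real vendors) and a fixed review date.
AS_OF = date(2025, 3, 15)
FRESH_REPORT = Soc2Report(
    vendor="Example Payments Vendor", report_type="Type II",
    period_start=date(2024, 1, 1), period_end=date(2024, 12, 31),
    criteria={"Security", "Availability"}, in_scope_services={"Payments API"},
    carved_out_subservice_orgs={"cloud hosting provider"},
    cuecs=["enforce MFA on API credentials", "review user access quarterly"],
    bridge_letter_through=date(2025, 3, 31),
)
STALE_REPORT = Soc2Report(
    vendor="Example Analytics Vendor", report_type="Type I",
    period_start=date(2023, 6, 30), period_end=date(2023, 6, 30),
    criteria={"Security"}, in_scope_services={"Analytics Platform"},
    carved_out_subservice_orgs=set(),
)

if __name__ == "__main__":
    cases = [(FRESH_REPORT, {"Payments API"}, {"Security"}),
             (FRESH_REPORT, {"Payments API", "Merchant Dashboard"}, {"Security", "Confidentiality"}),
             (STALE_REPORT, {"Analytics Platform"}, {"Security"})]
    for rep, services, criteria in cases:
        result = review_soc2(rep, services, criteria, AS_OF)
        print(rep.vendor, "accept as evidence:", result["accept"])
        for sev, msg in result["findings"]:
            print("   ", sev, "-", msg)
```

The same report passes for one use and fails for another: it is acceptable evidence for the Payments API under the Security criterion, but not once you also rely on a dashboard and a criterion the auditor never covered. The carve-out and the user entity controls never block acceptance on their own, but they are exactly the items that turn into open follow-ups when a report is filed as a checkbox.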
What evidence should we collect during due diligence?
Priority evidence includes: security certifications (SOC 2, ISO 27001), penetration test summaries, insurance certificates, financial statements (for critical vendors), and security policies.
How do we handle vendors who won't complete our questionnaires?
Document the refusal as a risk factor. For critical vendors, this may be disqualifying. For lower-risk vendors, consider abbreviated assessments focusing on key controls or relying more heavily on contractual protections.