Learn how to assess third-party risk with our practical, four-step approach to supplier due diligence.
This guide covers key steps including security checklists, supplier questionnaires, written agreements, and ongoing reviews to help ensure your vendors meet your organisation’s security and compliance requirements.

Third-party due diligence is simply the process of evaluating the third parties you work with—like your suppliers and service providers—to ensure they meet your internal standards for security and compliance.
As a business, you likely invest a lot of resources in securing your operations and the data you hold. You may already have security controls and policies in place (such as a minimum password length, multi-factor authentication (MFA), least-privilege access and encryption at rest). But when you engage third parties and give them access to your data and systems, their security practices may not match yours. A weakness in their controls becomes a weakness in your own environment, and can lead to data breaches, unauthorised access and non-compliance.
Even small and medium sized enterprises (SMEs), especially those who outsource their IT, must implement due diligence measures to ensure their vendors or other third-party relationships don’t compromise their security or compliance posture.
Here are four practical steps to implement effective third-party due diligence into your business.
Step 1: Create a security checklist

Before onboarding a new third party or Software as a Service (SaaS) solution (like a CRM system or marketing automation tool), create a checklist that defines what you need from them and lets you evaluate their security posture quickly. Certifications like Cyber Essentials provide useful assurance that specific controls and a minimum standardised baseline of security are in place, but check that the certificate is current and that it covers the part of the business you will be dealing with.
Your checklist can be used in the early stages of evaluation, like when reviewing a potential supplier’s website or trialling a new piece of software.
For new suppliers and partners:
For new software and systems:
Step 2: Send a supplier security questionnaire

Before onboarding a new third party or solution, it's important to ask the right questions to understand the level of risk they could introduce to your organisation. A structured questionnaire helps you gather the information you need to check that they meet your security and compliance requirements.
This questionnaire should go beyond your initial checklist and explore the third party's security practices in more detail. A certification such as ISO 27001 confirms that an information security management system was audited within a defined scope; it does not tell you which controls apply to the specific service you are buying. Ask for the certificate's scope and, where they will share it, the Statement of Applicability, and then ask about the controls that matter to you (how they handle your data, who has access to it, how incidents are reported and how subcontractors are managed).
A more detailed questionnaire reduces ambiguity and gives you the assurance you need to understand how third parties manage their security, and whether this aligns with your own requirements.
Step 3: Put your expectations in writing

A solid written agreement keeps your third parties accountable. Create standard security clauses for all your agreements and contracts that clearly define your expectations around security: for example, the security controls they must maintain, how quickly they must notify you of an incident, whether they may use subcontractors, how your data is handled and returned or deleted when the relationship ends, and your right to request evidence or conduct an audit.
Even with your Managed Service Provider (MSP) or outsourced IT team, don't assume they follow the same security procedures as you! They often hold the most privileged access of any supplier, so their obligations should be written down too.
It's up to your organisation to define what counts as satisfactory evidence that your third parties are following your policies and requirements. This could be screenshots or policy documentation, an independent audit or assurance report that they supply, or, for higher-risk suppliers, an audit you perform against their business yourself.
Step 4: Review your third parties regularly

Third-party due diligence shouldn't stop once a new vendor or partner has been onboarded. Organisations should review their third parties regularly to ensure they continue to meet the agreed security standards.
How frequently you conduct these checks depends on the level of risk each third party presents to your organisation. Suppliers who have access to your sensitive data or privileged access to your systems, for example, should be treated as higher risk and reviewed more often.
Certifications and frameworks have their own renewal cycles, so it's important to verify that they're still valid and up to date: a Cyber Essentials certificate is valid for twelve months, PCI DSS requires annual validation, and an ISO 27001 certificate runs on a three-year cycle with annual surveillance audits. If there's a gap between renewals, question this with the vendor. Sometimes there are legitimate reasons for delays, but having visibility of these situations is critical so you can manage the risk.
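The review cadence and certificate checks described in this step are easy to lose track of in a spreadsheet. The following Python is an added example written for this article, not a tool or code from the authors: it keeps a small supplier register, tiers each supplier by the access it holds, works out when its next review is due, and flags certificates that have expired, are about to expire, or were renewed after a gap. The review intervals, warning window, access categories and the suppliers in the register are all assumptions constructed for the example; replace them with the values from your own supplier security framework.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Review cadence per risk tier. These intervals are an assumed policy for the
# example; set them to whatever your own supplier security framework requires.
REVIEW_INTERVAL_DAYS = {"high": 90, "medium": 180, "low": 365}
EXPIRY_WARNING_DAYS = 30   # flag certificates that lapse within this window


@dataclass
class Certification:
    scheme: str    # e.g. "Cyber Essentials", "ISO 27001", "PCI DSS"
    issued: date
    expires: date


@dataclass
class Supplier:
    name: str
    access: set               # what the supplier can reach in your estate
    last_review: date         # date of the last due-diligence review
    certifications: list = field(default_factory=list)


def risk_tier(supplier):
    """Tier a supplier by the access it holds: the more it can reach, the more often it is reviewed."""
    if supplier.access & {"sensitive_data", "privileged_access"}:
        return "high"
    if "internal_systems" in supplier.access:
        return "medium"
    return "low"


def review_findings(supplier, today):
    """Return the issues a reviewer should chase up for one supplier as of `today`."""
    findings = []
    tier = risk_tier(supplier)
    due = supplier.last_review + timedelta(days=REVIEW_INTERVAL_DAYS[tier])
    if today > due:
        findings.append(f"review overdue by {(today - due).days} days (tier {tier})")

    # Group certificates by scheme so renewals of the same scheme can be compared.
    by_scheme = {}
    for cert in supplier.certifications:
        by_scheme.setdefault(cert.scheme, []).append(cert)

    for scheme, certs in by_scheme.items():
        certs.sort(key=lambda c: c.issued)
        # A renewal issued after the previous certificate expired means the
        # supplier was uncertified for that period: ask the vendor why.
        for prev, nxt in zip(certs, certs[1:]):
            if nxt.issued > prev.expires:
                gap = (nxt.issued - prev.expires).days
                findings.append(f"{scheme}: {gap}-day gap between {prev.expires} and {nxt.issued}")
        current = certs[-1]
        if current.expires < today:
            findings.append(f"{scheme}: expired on {current.expires}")
        elif (current.expires - today).days <= EXPIRY_WARNING_DAYS:
            findings.append(f"{scheme}: expires on {current.expires} (within {EXPIRY_WARNING_DAYS} days)")
    return findings


def run_register(register, today):
    """Map each supplier name to its findings; suppliers with nothing to chase are omitted."""
    report = {}
    for supplier in register:
        findings = review_findings(supplier, today)
        if findings:
            report[supplier.name] = findings
    return report


# Constructed sample register (not real suppliers); dates chosen to show each kind of finding.
TODAY = date(2025, 6, 1)
SAMPLE_REGISTER = [
    Supplier("Acme MSP", {"privileged_access"}, date(2025, 1, 15), [
        Certification("Cyber Essentials", date(2024, 5, 1), date(2025, 5, 1)),
        Certification("Cyber Essentials", date(2025, 5, 20), date(2026, 5, 20)),
    ]),
    Supplier("Card Payments Ltd", {"sensitive_data"}, date(2025, 4, 1), [
        Certification("PCI DSS", date(2024, 3, 1), date(2025, 3, 1)),
    ]),
    Supplier("Print Shop", set(), date(2024, 9, 1), [
        Certification("ISO 27001", date(2022, 6, 10), date(2025, 6, 9)),
    ]),
    Supplier("Stationery Co", set(), date(2025, 3, 1), [
        Certification("Cyber Essentials", date(2025, 2, 1), date(2026, 2, 1)),
    ]),
]

if __name__ == "__main__":
    for name, findings in run_register(SAMPLE_REGISTER, TODAY).items():
        print(name)
        for item in findings:
            print("  -", item)
```

Run as a script it prints a short action list: the MSP's review is overdue and its Cyber Essentials renewal left a 19-day gap, the payments supplier's PCI DSS validation has lapsed, and the print shop's ISO 27001 certificate expires within the warning window. The low-risk stationery supplier generates nothing, which is the point of tiering: effort goes where the access is.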
When you engage third parties, you're extending your security 'perimeter' beyond your direct control. Ultimately, though, you remain accountable for keeping that perimeter secure, which means making sure that the organisations you work with meet your security standards and requirements.
These practices should be used by organisations of all sizes; they aren’t just reserved for large enterprises. Even small and micro businesses should have oversight and agreements in place with all third parties to formalise expectations.
Implementing this structured approach to third-party due diligence will help you protect your systems and data, and by extension, your clients and brand. It will give you peace of mind that the organisations you choose to work with can support the integrity of your business operations.
If you're ready to secure your extended perimeter, let’s discuss how we can support you—whether you need a gap analysis for a specific certification or framework (e.g., Cyber Essentials, ISO 27001, PCI DSS) or a supplier security framework, our expert Information Assurance team are here to help. Let’s talk.