Is security due diligence performed before contracting (not as an afterthought)?
Demonstrate that the organization conducts formal security assessments of third parties prior to contract execution, with documented evidence of security evaluation informing contract terms and vendor selection decisions.
Description
What this control does
Security due diligence is a structured evaluation conducted during vendor selection and contract negotiation, before any legal commitment, to assess a third party's security posture, compliance status, regulatory alignment, and risk exposure. It typically covers security questionnaires, independent attestations and certifications (a SOC 2 Type II report and an ISO 27001 certificate, checked for scope, audit period, and noted exceptions rather than taken at face value), penetration test results, incident history, data handling practices, and subprocessor relationships. Completing the assessment before signature lets the organization negotiate security requirements, service levels for incident and breach notification, right-to-audit clauses, and data protection obligations into the contract, instead of discovering gaps after execution, when remediation leverage is minimal.
Control objective
What auditing this proves
Demonstrate that formal security assessments of third parties are completed and documented before contract execution, and that their results demonstrably informed the negotiated contract terms and the vendor selection decision.
Associated risks
Risks this control addresses
- Contracting with vendors possessing inadequate security controls, creating unmitigated supply chain vulnerabilities and unauthorized access pathways to organizational data
- Legal commitment to services that cannot meet regulatory requirements (GDPR, HIPAA, PCI DSS), discovered only after contract lock-in and triggering compliance violations
- Loss of leverage to negotiate security requirements, audit rights, breach notification timelines, or liability terms once the contract is signed
- Vendor incident history or poor security maturity discovered post-engagement leading to costly mid-contract termination and service migration
- Subprocessor and fourth-party risk exposure unknown until after data sharing commences, violating data sovereignty or residency requirements
- Budget allocated to vendors lacking required certifications or controls, necessitating expensive compensating controls or contract renegotiation
- Security treated as a late approval gate rather than a selection criterion, so that compressed procurement timelines force acceptance of high-risk vendors
Testing procedure
How an auditor verifies this control
- Obtain the organization's vendor risk management or third-party security assessment policy to identify the documented due diligence process and triggers.
- Select a sample of 10-15 vendor contracts executed within the audit period, stratifying by risk tier (critical/high data access, moderate, low).
- For each sampled contract, request pre-contract security assessment documentation including completed questionnaires, scorecard evaluations, or risk assessment reports.
- Verify that each security assessment was completed before the contract signature date, using procurement or GRC system records, ticket histories, and dated email correspondence; treat file metadata alone as weak evidence, since it is easily altered.
- Review security assessment content for evidence of evaluation depth: certification verification, control gap identification, data flow analysis, and subprocessor review.
- Examine contract documents to confirm that security findings influenced negotiated terms such as security schedules, SLAs, audit rights, insurance requirements, or data protection addenda.
- Interview procurement and security team members to validate the integration of security assessments into vendor selection scoring and approval workflows.
- Identify any contracts executed without documented pre-signature security due diligence and determine if exceptions followed documented waiver or risk acceptance procedures.
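The timestamp check and the exception check in the procedure above are easy to run mechanically over a procurement export once a sample has been drawn. The script below is an added example, not part of this control page or of any particular GRC product; the record fields, the list of sources treated as trustworthy, and the outcome labels are assumptions chosen for illustration. It marks each sampled contract as passing, needing corroboration (same-day completion or a date taken only from file metadata), an exception covered by a documented waiver, or a finding, and rolls the results up by risk tier so the stratified sample can be reported.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Assumption: these are systems of record whose timestamps the vendor-owning
# team cannot edit, so a date taken from them needs no further corroboration.
TRUSTED_SOURCES = {"grc_ticket", "procurement_system"}


@dataclass
class VendorContract:
    vendor: str
    tier: str                        # "critical", "moderate" or "low" (assumed tiers)
    signed: date                     # contract execution date
    assessed: Optional[date]         # assessment completion date, None if none on file
    source: str = "file_metadata"    # where the assessed date was taken from
    waiver_id: Optional[str] = None  # documented risk-acceptance reference, if any


def evaluate(c: VendorContract) -> str:
    """Return one outcome label for a sampled contract."""
    if c.assessed is None or c.assessed > c.signed:
        # Due diligence absent or performed after legal commitment: the control
        # failed for this contract unless an exception was formally accepted.
        return "exception_waived" if c.waiver_id else "finding"
    if c.assessed == c.signed or c.source not in TRUSTED_SOURCES:
        # Same-day completion, or a date taken only from editable metadata,
        # is not strong enough evidence on its own.
        return "corroborate"
    return "pass"


def audit(sample: List[VendorContract]) -> Tuple[Dict[str, str], Dict[str, Dict[str, int]]]:
    """Evaluate every sampled contract and count outcomes per risk tier."""
    results: Dict[str, str] = {}
    by_tier: Dict[str, Dict[str, int]] = {}
    for c in sample:
        outcome = evaluate(c)
        results[c.vendor] = outcome
        counts = by_tier.setdefault(c.tier, {})
        counts[outcome] = counts.get(outcome, 0) + 1
    return results, by_tier


# Constructed sample records for the example; the vendors are not real.
SAMPLE = [
    VendorContract("acme-crm", "critical", date(2024, 3, 15), date(2024, 2, 28), "grc_ticket"),
    VendorContract("bolt-payments", "critical", date(2024, 4, 2), date(2024, 4, 20), "grc_ticket"),
    VendorContract("cloudstore", "moderate", date(2024, 5, 10), None, waiver_id="RA-2024-07"),
    VendorContract("dataproc", "moderate", date(2024, 6, 1), date(2024, 5, 20), "file_metadata"),
    VendorContract("eventlog", "low", date(2024, 6, 30), date(2024, 6, 30), "procurement_system"),
]

if __name__ == "__main__":
    results, by_tier = audit(SAMPLE)
    for vendor, outcome in results.items():
        print(f"{vendor:15} {outcome}")
    for tier, counts in by_tier.items():
        print(f"{tier:10} {counts}")
```

A "finding" here means the assessment is missing or postdates signature and no waiver reference exists; the auditor still has to confirm that any cited waiver was approved under the documented risk-acceptance procedure rather than trusting the reference alone.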