A Full Supplier Due Diligence Questionnaire is a detailed security assessment used to evaluate the cybersecurity, compliance, and risk posture of suppliers who have direct access to internal systems, networks, or sensitive data. This questionnaire ensures that all third-party vendors adhere to robust security standards and mitigate potential security risks.
This article explains when to use a full due diligence questionnaire, the key areas it covers, and the questions that are typically asked.
When to Use a Full Supplier Due Diligence Questionnaire
A full cybersecurity due diligence assessment is required when a supplier has higher levels of access or responsibility, which introduces potential security and compliance risks to an organisation.
Ideal Use Cases
The supplier has direct access to the corporate network, IT systems, or databases.
The supplier processes, stores, or transmits confidential, personal, or regulated data (e.g., PII, financial information, health records).
The supplier provides critical IT or cybersecurity services, including cloud hosting, managed IT, software development, or penetration testing.
The supplier has privileged access to internal infrastructure, such as administrators, DevOps teams, or third-party consultants.
The supplier operates in a highly regulated industry that requires strict compliance (e.g., financial services, healthcare, legal).
In these cases, it is crucial to conduct a thorough security assessment before granting access or finalising contracts.
Key Sections & Questions in a Full Due Diligence Questionnaire
Unlike a lightweight questionnaire, which focuses on fundamental security measures, a full due diligence assessment delves deeper into the supplier’s security governance, compliance status, operational security controls, and incident response capabilities.
1. About the Organisation
Name of the supplier and key contact details.
Description of the services provided.
Physical locations where data processing occurs.
Whether the supplier uses subcontractors or third-party service providers.
2. Security Policy & Organisation
Does the supplier have a documented cybersecurity policy?
Is the organisation accredited to security standards such as ISO 27001, Cyber Essentials Plus, PCI-DSS, or SOC 2?
Is there a dedicated security team responsible for managing cybersecurity risks?
How does management provide security leadership and oversight?
3. Personnel Security
Are background checks (e.g., criminal, financial) conducted before hiring employees?
Are employees required to sign non-disclosure agreements (NDAs)?
Do staff receive mandatory cybersecurity awareness training?
Is there an access control policy to limit employees' access to sensitive data?
4. Data Protection & Privacy Compliance
Does the supplier comply with GDPR, CCPA, or other data protection regulations?
What encryption methods are used to protect data at rest and in transit?
How does the supplier manage data retention and deletion?
Has the supplier experienced a data protection violation or regulatory penalty in the past 24 months?
5. Physical Security
Where are data processing centres and offices located?
What physical security controls are in place (e.g., biometric access, security guards, CCTV monitoring)?
Are visitors and contractors restricted from accessing sensitive areas?
6. Information Disposal & Data Destruction
What procedures are followed for secure data disposal?
How does the organisation ensure that decommissioned IT equipment is securely wiped or destroyed?
Are third-party data destruction providers used, and are they certified?
7. System & IT Security Management
Are firewalls, intrusion detection systems (IDS), and anti-malware tools in place?
How are software updates and security patches managed?
Are administrative privileges restricted and monitored?
Is multi-factor authentication (MFA) enforced for remote and privileged access?
8. Resilience & Business Continuity
Does the supplier have a business continuity and disaster recovery plan?
How frequently are backup and restore processes tested?
How does the supplier ensure resilience against cyber attacks, such as ransomware?
9. Cloud, Platform, and Infrastructure Security
Does the supplier host services in on-premises data centres, public cloud (AWS, Azure, Google Cloud), or hybrid environments?
How is cloud access and identity management controlled?
Are cloud-based systems monitored for security incidents?
10. Application Security
How does the supplier ensure secure software development (e.g., DevSecOps, code reviews, penetration testing)?
Are third-party dependencies and open-source libraries audited for vulnerabilities?
Does the supplier implement secure authentication and session management?
11. Network Security
What network segmentation measures are in place to limit access to sensitive systems?
Are VPNs, firewalls, and intrusion prevention systems (IPS) used?
How does the supplier detect and respond to unauthorised access attempts?
Why a Full Due Diligence Questionnaire is Essential
A comprehensive supplier due diligence questionnaire ensures that any vendor with access to internal systems, sensitive data, or critical infrastructure meets the organisation’s security and compliance requirements.
Key Benefits:
Reduces Cybersecurity Risks – Prevents security weaknesses by ensuring suppliers meet cybersecurity best practices.
Ensures Compliance with Regulations – Validates supplier adherence to legal frameworks such as GDPR, CCPA, ISO 27001, or PCI-DSS.
Identifies Weaknesses in Supplier Security Posture – Helps uncover gaps in incident response, cloud security, and access controls.
Improves Third-Party Risk Management – Provides a standardised process for evaluating and approving vendors.
Facilitates Contract Negotiations – Establishes clear security requirements before finalising supplier agreements.
How to Use a Full Due Diligence Questionnaire
Step-by-Step Process
Determine if a Full Due Diligence is Required
If a supplier has access to critical systems or sensitive data, a full assessment is mandatory.
If they only provide low-risk services, a lightweight questionnaire may be sufficient.
Distribute the Questionnaire
Provide the supplier with clear instructions and a timeline for submission.
Ensure they understand that non-compliance may affect approval.
Review & Validate Responses
Cross-check responses with security certifications, policy documents, and audit reports.
Identify high-risk answers, such as lack of security controls or previous data breaches.
Assess the Supplier’s Security Risk Level
Assign a risk rating (e.g., Low, Moderate, High) based on responses.
Suppliers with unacceptable risks should be required to implement corrective actions.
Approve or Escalate
If security risks are low or mitigated, approve the supplier.
If security risks are high, escalate for further assessment or rejection.
Comparison: Lightweight vs. Full Due Diligence
Assessment Type | Supplier Access to Systems? | Handles Sensitive Data? | Security Review Depth |
|---|---|---|---|
Lightweight Questionnaire | No | No | Basic |
Full Due Diligence | Yes | Yes | Detailed & Comprehensive |
Conclusion
A full supplier due diligence questionnaire is essential for evaluating vendors that handle critical IT systems or sensitive data. It provides a structured, evidence-based approach to assessing supplier security posture, ensuring compliance, and reducing third-party cybersecurity risks.
By following a standardised due diligence process, organisations can make informed decisions about supplier partnerships while protecting their assets from potential security threats.
Was this article helpful?
That’s Great!
Thank you for your feedback
Sorry! We couldn't be helpful
Thank you for your feedback
Feedback sent
We appreciate your effort and will try to fix the article