Understanding Due Diligence Reports in Cybersecurity

Created by Peter Bassill, Modified on Thu, 20 Mar at 6:32 PM by Peter Bassill

Due Diligence (DD) reports are a critical component of assessing a supplier's cybersecurity posture before engaging in business relationships. These reports help organisations identify and mitigate risks associated with third-party suppliers by evaluating their cybersecurity practices, compliance with industry standards, history of incidents, and overall security reputation.

This knowledge base article serves two primary audiences:

  1. Clients – To help them understand what a Due Diligence report entails and how it informs decision-making.

  2. Analysts – To provide clear guidance on conducting these assessments effectively and consistently.


Purpose of a Due Diligence Report

A DD report evaluates a supplier’s cybersecurity maturity by analysing publicly available data, open-source intelligence (OSINT), and other accessible security indicators. The objective is to determine whether a supplier presents a cybersecurity risk to an organisation and, if so, to what degree.

The findings in a DD report are summarised into a risk grade (A to F) to provide a high-level risk assessment. The grading system ensures that stakeholders can quickly understand the cybersecurity standing of a potential supplier.


Structure of a Due Diligence Report

A standard DD report consists of the following sections:

1. Executive Summary

The Executive Summary provides an overview of the supplier's cybersecurity posture, highlighting key findings, major risks, and an overall risk rating (A to F).

Risk Ratings:

  • Grade A – Minimal Risk: Strong cybersecurity posture, compliance with industry standards, no reported breaches.

  • Grade B – Low Risk: Mostly robust, minor vulnerabilities or past incidents, adheres to standards.

  • Grade C – Moderate Risk: Basic cybersecurity measures in place, some security gaps.

  • Grade D – Elevated Risk: Significant security weaknesses, past breaches, compliance gaps.

  • Grade E – High Risk: Poor security infrastructure, critical vulnerabilities, history of major breaches.

  • Grade F – Critical Risk: Extremely weak cybersecurity, non-compliant, significant security failures.

2. Cybersecurity Posture Overview

This section assesses whether the supplier has publicly available cybersecurity policies, trust indicators, and security certifications.

  • Policy Availability: Are cybersecurity policies published?

  • Industry Standard Compliance: Does the supplier claim to follow recognised frameworks like ISO 27001, NIST, or SOC 2?

3. Data Protection and Privacy Compliance

Evaluates the supplier’s compliance with relevant data protection laws such as GDPR and CCPA. This includes:

  • Privacy policy assessment.

  • Confirmation of regulatory compliance claims.

4. Cybersecurity Incident History

Investigates any publicly reported cybersecurity incidents:

  • Historical Data Breaches: Have they been breached before?

  • Incident Response: How well do they handle incidents? Do they disclose them transparently?

5. Vulnerability Exposure

Examines the supplier’s history of known vulnerabilities, including:

  • Publicly disclosed security flaws.

  • Findings from independent security assessments.

6. Cybersecurity Technologies and Practices

Analyses the supplier’s security controls and best practices:

  • Use of firewalls, intrusion detection systems, encryption, and access controls.

  • Implementation of multi-factor authentication and identity management.

  • Availability of security awareness training programs.

7. Reputation in the Cybersecurity Community

Evaluates the supplier’s reputation based on:

  • Media coverage of security-related events.

  • Discussions on cybersecurity forums and social media.

8. Third-Party Trust Indicators

Assesses certifications, security seals, and endorsements from third-party organisations that validate the supplier’s security posture.


Due Diligence Scoring System

The Due Diligence Scoring system is used to objectively rate suppliers by assigning weighted scores to different cybersecurity aspects.

Each section of the report contributes a specific weighted score based on its importance. The overall cybersecurity risk score is calculated by evaluating:

  • The supplier’s adherence to cybersecurity standards.

  • The presence (or absence) of security controls.

  • The history of data breaches and vulnerabilities.

For example, an organisation with robust cybersecurity policies, industry certifications, and no history of breaches will score higher (i.e., lower risk), while one with a poor track record and weak policies will score lower (i.e., higher risk).

Example Scoring Breakdown (Contribution = Score × Weighting):

Category                                    Score   Weighting   Contribution to Final Grade
Publicly Available Cybersecurity Policies     3       0.15        0.45
Data Protection and Privacy Compliance        3       0.60        1.80
Cybersecurity Incident History                5       1.50        7.50
Vulnerability Exposure                        2       0.50        1.00
Cybersecurity Technologies and Practices      2       0.30        0.60

The final score determines the risk grade (A-F) assigned in the Executive Summary.
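The weighted scoring described above, as an added worked example that is not part of the original article: the weightings and the example scores are the ones from the breakdown, while the 0 to 5 score scale and the A to F thresholds are assumptions, since the article does not publish them. The function refuses to score a report whose categories do not match the fixed weighting set, which is how the "consistency across all reports" practice is enforced in code.

```python
from dataclasses import dataclass

# Weightings per report section, taken from the article's example breakdown.
WEIGHTINGS = {
    "Publicly Available Cybersecurity Policies": 0.15,
    "Data Protection and Privacy Compliance": 0.60,
    "Cybersecurity Incident History": 1.50,
    "Vulnerability Exposure": 0.50,
    "Cybersecurity Technologies and Practices": 0.30,
}

# Assumed (hypothetical) grade thresholds on the total: higher total = lower risk.
# The article does not state these values; replace with the real ones.
GRADE_THRESHOLDS = [("A", 13.0), ("B", 11.0), ("C", 9.0), ("D", 7.0), ("E", 5.0)]

# Example section scores from the article's breakdown table.
EXAMPLE_SCORES = {
    "Publicly Available Cybersecurity Policies": 3,
    "Data Protection and Privacy Compliance": 3,
    "Cybersecurity Incident History": 5,
    "Vulnerability Exposure": 2,
    "Cybersecurity Technologies and Practices": 2,
}


@dataclass
class ScoreLine:
    category: str
    score: int
    weighting: float
    contribution: float  # score * weighting, rounded to 2 decimals


def score_report(section_scores, weightings=WEIGHTINGS):
    """Return (lines, total). Every report must score exactly the weighted
    categories, so a missing or unknown section is an error, not a zero."""
    missing = set(weightings) - set(section_scores)
    unknown = set(section_scores) - set(weightings)
    if missing or unknown:
        raise ValueError(f"missing={sorted(missing)} unknown={sorted(unknown)}")
    lines = []
    for category, weight in weightings.items():
        score = section_scores[category]
        if not 0 <= score <= 5:  # assumed 0-5 scale per section
            raise ValueError(f"{category}: score {score} outside 0-5")
        lines.append(ScoreLine(category, score, weight, round(score * weight, 2)))
    return lines, round(sum(line.contribution for line in lines), 2)


def grade_for(total, thresholds=GRADE_THRESHOLDS):
    """Map a total to A-F: first threshold the total meets, else F."""
    return next((g for g, floor in thresholds if total >= floor), "F")
```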


Guidance for Analysts

Step-by-Step Process for Conducting a Due Diligence Report

  1. Gather Open-Source Intelligence (OSINT): Collect all publicly available data on the supplier’s security posture.

  2. Check for Compliance and Certifications: Verify claims of compliance with recognised security frameworks.

  3. Analyse Past Breaches and Incidents: Review historical data to identify potential risks.

  4. Assess Security Policies and Controls: Evaluate published cybersecurity documentation.

  5. Evaluate Third-Party Assessments: Look for independent security reviews of the supplier.

  6. Assign a Risk Rating: Calculate the final score and assign an A-F risk grade.

  7. Draft and Review the Report: Ensure accuracy and consistency before finalising.

Best Practices for Analysts

  • Maintain consistency in scoring across all reports.

  • Ensure findings are evidence-based rather than speculative.

  • Use clear and concise language to make reports understandable for clients.

  • Validate claims using multiple independent sources.

  • Prioritise actionable insights—highlight areas of concern and recommend mitigation measures.


Client Expectations: How to Use a Due Diligence Report

Clients should use DD reports to:

  • Assess the cybersecurity risks associated with potential suppliers.

  • Determine if additional risk mitigation measures are required.

  • Make informed decisions about whether to proceed with vendor onboarding.

  • Strengthen their third-party risk management strategy.

If a supplier is rated Grade C or lower, clients should consider additional due diligence, requesting further information or conducting a more in-depth security assessment.


Conclusion

Due Diligence reports provide a structured and systematic approach to evaluating a supplier’s cybersecurity posture. By leveraging a standardised scoring system and clear risk grading, these reports help organisations make informed decisions when selecting third-party vendors.

For analysts, following a consistent methodology ensures reliable and objective assessments, strengthening the credibility of the DD process. For clients, these reports serve as a crucial risk management tool, ensuring that business relationships are established with security-conscious partners.
