Due care and due diligence are two fundamental concepts in information security governance and are frequently tested in the CISSP examination. Although the terms are closely related, they represent two different stages of the risk management process. Simply put, due diligence is about researching and understanding risks before taking action, whereas due care is about implementing the appropriate security measures to address those risks. An effective information security program requires both concepts to protect organizational assets and demonstrate responsible security management.
Due diligence refers to the process of investigating, analyzing, and understanding potential risks before making security decisions or implementing controls. It is the planning and research phase of information security, during which security professionals identify threats, assess vulnerabilities, evaluate business impacts, and determine the most appropriate security controls for the organization. Due diligence includes conducting risk assessments, reviewing regulatory and compliance requirements, evaluating third-party vendors, performing security audits, assessing emerging cyber threats, and understanding the organization's security requirements. The objective is to gather sufficient information so that security decisions are based on careful analysis rather than assumptions. A simple way to remember due diligence is "Think before you act."
For example, before selecting a cloud service provider, an organization performs due diligence by evaluating the provider's security certifications, reviewing audit reports, assessing compliance with standards such as ISO/IEC 27001, examining data protection practices, and identifying potential risks associated with storing organizational data in the cloud. Similarly, before implementing controls to meet regulatory requirements such as PCI DSS or other compliance frameworks, security professionals first study the applicable standards to understand the required security controls and compliance obligations.
Due care, on the other hand, refers to the practical implementation of the security measures identified during the due diligence process. Once risks have been analyzed and appropriate controls have been selected, organizations must take action to protect their information assets. Due care involves deploying firewalls, implementing encryption, enforcing password policies, configuring access controls, applying software patches, conducting employee security awareness training, performing regular backups, monitoring security events, and implementing all other safeguards necessary to reduce risks to acceptable levels. A simple way to remember due care is "Do the right thing." It represents the execution phase of information security where planned security measures are put into operation.
The relationship between due diligence and due care is straightforward. Due diligence identifies what should be done, while due care ensures it is actually done. An organization that performs only due diligence but never implements security controls remains vulnerable because identifying risks without taking corrective action provides no protection. Likewise, implementing security controls without conducting due diligence may result in ineffective or unnecessary safeguards because decisions were made without understanding the organization's actual risks. Therefore, both due diligence and due care must work together as part of an effective security governance and risk management program.
These concepts are particularly important from both legal and regulatory perspectives. Following a cybersecurity incident, organizations may be required to demonstrate that they exercised reasonable care in protecting sensitive information. Courts, regulators, auditors, insurance providers, and compliance bodies often examine whether the organization performed appropriate due diligence by identifying and assessing risks and whether it exercised due care by implementing reasonable security controls to mitigate those risks. Organizations that fail to perform either due diligence or due care may face legal liability, regulatory penalties, financial losses, or reputational damage.
For example, suppose an organization stores customer payment information. During its risk assessment, security professionals determine that encrypting sensitive customer data is necessary to reduce the risk of unauthorized disclosure. This assessment represents due diligence because the organization researched the risks and identified the appropriate control. The organization then implements strong encryption, restricts access to the encrypted data, monitors security logs, and trains employees on data protection procedures. These actions represent due care because the organization has implemented the recommended security measures. If a data breach later occurs despite these reasonable precautions, the organization can demonstrate that it exercised both due diligence and due care, which may significantly reduce legal liability because it acted responsibly according to accepted industry practices.
From a CISSP perspective, organizations are not expected to eliminate every possible risk because achieving 100% security is impossible. Instead, security professionals are expected to identify risks through due diligence and implement appropriate safeguards through due care to reduce those risks to an acceptable level. The CISSP mindset emphasizes that security decisions should always be based on sound risk management principles supported by both thorough analysis and responsible implementation.
A useful way to distinguish these concepts is to remember that due diligence means researching, investigating, planning, and understanding risks before making decisions, while due care means implementing, maintaining, and enforcing the security controls necessary to protect organizational assets. Together, they demonstrate that an organization has acted responsibly, followed industry best practices, and exercised reasonable care in protecting its information systems, making them essential principles of information security governance and CISSP exam preparation.
