Why vendor due diligence matters
Poor vendor choices create operational, reputational, and regulatory risk. A breach at a supplier can expose your data; a contract without clear liability or breach notification terms can leave you without recourse. A structured checklist helps procurement and IT align before signing—and gives you evidence for auditors and insurers.
What to assess before you commit
Security and compliance — Certifications (e.g. ISO 27001, Cyber Essentials, SOC 2); data handling and breach notification obligations; where data is stored and processed. Ask for evidence (certificates, policies); don't rely on marketing claims.
Availability and SLAs — Uptime commitments, penalty clauses, and how incidents are communicated. What happens if they have an outage? Who do you call?
Data location and sovereignty — Where data is stored and processed; exit and portability rights. Can you get your data back? How long does exit take?
Commercial — Contract length, price escalation, termination for cause, and liability caps. What are your rights if they breach or go under?
What to ask key suppliers
- Do they hold Cyber Essentials, ISO 27001, or equivalent? When was it last reviewed?
- Where is our data processed and stored? What are their breach notification obligations?
- Who has access to our systems or data? How is access reviewed and revoked?
- Have they had a material security incident? How was it handled and communicated?
How to document due diligence
Keep a register of key suppliers: name, scope, security posture (certification, last assessment), contract terms (expiry, liability, breach notification), and next review date. Tie each entry to the contract clauses that back it (e.g. right to audit, liability, breach notification). Review and update the register at least annually.
Red flags
No certification, or "we're working on it" with no timeline; vague or absent breach notification terms; data stored in jurisdictions you cannot accept; a liability cap so low that it does not cover your exposure.
Review your vendor strategy with our team—we help clients evaluate and manage key IT suppliers. Or run a Vendor Security Check on a supplier's domain.