Vendor Due Diligence Checklist
CisoDeck provides structured vendor due diligence checklists that evaluate security posture, compliance status, and operational reliability before your clients onboard new vendors. Score responses, collect supporting documents, and generate recommendations -- all from a multi-client vCISO dashboard.
Key takeaways
- Pre-built checklist covering security, compliance, financial & operational criteria
- Customizable scoring rubrics by vendor category and client requirements
- Document collection and approval workflow built in
- White-label due diligence reports for client stakeholders
- Plans from $49/mo with EU data residency and 14-day free trial
Why is vendor due diligence essential for your clients?
Every vendor your client onboards expands their attack surface. A vendor with weak security practices becomes a direct path to your client's data. Due diligence is the gate that prevents high-risk vendors from entering the environment. For regulated industries and organizations pursuing SOC 2 or ISO 27001, vendor due diligence is not optional -- it is a control requirement.
What does the due diligence checklist evaluate?
Security Controls
Encryption standards, access management, vulnerability management, and penetration testing practices.
Compliance Certifications
SOC 2 reports, ISO 27001 certificates, GDPR compliance status, and industry-specific certifications.
Data Handling
Data classification, storage locations, retention policies, backup procedures, and deletion capabilities.
Incident Response
Incident detection capabilities, notification procedures, response SLAs, and breach history.
Business Continuity
Disaster recovery plans, RTO/RPO commitments, redundancy architecture, and recent DR test results.
Subprocessor Management
Third-party dependencies, subprocessor oversight, and data flow transparency.
How does the due diligence workflow work?
1. Select checklist template -- Choose the appropriate template for the vendor category (SaaS, infrastructure, professional services) and customize criteria as needed.
2. Evaluate and score -- Work through each criterion, score the vendor's responses, and collect supporting documentation (SOC 2 reports, certifications, policies).
3. Generate recommendation -- CisoDeck calculates an overall risk rating and generates a white-label due diligence report with your approval or conditional approval recommendation.
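The three steps above (pick a category template, score each criterion with its evidence, roll the scores up into a risk rating and a recommendation) are easy to reason about once written down as a small rubric. The following is an added illustration of one such rubric, not CisoDeck's own scoring logic: the six checklist sections come from this page, while the per-category weights, the 0..4 score scale, the 80/60/40 rating thresholds, the 50-point section floor and the sample vendor answers are all constructed assumptions. The one rule worth noting is that a criterion which requires a supporting document (a SOC 2 report, a DR test result) scores zero until that document is actually collected, so an unverified claim cannot lift the rating.

```python
"""Weighted vendor due diligence scoring (illustrative rubric, not CisoDeck's)."""
from dataclasses import dataclass
from typing import Dict, List

# Checklist sections named on the page.
SECTIONS = ("Security Controls", "Compliance Certifications", "Data Handling",
            "Incident Response", "Business Continuity", "Subprocessor Management")

# Assumed section weights per vendor category; each set sums to 1.0.
WEIGHTS: Dict[str, Dict[str, float]] = {
    "saas": dict(zip(SECTIONS, (0.25, 0.15, 0.20, 0.15, 0.10, 0.15))),
    "infrastructure": dict(zip(SECTIONS, (0.25, 0.15, 0.10, 0.15, 0.25, 0.10))),
    "professional_services": dict(zip(SECTIONS, (0.20, 0.10, 0.30, 0.15, 0.10, 0.15))),
}
for _cat, _w in WEIGHTS.items():
    assert abs(sum(_w.values()) - 1.0) < 1e-9, f"weights for {_cat} must sum to 1"

MAX_SCORE = 4  # assumed maturity scale: 0 (absent) .. 4 (mature, evidenced)


@dataclass
class Criterion:
    section: str
    name: str
    score: int                      # assessor's score, 0..MAX_SCORE
    evidence_required: bool = False  # does this claim need a document?
    evidence_provided: bool = False  # was that document collected?


def effective_score(c: Criterion) -> int:
    """Score that counts: a claim needing evidence that was never supplied is unverified (0)."""
    if c.section not in SECTIONS:
        raise ValueError(f"unknown section {c.section!r}")
    if not 0 <= c.score <= MAX_SCORE:
        raise ValueError(f"score {c.score} outside 0..{MAX_SCORE}")
    if c.evidence_required and not c.evidence_provided:
        return 0
    return c.score


def section_scores(criteria: List[Criterion]) -> Dict[str, float]:
    """Mean effective score per section, scaled to 0..100; an unanswered section scores 0."""
    buckets: Dict[str, List[int]] = {s: [] for s in SECTIONS}
    for c in criteria:
        buckets[c.section].append(effective_score(c))
    return {s: (100.0 * sum(v) / (MAX_SCORE * len(v)) if v else 0.0)
            for s, v in buckets.items()}


def overall_score(criteria: List[Criterion], category: str) -> float:
    """Weighted roll-up of section scores for the chosen vendor category (0..100)."""
    per_section = section_scores(criteria)
    return sum(WEIGHTS[category][s] * per_section[s] for s in SECTIONS)


def risk_rating(score: float) -> str:
    """Assumed thresholds: higher assurance score means lower vendor risk."""
    if score >= 80:
        return "Low"
    if score >= 60:
        return "Medium"
    if score >= 40:
        return "High"
    return "Critical"


def recommend(criteria: List[Criterion], category: str, section_floor: float = 50.0) -> dict:
    """Approve only when risk is Low and no section is below the floor; Medium, or Low
    with a weak section, becomes a conditional approval listing the sections to remediate."""
    per_section = section_scores(criteria)
    total = overall_score(criteria, category)
    weak = sorted(s for s, v in per_section.items() if v < section_floor)
    rating = risk_rating(total)
    if rating == "Low" and not weak:
        decision = "approve"
    elif rating in ("Low", "Medium"):
        decision = "conditional approval"
    else:
        decision = "reject"
    return {"score": round(total, 1), "rating": rating, "decision": decision, "conditions": weak}


def sample_vendor(soc2_report_provided: bool) -> List[Criterion]:
    """Constructed answers for a hypothetical SaaS vendor; only the SOC 2 evidence flag varies."""
    return [
        Criterion("Security Controls", "TLS in transit, AES at rest", 4),
        Criterion("Security Controls", "Annual penetration test", 3, True, True),
        Criterion("Security Controls", "Vulnerability remediation SLA", 2),
        Criterion("Compliance Certifications", "SOC 2 Type II report", 4, True, soc2_report_provided),
        Criterion("Compliance Certifications", "GDPR data processing agreement", 3),
        Criterion("Data Handling", "Data classification scheme", 3),
        Criterion("Data Handling", "Retention and deletion on request", 4),
        Criterion("Incident Response", "Breach notification within 72h", 4),
        Criterion("Incident Response", "Named IR contact and response SLA", 3),
        Criterion("Business Continuity", "DR test within last 12 months", 3, True, True),
        Criterion("Business Continuity", "Documented RTO/RPO", 4),
        Criterion("Subprocessor Management", "Published subprocessor list", 4),
        Criterion("Subprocessor Management", "Advance notice of subprocessor changes", 2),
    ]


if __name__ == "__main__":
    for provided in (False, True):
        print("SOC 2 report collected:", provided, "->", recommend(sample_vendor(provided), "saas"))
```

With the report missing, the vendor's claimed SOC 2 score is discarded, the Compliance Certifications section drops to 37.5 and the result is a conditional approval with that section listed as the condition; once the document is collected the same answers score 82.5 and are approved outright. Swapping the category to "infrastructure" re-weights Business Continuity without touching the assessor's scores, which is the point of keeping weights separate from the criteria.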
Frequently asked questions
- What is a vendor due diligence checklist?
- A vendor due diligence checklist is a structured set of evaluation criteria used to assess a vendor's security posture, financial stability, regulatory compliance, and operational reliability before entering into a business relationship. It reduces the risk of onboarding vendors that could expose your client to data breaches, compliance violations, or service disruptions.
- What should a vendor due diligence checklist include?
- A comprehensive checklist covers security certifications (SOC 2, ISO 27001), data handling practices, access controls, encryption standards, business continuity plans, insurance coverage, regulatory compliance status, incident response capabilities, subprocessor management, and financial health indicators.
- How is due diligence different from a risk assessment?
- Due diligence happens before vendor selection -- it determines whether to engage with a vendor at all. A risk assessment is an ongoing process that evaluates and monitors the risks a vendor introduces after onboarding. CisoDeck supports both workflows: due diligence checklists for new vendors and periodic risk assessments for existing ones.
- How often should vendor due diligence be performed?
- Initial due diligence should be completed before contract signing. Renewals should trigger a refresh. For critical vendors, annual due diligence reviews are standard. CisoDeck tracks review dates and sends reminders before they lapse.
- Can I customize the due diligence checklist?
- Yes. CisoDeck provides a best-practice template that you can customize per client or industry. Add, remove, or weight criteria based on the vendor category (SaaS, infrastructure, professional services) and your client's regulatory requirements.
- How does CisoDeck help with vendor due diligence?
- CisoDeck provides structured checklists, scoring rubrics, document collection workflows, and approval chains. You can run due diligence evaluations across all your clients from a single dashboard and generate white-label reports summarizing findings and recommendations.
- What does CisoDeck cost?
- Vendor due diligence is included in all paid plans. Starter is $49/mo (up to 5 clients), Professional is $129/mo (up to 15 clients), and Consultancy is $299/mo (unlimited clients). All plans include a 14-day free trial.