Definition

Due diligence

Due diligence is the systematic investigation and risk assessment process applied to third parties, transactions or processes to make informed decisions.

In ISO standards, due diligence is an explicit requirement of ISO 37001 (anti-bribery) and ISO 37301 (compliance). It involves investigating and evaluating risk associated with partners, suppliers and transactions. Depth must be proportional to identified risk.

Key aspects

Risk proportionality

Investigation depth must be proportional to risk: low risk requires basic checks; high risk demands deep investigation.

Normative requirement

ISO 37001 requires due diligence on partners and personnel with bribery risk. ISO 37301 extends it to all obligations.

Documentation and traceability

Every process must be documented with evidence the assessment was performed and decisions were based on results.

Frequently asked questions

No. Due diligence is a preventive investigation to assess risks before a decision. Audit verifies subsequent compliance.

Mandatory in financial sector (AML), defense, energy, pharmaceutical and companies subject to FCPA or UK Bribery Act.

Comparison

Ready to act on these findings?

Need an assessment in this area?

Request diagnosis→View research→

Loading content…

Due diligence

Key aspects

Risk proportionality

Normative requirement

Documentation and traceability

Frequently asked questions

ISO 27001 vs NIST CSF: cybersecurity frameworks compared

ISO 42001 vs EU AI Act: voluntary standard vs mandatory regulation

How to implement ISO 27001 in your organization

How to implement ISO 42001 for AI management

Shadow AI: artificial intelligence use without formal governance

Failed certification audit: nonconformity diagnosis and recovery plan

Ready to act on these findings?

Due diligence

Key aspects

Risk proportionality

Normative requirement

Documentation and traceability

Frequently asked questions

ISO 27001 vs NIST CSF: cybersecurity frameworks compared

ISO 42001 vs EU AI Act: voluntary standard vs mandatory regulation

How to implement ISO 27001 in your organization

How to implement ISO 42001 for AI management

Shadow AI: artificial intelligence use without formal governance

Failed certification audit: nonconformity diagnosis and recovery plan

Ready to act on these findings?

Due diligence

Key aspects

Risk proportionality

Normative requirement

Documentation and traceability

Frequently asked questions

Related content

ISO 27001 vs NIST CSF: cybersecurity frameworks compared

ISO 42001 vs EU AI Act: voluntary standard vs mandatory regulation

How to implement ISO 27001 in your organization

How to implement ISO 42001 for AI management

Shadow AI: artificial intelligence use without formal governance

Failed certification audit: nonconformity diagnosis and recovery plan

Ready to act on these findings?

Due diligence

Key aspects

Risk proportionality

Normative requirement

Documentation and traceability

Frequently asked questions

Related content

ISO 27001 vs NIST CSF: cybersecurity frameworks compared

ISO 42001 vs EU AI Act: voluntary standard vs mandatory regulation

How to implement ISO 27001 in your organization

How to implement ISO 42001 for AI management

Shadow AI: artificial intelligence use without formal governance

Failed certification audit: nonconformity diagnosis and recovery plan

Ready to act on these findings?