This is a lot harder to actually do than you may think. In some cases, you will simply have to identify the risks and accept them. Take Microsoft, for example: everyone uses them, but how many have asked them to complete a Supplier Due Diligence Questionnaire!
Introduction
Most organisations rely heavily on third-party software providers to power their operations. Whether it’s for communication, data storage, productivity, customer relationship management, or cybersecurity – third-party vendors are deeply embedded in business ecosystems. But with this reliance comes a crucial responsibility: ensuring those suppliers are trustworthy, secure, and compliant.
Enter supplier due diligence – a foundational process that enables organisations to evaluate the risks and benefits of engaging with software vendors. It is no longer a “nice-to-have” but a critical business requirement.
In this article, we will break down the purpose and process of conducting software supplier due diligence, discuss key areas to assess, provide examples of what can go wrong without it, and finally introduce a downloadable due diligence questionnaire designed to help you streamline your approach.
Why Software Supplier Due Diligence Matters
Every software product you use connects your systems to external environments. While this can enhance productivity and innovation, it can also introduce vulnerabilities and compliance risks. Here’s why due diligence is so critical:
1. Risk Reduction
When you engage with a third-party software vendor, you’re trusting them with sensitive data, system integrations, and even elements of your operational continuity. Without knowing their internal practices, you’re effectively outsourcing risk without control.
Key risks include:
- Data breaches
- Non-compliance fines (e.g., GDPR)
- Unplanned outages or downtime
- Poor support or unscalable solutions
- Hidden costs or vendor lock-in
2. Regulatory Compliance
Under frameworks such as GDPR, ISO 27001, HIPAA, and PCI DSS, organisations are expected to ensure third parties meet minimum security and data protection standards. Failing to vet a vendor could lead to non-compliance and potential penalties.
For example:
- Under GDPR, Article 28 requires data controllers to verify that processors implement appropriate safeguards.
- ISO 27001 Annex A.15 requires controls for supplier relationships, including information security policies and agreements.
3. Operational Resilience
A software vendor’s failure to deliver consistent uptime, support, or timely patches can grind your operations to a halt. Conducting due diligence helps assess whether a vendor’s business continuity and disaster recovery plans are fit for purpose.
Real-World Consequences of Inadequate Due Diligence
Let’s explore a few documented failures where a lack of software supplier due diligence led to severe business consequences.
Case Study 1: SolarWinds Supply Chain Attack
In 2020, hackers compromised the Orion software platform from SolarWinds – a trusted IT monitoring supplier. The attackers inserted malicious code into a software update, affecting over 18,000 organisations, including government agencies and Fortune 500 companies.
Due diligence takeaway: Vetting software update processes and code integrity mechanisms is essential when selecting a software vendor.
Case Study 2: Facebook-Cambridge Analytica Scandal
While not a traditional vendor scenario, Facebook’s sharing of data with third-party applications without strong oversight led to massive data misuse and public backlash. It underscored the importance of tracking data flows and third-party processing.
Due diligence takeaway: Understand how third parties handle, share, and process your customer data.
Case Study 3: Trustwave Managed Security Incident
Trustwave, a respected MSSP, suffered reputational damage after one of their solutions allegedly contributed to a security breach at Heartland Payment Systems. Though details remain debated, it highlights the scrutiny vendors face after breaches.
Due diligence takeaway: Review and document vendor liability, insurance coverage, and incident response commitments.
Key Areas to Evaluate in Software Supplier Due Diligence
Your due diligence process should span multiple dimensions to gain a comprehensive understanding of a software supplier’s capabilities, risks, and alignment with your organisational requirements.
Here are the ten critical categories covered in our due diligence questionnaire:
1. Company Profile
- Is the vendor financially stable?
- How long have they been in business?
- Do they have a proven client base and industry experience?
2. Product Information
- Is the software still actively developed and supported?
- Is it delivered as SaaS, on-premises, or hybrid?
- What are the integration options?
3. Security & Data Protection
- Are data encrypted in transit and at rest?
- Does the vendor use secure coding practices and regular penetration testing?
- What’s the process in the event of a data breach?
4. Compliance & Certifications
- Are they ISO 27001 or SOC 2 certified?
- Do they comply with GDPR, HIPAA, or other local laws?
- Do they engage in independent audits?
5. Data Handling & Privacy
- What data is collected and stored?
- Where is the data physically located (e.g., UK, EU, US)?
- Are sub-processors used, and are they disclosed?
6. Business Continuity & Disaster Recovery
- Is there a documented and tested DRP/BCP?
- What are the RTO (Recovery Time Objective) and RPO (Recovery Point Objective)?
- What was their uptime over the past year?
7. Financial & Legal Standing
- Are there any pending legal cases?
- Do they carry professional and cyber liability insurance?
- Can they demonstrate financial stability?
8. Service Management
- Is there an SLA in place?
- What does their support model look like?
- What are typical response and resolution times?
9. Change Management
- How are changes and updates handled?
- Is there a public roadmap?
- Are sandbox/test environments available?
10. Exit Strategy
- How can clients retrieve their data?
- What is the offboarding process?
- Are data securely deleted post-termination?
The Role of Procurement and Security Teams
Vendor due diligence shouldn’t sit solely with the IT or procurement team. It must be a cross-functional initiative involving:
- Procurement: To assess cost, value, and licensing structures.
- Legal: To review contracts, liability, and jurisdiction.
- IT/Security: To validate technical security controls.
- Compliance: To map vendor practices to relevant regulatory standards.
- Business Stakeholders: To ensure alignment with functional requirements.
This collaborative approach reduces blind spots and ensures all risk categories are considered.
How Often Should You Reassess Vendors?
Initial vetting is just the beginning. A formal vendor risk management lifecycle should include:
- Initial onboarding assessment
- Annual re-assessments
- Reassessments after major product updates
- Post-incident reviews (if a breach or issue occurs)
Vendors change, and so does risk. Make reassessment part of your ongoing compliance framework.
What Happens If a Vendor Fails the Assessment?
A vendor that does not meet your standards need not be rejected automatically. Instead:
- Offer a remediation plan with timelines.
- Require additional safeguards, like encryption, audits, or contract clauses.
- Consider risk transfer options, like insurance or indemnities.
The goal is to reduce and document the risk, not necessarily eliminate every imperfection.
Making Due Diligence Part of Your Business Culture
Due diligence shouldn’t be a one-off exercise. To truly strengthen your risk posture:
- Embed supplier assessments into procurement policies.
- Educate internal teams on why supplier risk matters.
- Track vendor responses in a central system.
- Automate reminders for reviews and reassessments.
- Align due diligence with your organisation’s risk appetite.
Due diligence is not about paranoia – it’s about resilience. The time you spend upfront can save months of chaos and millions in cost later.
Final Thoughts
In an age where digital transformation is accelerating and software-as-a-service adoption is widespread, third-party software vendors are extensions of your infrastructure – for better or worse.
Don’t wait for an incident to ask the right questions.
The strength of your organisation’s security and compliance posture depends not just on your internal policies – but on every third-party link in the chain.