Due care vs. due diligence: What you need to know for the CISSP exam
Due care and due diligence are two terms that are not interchangeable but are equally important to be mindful of while preparing for the CISSP exam. Due care involves taking steps to avoid negative outcomes. On the other hand, due diligence focuses on performing in-depth research to understand the ins and outs of a solution or deal before committing to it.
For instance, anyone wanting to take out a mortgage will take the time to make sure it’s going to help, not harm, their financial future. That’s due care. Due diligence is all about ensuring you fully understand the terms of your contract, the legal ramifications of signing, zoning issues you might face if building or renovating and other important minutiae before signing.
How, then, do these terms apply to the world of information security? Why are they so vital to this growing field? CISSP certification holders are expected to know this as part of domain 1 of the CISSP exam, Security and Risk Management.
For more CISSP exam tips, get our free CISSP exam tips and tricks ebook, or watch our free one-hour CISSP exam tips course with an instructor whose students have a 95% pass rate.
Earn your CISSP, guaranteed!
Due care: “Looking before you leap”
In cybersecurity, due care involves avoiding negative consequences from regulatory requirements, attackers and insider threats. This often involves making a difficult decision: You can wait for regulators to introduce security standards or take a more proactive approach. Countless organizations and agencies have waited until the government has stepped in — or until their security has been compromised — before taking appropriate measures to ensure their security has improved.
While this has been effective for some, using due care to effectively prevent incidents typically involves being proactive instead of merely reacting to changing conditions or requirements.
This involves creating a security-focused culture across all levels of your organization. This both protects the organization’s brand and its digital infrastructure. The notion that your organization is weak on cybersecurity can be tough to reverse and may involve costly public relations campaigns. Even then, it cannot be easy to regain the desired perception in the eyes of current and future clients.
Due care also involves recognizing that there is such a thing as bad public relations. This means you have to carefully design your communications strategy — whether or not you’re dealing with a breach — in a way that minimizes negative public perception. For example, you wouldn’t want to publicize security weaknesses until you’re either forced to due to a breach or you’ve already remedied them.
In terms of your network infrastructure, due care involves taking steps to safeguard your digital assets. For example, you can create security policies that require role-based access controls across your organization.
Due care would also be the driving force behind designing employee awareness trainings. You prevent issues by making sure employees understand the nature of threats the organization faces and know what to do if they suspect an issue.
Setting up an automated backup mechanism would also be an act of due care. You’re proactively taking steps to mitigate the effects of a breach by backing up your important apps and operational data.
In the event a regulation or law necessitates due care, you absolutely must abide by that standard. Otherwise, you risk being accused of the direct opposite of due care: negligence.
Due diligence: Understanding is just the beginning
Due diligence involves understanding the ins and outs of your information security policies, procedures and systems. To truly demonstrate due diligence, businesses have to focus a narrow lens on their information security and be mindful of global laws and regulations that may impact their operations.
A common example of due diligence in cybersecurity is performing a comprehensive analysis of the security risks a third party may introduce before allowing them access to any of your digital assets. The due diligence process would involve issuing surveys, double-checking the company’s answers, and interviewing members of its IT team to understand how they protect their networks and which steps they would take to safeguard yours during the partnership.
The same due diligence principles apply to outsourcing cybersecurity services. For example, suppose you choose to hire a managed services provider to handle threat monitoring and deal with compliance issues. Performing due diligence would involve investigating their threat monitoring technology and their operational workflow before and after they detect a threat. You would also need to examine the structures they have in place to ensure compliance with GDPR, HIPAA and other applicable regulations.
Your quality assurance process should also involve a due diligence framework. In this way, an organization can reduce its potential for risk across the IT spectrum. Quality assurance can also result in significant long-term savings. As an organization improves its information security processes, it reduces costs associated with inefficiency and mitigates the effects of incidents.
Put simply, the opposite of due diligence would be “not doing your homework” or simply haphazardly approaching your work. Examples of this, as far as the CISSP goes, would include not examining the framework terms and scope of pentesting prior to engaging in the test. Or, if you authorized the test without ensuring you have the proper authorization, that would also represent a failure to perform due diligence.
Not following due diligence practices could lead to your dismissal from a contract or even legal trouble because you were deemed negligent from a regulatory standpoint.
Earn your CISSP, guaranteed!
Conclusion
The bottom line is there should be communication across all departments in any organization — including the board of directors and management — regarding both the due care and due diligence the company needs to implement. Should that not happen, there could be serious repercussions: loss of valuable information and the potential loss of clients. Management and boards should be aware of the policies and procedures involving due care and diligence to prevent breaches and unnecessary exposure to risk.
Due care and due diligence are just one facet of the CISSP exam. To learn more about the test, you can refer to our free CISSP exam tips and tricks ebook. Our CISSP training hub also provides important information about the test and how to prepare for it.
If you’re considering a career shift to cybersecurity, check out our Cybersecurity salary guide and Cybersecurity certifications and skills ebooks. These provide valuable information you can use to decide which areas of cybersecurity to pursue and what you can expect to earn.
In this Series
- Due care vs. due diligence: What you need to know for the CISSP exam
- CISSP domains overview: Your complete preparation guide
- What is the ISC2 ISSMP (Information Systems Security Management Professional) certification?
- What is the ISC2 ISSEP (Information Systems Security Engineering Professional) certification?
- What is the ISC2 ISSAP (Information Systems Security Architecture Professional) certification?
- CISSP experience waiver: What you need to know
- CISSP concentrations: How ISSAP, ISSMP & ISSEP have changed
- Mitigating access control attacks in the CISSP exam
- CISSP DoD 8140: What changed from DoD 8570?
- CISSP jobs in 2025: Cybersecurity manager outlook and career opportunities
- Understanding the CISSP exam schedule: Duration, format, scheduling and scoring
- CISSP interview prep: 10 common questions and answers
- CISSP resources: Free books, videos, practice exams and other study tools
- CISSP certification cost and requirements (2025): Your complete preparation guide
- Perimeter defenses: What you need to know for the CISSP exam
- Understanding control frameworks and the CISSP
- CISSP computerized adaptive testing (CAT): 25 of your questions answered
- The ISC2 code of ethics: A binding requirement for certification
- Security governance principles: What you need to know for the CISSP exam
- Understanding access control: A CISSP certification guide
- Renewal requirements for the CISSP certification
- Secure communication channels: What you need to know for the CISSP exam
- Risk management concepts and the CISSP
- CISSP: Business continuity planning and exercises
- Data and system ownership in the CISSP exam
- Information and asset classification in the CISSP exam
- Incident management and the CISSP exam: What you need to know
- CISSP prep: Security policies, standards, procedures and guidelines
- Earning CPE credits to maintain the CISSP
- Data security controls and the CISSP exam
- CISSP: Disaster recovery processes and plans
- Vulnerability and patch management in the CISSP exam
- Secure system design principles: CISSP exam concepts and frameworks
- Certification and accreditation: What’s on the CISSP exam?
- Change management and the CISSP
- Threat modeling and the CISSP
- CISSP exam questions: 5 drag & drop and hotspot questions
- CISSP certification salary: A comprehensive 2025 salary guide
- 8 tips for CISSP exam success in 2025
- Environmental controls and the CISSP
