ooligo
ENTRY TYPE · framework

Vendor Due Diligence Workflow

Last updated 2026-05-03 Legal Ops

Vendor due diligence is the process of evaluating a third-party vendor’s security, privacy, financial, and compliance posture before signing a contract — and re-evaluating periodically afterward. Co-owned by Legal Ops, Security, IT, and Procurement, it sits between the request to bring in a new vendor and the actual MSA signing. Done well, it’s invisible to the business; done poorly, it becomes a 90-day procurement bottleneck.

The five-stage workflow

Stage                    Owner                           Output
1. Intake                Business requester              Vendor name, use case, data types, expected ARR
2. Triage                Procurement / Legal Ops         Risk tier (low / medium / high), required diligence depth
3. Diligence collection  Vendor                          SIG/CAIQ questionnaire, SOC 2 report, insurance certificates, financial statements
4. Review                Security + Legal + IT           Risk findings, required mitigations, DPA and MSA terms
5. Approval / signing    Department head + Procurement   Signed MSA, vendor enrolled in vendor management cadence

Total cycle time should be 5-15 business days for low-risk vendors, 30-60 days for high-risk vendors. Anything longer is a process failure, not a vendor failure.

Risk tiering

Three or four tiers, based on data access and integration depth:

  • Low. No personal data, no production-system access, ARR below $25K. Examples: marketing imagery vendor, a one-off design contractor. Diligence: standard MSA, vendor profile.
  • Medium. Limited personal data (employee names/emails), no production-system access, ARR $25K-$250K. Examples: project management tool, scheduling software. Diligence: SIG-Lite questionnaire, current SOC 2.
  • High. Substantial personal data or production-system access, ARR $250K+. Examples: CRM, customer support platform, AI vendors processing customer interactions. Diligence: full SIG, SOC 2 + penetration test, DPA, insurance verification, financial check.
  • Critical. Critical infrastructure, regulated-data access, single points of failure. Examples: cloud infra primary provider, payment processor, EHR for healthcare. Diligence: full SIG plus on-site audit, business continuity plan, escrow arrangement, executive sponsor.

Misclassified-down vendors are the source of most material vendor risk events. Default to the higher tier when in doubt.

What’s in a SIG / CAIQ

The Standardized Information Gathering (SIG) questionnaire and the Cloud Security Alliance’s Consensus Assessments Initiative Questionnaire (CAIQ) are the two dominant vendor security questionnaires. SIG is broader (covers operational, regulatory, business-continuity dimensions); CAIQ is narrower and cloud-focused.

A typical SIG-Lite is 100-200 questions covering:

  • Information security policies and governance
  • Access control and identity management
  • Encryption (in transit, at rest)
  • Incident response and breach notification
  • Business continuity and disaster recovery
  • Subprocessor management
  • Personnel security (background checks, training)
  • Application security (SDLC, dependency management)
  • Physical security (data center, office)
  • Compliance attestations (SOC 2, ISO 27001, HIPAA, PCI as applicable)

Mature vendors keep pre-completed SIG/CAIQ responses ready to share on request, which dramatically reduces diligence cycle time.

How to operationalize

  1. Centralized intake portal. Every vendor request goes through one form, not direct contact between business and vendor. Form captures the data needed for triage.
  2. Auto-tier on intake. Decision-tree logic routes low/medium/high based on data type, ARR, and integration depth. Spot-check 10% of low-tier classifications quarterly.
  3. Vendor portal for diligence collection. Vendor uploads SIG, SOC 2, insurance, financials to a controlled portal — not over email.
  4. AI-augmented review. Claude or Spellbook reviews SIG responses against the customer’s standards, flags gaps, drafts the question list back to the vendor. Human reviewer focuses on judgment calls, not text comparison.
  5. Annual recertification. Each high-tier vendor recertifies annually; medium tier every two years. Subprocessor changes, SOC 2 renewals, and insurance renewals trigger interim review.
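
The auto-tiering step above is the one piece of this workflow that is genuinely a decision tree, so here is an added example (not code from the original page, and not any vendor-management product's logic) that encodes the page's tier rules and recertification cadence as a triage function. The Intake field names, the rule that an unanswered tier-driving question bumps the result up one tier ("default to the higher tier when in doubt"), and the recert interval for the Critical and Low tiers are assumptions; the page itself only states High = annual and Medium = every two years.

```python
"""Vendor intake auto-tiering: added example, not the page's own code.
Field names, the "unanswered question bumps the tier" rule, and the
Critical/Low recert intervals are assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import IntEnum
from typing import Optional


class Tier(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    CRITICAL = 4


@dataclass(frozen=True)
class Intake:
    """Fields the centralized intake form captures (names are assumptions)."""
    vendor: str
    arr_usd: int
    personal_data: Optional[str]        # "none" | "limited" | "substantial"; None = not answered
    production_access: Optional[bool]   # None = not answered
    regulated_data: bool = False        # PHI, cardholder data, etc.
    critical_infrastructure: bool = False
    single_point_of_failure: bool = False


# Diligence package per tier, taken from the page's tier descriptions.
DILIGENCE = {
    Tier.LOW: ["standard MSA", "vendor profile"],
    Tier.MEDIUM: ["SIG-Lite", "current SOC 2"],
    Tier.HIGH: ["full SIG", "SOC 2", "penetration test", "DPA",
                "insurance verification", "financial check"],
    Tier.CRITICAL: ["full SIG", "on-site audit", "business continuity plan",
                    "escrow arrangement", "executive sponsor"],
}

# Recert interval in days. Page: High = annual, Medium = every two years.
# Critical = annual and Low = no scheduled recert are assumptions.
RECERT_DAYS = {Tier.CRITICAL: 365, Tier.HIGH: 365, Tier.MEDIUM: 730, Tier.LOW: None}

# Events that trigger an interim review before the scheduled recert
# (page: subprocessor changes, SOC 2 and insurance renewals, post-incident re-tiering).
INTERIM_TRIGGERS = {"subprocessor_change", "soc2_renewal",
                    "insurance_renewal", "security_incident"}


def auto_tier(rec: Intake) -> Tier:
    """Decision-tree triage. Each signal votes for a tier and the highest vote
    wins, so a $10K vendor with production access still lands in High.
    An unanswered tier-driving question bumps the result up one tier."""
    votes = [Tier.LOW]
    if rec.arr_usd >= 250_000:
        votes.append(Tier.HIGH)
    elif rec.arr_usd >= 25_000:
        votes.append(Tier.MEDIUM)
    if rec.personal_data == "substantial":
        votes.append(Tier.HIGH)
    elif rec.personal_data == "limited":
        votes.append(Tier.MEDIUM)
    if rec.production_access:
        votes.append(Tier.HIGH)
    if rec.regulated_data or rec.critical_infrastructure or rec.single_point_of_failure:
        votes.append(Tier.CRITICAL)
    tier = max(votes)
    unanswered = rec.personal_data is None or rec.production_access is None
    if unanswered and tier < Tier.CRITICAL:
        tier = Tier(tier + 1)
    return tier


def triage(rec: Intake, approved_on: date) -> dict:
    """Triage output: tier, the diligence package it requires, next recert date."""
    tier = auto_tier(rec)
    days = RECERT_DAYS[tier]
    return {
        "vendor": rec.vendor,
        "tier": tier.name,
        "diligence": DILIGENCE[tier],
        "recert_due": approved_on + timedelta(days=days) if days else None,
    }


def needs_interim_review(events: set) -> bool:
    """True when any observed vendor event should pull the review forward."""
    return bool(events & INTERIM_TRIGGERS)


if __name__ == "__main__":
    # Constructed sample intake records, modelled on the page's tier examples.
    crm = Intake("crm-vendor", 300_000, "substantial", True)
    scheduler = Intake("scheduling-tool", 50_000, "limited", False)
    print(triage(crm, date(2026, 5, 3)))
    print(triage(scheduler, date(2026, 5, 3)))
```

The "highest vote wins" structure is what keeps the auto-tiering honest: a vendor that is cheap but touches production cannot be classified down on ARR alone, which is the misclassification the page calls out as the source of most material vendor risk events. The quarterly 10% spot-check of low-tier classifications is a human control and is deliberately not automated here.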

Common pitfalls

  • Diligence as gatekeeping, not enablement. When the goal becomes “find reasons to deny” rather than “find risks to mitigate,” the business routes around vendor management. Procurement bypass is the worst-case outcome.
  • No tiering — every vendor gets full SIG. Burns vendor goodwill, slows the easy cases, doesn’t add safety on the hard ones.
  • One-time diligence with no recertification. A vendor’s posture changes; the diligence on file becomes stale. Re-tier post-incident even if the recert isn’t due.
  • No tracking of mitigations. A vendor accepted with conditions (“must implement MFA within 90 days”) needs the mitigation tracked to closure. Without it, the conditions are theater.
  • Treating AI vendors as standard. AI vendors raise novel diligence questions — training data use, model output retention, prompt logging. Standard SIG doesn’t cover them; add an AI-specific addendum.