When is third-party due diligence performed?

Prepare for the Certified Third-Party Risk Professional (CTPRP) Exam with our comprehensive quizzes. Use multiple choice questions with detailed explanations to ensure success. Maximize your study time and get ready to ace the exam!

Multiple Choice

When is third-party due diligence performed?

Explanation:
Third-party due diligence is an ongoing risk-management practice. The best timing is to conduct it before you engage a vendor, during onboarding to verify that the necessary controls and protections are in place, and at regular intervals through periodic reassessments to detect changes in risk over time. Pre-engagement screening helps ensure the vendor’s risk profile fits your requirements and regulatory needs. Onboarding confirms that security practices, data handling, and contract terms are established before work begins. Periodic reassessments capture evolving threats, changes in the vendor’s operations or controls, and any performance or compliance shifts, so controls can be adjusted as needed. Relying only on post-breach activity is reactive and misses proactive risk management, while never conducting due diligence fails to establish any foundational risk screening.
