What is a Due Diligence Questionnaire and What Should You Do About It?

Your company just received a due diligence questionnaire (DDQ) or due diligence checklist from a potential client. You may think it’s a threat or a challenge, but it’s actually a good sign: Sending a DDQ is usually the last step a company takes before choosing to buy a service or product from a company they’ve been considering. A potential client will use the DDQ to validate that your organization is compliant with required guidelines, especially in terms of security.

There are many different types of due diligence questionnaires, and they can vary depending on what sort of service you provide. But if you are a software developer or service provider responding to an RFP, you can expect to get a DDQ from potential clients that are serious about buying from you. 

What should you do if you receive a due diligence questionnaire? First of all, don’t panic. Next up, follow our advice below.

Get Strategic by Knowing What’s On a DDQ

You can prepare for responding to DDQs even if you haven’t received one yet. The best way to put a strategy in place for responding to a due diligence list is by knowing what questions they usually include.

Virtually all DDQs require that your company can show that you follow certain key processes, such as having an information security policy and that you conduct external penetration tests every year. Other requirements include being able to show that you have implemented strong technical controls in line with industry best practices, such as:

  • Multi-factor authentication
  • Firewalls
  • Intrusion detection
  • VPNs

You’ll also need to prove that key processes such as change management, new hires, terminations, are all documented and operate as written in your policy manuals. Finally, you’ll have to prove that you have a firm understanding of the customer data that you process and store, and understand the risks involved. 

Be Ready to Show Your Work

The best way to ensure you have strong responses to DDQ questions is to show that you have a plan in place for security. Start by developing a collection of key artifacts that most DDQs look for. Some examples include:

  • Information security policy
  • Disaster recovery plan
  • Recent penetration test reports
  • Network diagram

These documents and reports will allow you to show with confidence that you meet the requirements of the due diligence checklist. 

Another form of proof you should look into is an external audit. In the early stages of a company, it’s not always necessary to have an audit completed, but you need to make sure you know what your plan is and demonstrate your roadmap. It’s perfectly ok if you’re planning an audit in 12-18 months, maybe even longer, as long as you can show that you have something in the works.

Practical Assurance can help you build your roadmap and key artifacts to set you on the right footing to land bigger customers before you’re fully read for an audit.

Approach the Questionnaire Like a Final Interview

As noted above, a DDQ is usually the last step that a company uses to verify that a vendor is doing the right thing in terms of security and compliance. If they go to the trouble of sending you a DDQ, it means they’re heavily considering your product, but want to do one final sweep for reassurance that they know exactly what risks they may be facing by using your solution, and how you will mitigate those risks for their company.

The questionnaire acts like a window into the maturity of your company. If you have weak answers to the questions it poses, your prospects will assume you’re not ready to do business with them. As with a final job interview, you need to be prepared and project confidence. How you respond can truly make or break your ability to land a deal with a new client.

If you need help preparing responses to a DDQ, or want to be prepared for larger clients who will certainly send them your way, get in touch with Practical Assurance today.