Due Care vs. Due Diligence: The Compliance Distinction Every CISSP Candidate Must Master

Clarify due care versus due diligence in CISSP terms, with practical governance steps and legal context from major cybersecurity enforcement cases.

Why This Matters

CISSP Lens: Prioritize governance-first reasoning, then control specificity, then operational execution details.

When a breach hits the news, the first legal question is rarely "did the firewall fail?" It is almost always "did leadership know, and what did they do about it?" The concepts of due care and due diligence sit at the heart of that question. For CISSP candidates these terms appear throughout Domain 1 (Security and Risk Management) and Domain 7 (Security Operations), and for working security managers they define the line between defensible practice and organizational negligence. Getting the distinction wrong, on the exam or in the boardroom, can be career-defining.

Core Concept Explained Simply

Due care is doing the right things. It means an organization has implemented reasonable security controls, policies, and practices that a prudent organization in the same industry and risk context would adopt. Think of it as the action side: deploying MFA, maintaining an incident-response plan, enforcing a patch-management cadence, running background checks.

Due diligence is proving those things keep working. It is the verification side: auditing controls, testing disaster-recovery plans, tracking risk-register items to closure, reviewing third-party security posture, and reporting metrics to governance bodies. Due diligence turns good intentions into documented evidence.

A useful mental model: due care builds the house; due diligence inspects it on a schedule and fixes what the inspection finds.

Standard of care is the benchmark against which both are measured. It asks: "What would a reasonable organization or security professional do under similar circumstances, given similar resources, threats, and regulatory obligations?" Standard of care is not perfection. It is reasonableness, informed by industry frameworks (NIST CSF, ISO 27001, CIS Controls), legal requirements, and peer practice.

Negligence, in the CISSP governance context, is the failure to exercise that reasonable care. It typically shows up as ignored audit findings, years-old unpatched critical vulnerabilities, risk acceptances with no documented rationale, or security assurances that contradict internal knowledge.

The CISSP Lens

Domain 1 ties due care and due diligence directly to governance, compliance, and ethics. The exam expects you to understand that:

  • Due care is an ongoing obligation, not a one-time project. Policies must be enforced, not just published.
  • Due diligence is evidence-driven. Without audit trails, control-testing results, and governance reporting, an organization cannot demonstrate it exercised due care, even if the controls existed.
  • Negligence is judged contextually. The exam often frames negligence as a management failure, not a technology failure. A missing patch is a technical gap; a missing patch after three audit findings flagged it is negligence.
  • Board and executive reporting bridges both concepts. Communicating risk posture upward is both a due-care action (informing decision-makers) and a due-diligence artifact (demonstrating oversight).

Domain 7 reinforces these ideas in operations: log review, continuous monitoring, incident handling, and evidence preservation are all operational expressions of due diligence. An incident-response plan that exists but has never been tested fails the due-diligence test.

Real-World Scenario: Lessons from SolarWinds and Uber

Two high-profile U.S. enforcement actions illustrate why the due-care/due-diligence distinction matters in practice, but they also demand careful interpretation, because neither case is a classic negligence tort action.

SEC v. SolarWinds

The SEC brought charges against SolarWinds and its CISO following the SUNBURST supply-chain compromise. The surviving legal theory was primarily securities fraud and internal-controls deficiency, not a negligence claim in the traditional tort sense. The court reportedly dismissed broader theories that would have turned securities-control provisions into a generalized cybersecurity mandate, while allowing narrower fraud-related claims to proceed.

The compliance lesson: liability centered on the gap between what leadership represented about the company's security posture and what they knew internally. Governance artifacts (risk registers, exception-tracking records, board presentations) became the evidence that either supported or contradicted those representations.

Important nuance: This case does not establish that "bad security outcomes = negligence." It signals that misrepresentation of known risk posture is the exposure. For practitioners, the takeaway is that due-diligence documentation must be honest, current, and escalated to the right stakeholders.

U.S. v. Joe Sullivan (Uber)

The former Uber CSO was prosecuted on obstruction and misprision charges related to the concealment of a data breach from regulators. This was a criminal case, not a civil negligence action. The judicial focus was not "did Uber's security fail?" but rather "was there intentional concealment after a known compromise?"

Appellate developments have added nuance, but the durable lesson stands: incident-response obligations are governance controls, not public-relations choices. Timely escalation, accurate record-keeping, legal engagement, and regulator-consistent communication are non-negotiable elements of due care in security operations.

Important nuance: Practitioners should not read this case as "CISOs go to jail for breaches." The liability was tied to alleged active concealment, not to the breach itself. The standard-of-care implication is that honest, timely breach handling is the control.

What Practitioners Should Take Away

Neither case creates a bright-line "negligence standard" for cybersecurity. Instead, they reinforce a pattern: liability escalates when there is a demonstrable gap between what an organization knows and what it communicates, whether to regulators, to boards, or to the public. For CISSP purposes, interpret "negligence" and "standard of care" as governance concepts rooted in reasonableness, not as precise legal holdings from these specific cases.

Common Mistakes and Misconceptions

  • Confusing due care with due diligence. They are complementary, not synonymous. Having a policy (due care) without testing it (due diligence) is incomplete. Testing a control (due diligence) that was never properly designed (due care) is equally incomplete.
  • Treating "no breach" as proof of due care. The absence of incidents does not demonstrate reasonable practice. Courts and regulators evaluate process, not outcomes alone.
  • Assuming frameworks guarantee compliance. Adopting NIST or ISO 27001 is strong evidence of due care, but only if the controls are actually implemented, tested, and maintained, not just mapped in a spreadsheet.
  • Ignoring the documentation burden. Due diligence lives in artifacts: audit reports, risk-acceptance memos, remediation tickets, board minutes. If it is not documented, it did not happen, at least not from a legal-defensibility standpoint.
  • Over-reading case law as technical mandates. SolarWinds and Sullivan/Uber are governance and disclosure cases, not rulings on specific technical controls. Do not cite them as requiring particular technologies.
  • Believing negligence requires malice. Negligence is about failing to act reasonably, not about intent. Overlooking a known critical vulnerability for months because "we were busy" can meet the negligence threshold without any bad intent.

Actionable Checklist

  • Maintain a current, prioritized risk register with documented acceptance rationale for every risk that is not mitigated.
  • Conduct and document control-effectiveness testing at least annually, and more often for high-risk areas.
  • Run tabletop exercises for incident response, disaster recovery, and breach-notification processes.
  • Ensure board or executive-committee reporting includes honest, quantified risk metrics (KPIs/KRIs), not just green dashboards.
  • Track audit findings to closure with evidence of remediation, not just acknowledgment.
  • Review third-party and supply-chain security posture as part of ongoing due diligence, not only during onboarding.
  • Align security baselines to at least one recognized framework (NIST CSF, ISO 27001, CIS Controls) and document deviations.
  • Preserve incident-response records with integrity controls; treat them as potential legal evidence from day one.
  • Ensure breach-notification procedures include legal counsel engagement and regulatory-communication timelines.
  • Brief the security team on the governance meaning of due care and due diligence: operational staff who understand why documentation matters produce better artifacts.

Key Takeaways

  • Due care is action; due diligence is verification. Both are required to demonstrate reasonable security governance.
  • Standard of care is contextual, measured against what a reasonable peer organization would do, not against perfection.
  • Recent enforcement actions (SolarWinds, Uber/Sullivan) are disclosure and obstruction cases, not classic negligence tort cases. They teach that misrepresentation and concealment create liability, not that breaches alone do.
  • Documentation is the bridge between doing security well and proving you did security well. Without artifacts, due diligence does not exist in a legal or audit context.
  • Board reporting is both a due-care obligation and a due-diligence artifact. Honest upward communication is a control, not overhead.

Exam-Style Reflection Question

An organization has a comprehensive patch-management policy, but an internal audit reveals that 40% of critical patches are applied outside the defined SLA with no documented risk acceptance. Which concept has the organization most directly failed to demonstrate?

Answer: Due diligence. The policy itself is evidence of due care (the organization defined a reasonable control), but the failure to enforce the policy, track exceptions, and document risk acceptances represents a breakdown in verification and oversight, the core of due diligence. On the exam, look for the gap between having a control and proving it works consistently.
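The audit finding in the scenario is something a security team can generate for itself rather than wait for an auditor to discover. The script below is an added example, not code from the article or from any vendor: it takes a set of constructed patch records, applies a hypothetical 14-day SLA for critical patches, and reports the share applied late together with which late patches have a documented risk acceptance and which do not. The undocumented exceptions are the due-diligence gap; the documented ones are the evidence that the exception process is working. Ticket ids, dates, and the acceptance-memo references are all invented for the example.

```python
"""Due-diligence evidence check for a patch-management SLA (constructed example).

Given patch records, measure how many critical patches were applied outside the
SLA and, for each late patch, whether a documented risk acceptance exists. The
percentage and the list of undocumented exceptions are the kind of artifact an
audit or board report expects to see.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Hypothetical SLA: critical patches must be applied within 14 days of release.
CRITICAL_SLA_DAYS = 14


@dataclass(frozen=True)
class PatchRecord:
    ticket: str                      # constructed ticket id
    severity: str                    # "critical", "high", ...
    released: date                   # vendor release date of the fix
    applied: Optional[date]          # None if the patch is still outstanding
    risk_acceptance: Optional[str]   # reference to a signed acceptance memo, or None


def is_within_sla(rec: PatchRecord, as_of: date, sla_days: int = CRITICAL_SLA_DAYS) -> bool:
    """A patch meets SLA if applied on or before release + sla_days.

    An outstanding patch is only counted as late once its deadline has passed,
    so a patch released last week is not a finding yet."""
    deadline = rec.released + timedelta(days=sla_days)
    if rec.applied is None:
        return as_of <= deadline
    return rec.applied <= deadline


def sla_report(records: List[PatchRecord], as_of: date,
               sla_days: int = CRITICAL_SLA_DAYS) -> dict:
    """Summarise critical-patch SLA adherence and split late patches into
    documented exceptions (acceptance memo on file) and undocumented ones."""
    critical = [r for r in records if r.severity == "critical"]
    late = [r for r in critical if not is_within_sla(r, as_of, sla_days)]
    documented = sorted(r.ticket for r in late if r.risk_acceptance)
    undocumented = sorted(r.ticket for r in late if not r.risk_acceptance)
    pct_late = round(100 * len(late) / len(critical)) if critical else 0
    return {
        "critical_total": len(critical),
        "critical_late": len(late),
        "pct_late": pct_late,
        "documented_exceptions": documented,
        "undocumented_exceptions": undocumented,
    }


# Constructed sample data: five critical patches and one high-severity patch.
AS_OF = date(2025, 6, 30)
SAMPLE_RECORDS = [
    PatchRecord("PM-101", "critical", date(2025, 5, 1), date(2025, 5, 10), None),          # on time
    PatchRecord("PM-102", "critical", date(2025, 5, 1), date(2025, 6, 2), "RA-2025-007"),  # late, documented
    PatchRecord("PM-103", "critical", date(2025, 5, 20), None, None),                      # overdue, undocumented
    PatchRecord("PM-104", "critical", date(2025, 6, 1), date(2025, 6, 14), None),          # on time
    PatchRecord("PM-105", "critical", date(2025, 6, 25), None, None),                      # outstanding, not yet due
    PatchRecord("PM-106", "high", date(2025, 4, 1), None, None),                           # not in scope of this SLA
]


def main() -> None:
    report = sla_report(SAMPLE_RECORDS, AS_OF)
    print(f"Critical patches: {report['critical_total']}, late: {report['critical_late']} "
          f"({report['pct_late']}% outside SLA)")
    print("Documented exceptions:  ", report["documented_exceptions"])
    print("Undocumented exceptions:", report["undocumented_exceptions"])


if __name__ == "__main__":
    main()
```

Run as a script it reproduces the scenario's 40% figure, with one late patch covered by a risk acceptance and one with nothing on file. In a real environment the records would come from the ticketing or vulnerability-management system, and the report itself, dated and retained, becomes part of the due-diligence trail described in the checklist above.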


© 2025 Threat On The Wire. All rights reserved.