← Other Blogs

Your ISO 37001 due diligence file could be perfectly accurate, and still completely out of date

Most organizations treat third-party due diligence as a single gate: pass it once, and the relationship stays cleared. That approach assumes the vendor approved on day one is the same vendor a year later. ISO 37001 due diligence exposes what happens when that assumption breaks: ownership changes, a new intermediary enters the deal, the vendor expands into a market nobody reviewed, and nothing in most compliance programs notices. This is not a documentation failure or a reviewer's judgment call. It is a monitoring gap, and it is measurable before it becomes an incident.
Compliance
Human risk management
Zepo Intelligence

A vendor passes due diligence. The file is complete, accurate, and signed off. Eighteen months later, the same vendor is at the center of a compliance investigation.

Nothing in the file was wrong. The ownership structure it described was accurate the day it was filed. The risk profile it assessed matched the vendor as it existed at the time. What changed is the vendor. It restructured its ownership. It brought in a new intermediary to handle a specific market. Neither of those changes reached the compliance team, because nothing in the program was built to notice them.

Due diligence approves a moment, not a relationship

ISO 37001's due diligence requirements ask an organization to assess a business partner before the relationship begins: the nature of the relationship, the risk profile of the jurisdiction, the identity of beneficial owners, any red flags in the partner's history. That assessment produces a snapshot, accurate at the moment it is taken.

The relationship that follows is not a snapshot. It is ongoing, and it changes in ways the original file has no mechanism to capture. A vendor cleared at onboarding is not contractually obligated to stay the same vendor for the life of the contract, and in practice, many do not.

What actually changes after approval

The changes that matter rarely look dramatic from the outside. A beneficial owner sells a stake to a new investor. The vendor brings on a local partner to handle regulatory requirements in a market it just entered. A subcontractor takes over part of the delivery that used to be handled directly. The payment route shifts to accommodate a new banking relationship.

Any one of these can move a vendor from the risk profile that was approved to one that was never reviewed. None of them require the vendor to notify the organization that approved them, and few compliance programs have a process for finding out independently.

Consider a logistics vendor approved two years ago to handle regional distribution. Its ownership was straightforward at the time: two founders, no external investors, no operations outside the country where the contract was signed. Since then, a private equity fund has acquired a majority stake, the vendor has opened operations in two new countries to support a larger client, and it now routes part of its payments through a regional subsidiary that did not exist at approval. None of that required notifying the company that approved it. On paper, it is still the vendor that passed due diligence two years ago. In practice, it is a different company operating under the same name.

Why most programs have no re-trigger

Most due diligence programs renew on a calendar: annually, or every two years, regardless of what has happened to the vendor in between. That cadence works for vendors that genuinely do not change. It does nothing for the ones that do, because the renewal date has no relationship to the date the ownership structure actually shifted.

There is a resourcing logic behind the calendar-based approach, and it is not unreasonable on its own. Reviewing every vendor relationship continuously would overwhelm most compliance teams, and a full re-assessment of every relationship every quarter would cost more than the risk it is managing. The problem is not that programs ration review effort. It is that they ration it by date instead of by relevance, treating a vendor that changed dramatically last month the same as one that has been stable for a decade, simply because neither has reached its renewal date yet.

The result is a gap measured in time, not in judgment. A vendor can drift substantially away from its approved risk profile and remain, on paper, a cleared vendor for months or years, simply because the next scheduled review has not arrived yet.

Key insight: the file can be accurate and still be wrong

The instinct when an incident traces back to a long-approved vendor is to ask whether the original due diligence was thorough enough. Often, it was. The file described the vendor correctly, at the time.

The failure is not in what the file said. It is in the absence of anything that would have flagged the moment the file stopped being true. A compliance program measured by whether its due diligence files are complete will always look healthy, even while the relationships those files describe drift further from what was actually approved.

Practical implications

For compliance and risk leaders, four things follow from treating due diligence as a lifecycle problem rather than a one-time gate.

First, identify the events that should trigger a new look, not just a new date. A change in beneficial ownership, a new hit on a sanctions or watch list, litigation involving the vendor, or a material change in deal structure or payment intermediary are all more relevant than a calendar anniversary.

Second, treat public and semi-public signals as part of the program, not as background noise. Beneficial ownership registries, court filings, and corporate registry updates are often available before a vendor discloses anything voluntarily. A program that only asks the vendor directly will only find out what the vendor chooses to share.

Third, size the review to the change, not to the original onboarding. A minor subcontractor change does not need a full re-assessment. A change in beneficial ownership does. Treating every trigger the same way either overwhelms the team or trains it to ignore the signal.

Fourth, assign ownership of the monitoring function explicitly, separate from the team that conducted the original approval. A due diligence team measured on how many new vendors it clears has little incentive to flag that an already-approved vendor now looks different. Monitoring works better as a distinct responsibility, with its own signals and its own escalation path, rather than an afterthought bolted onto the onboarding process.

ISO 37001 gives organizations a real structure for assessing third-party risk at the point of onboarding. That structure was never designed to track what happens to a vendor after the file is closed, and most programs have not built anything to fill that gap.

The organizations that reduce third-party exposure over the next few years will not be the ones with the most thorough onboarding file. They will be the ones that know when the vendor they approved has become a different vendor — before a renewal date or an incident forces the issue.

Subscribe to our newsletter
Blog content:
Act now before attackers do
Unify deepfake simulations, personalized training, and risk analytics into a single platform that builds measurable defense.
Talk to an expert

How Zepo helps companies

When everything connects, results follow

Nadia Cappelletti

Digital Information Security Manager

I would recommend Zepo to colleagues at other companies because I believe it has met all our needs. It has allowed us to run three types of campaigns that other tools we have tried simply cannot do. And beyond the product itself, the support from the whole team has helped us get far more out of it.””

+9K

Employees Protected

–10%

Click Rate on Attacks

+18%

Training Completion Rate

Ramon Fernandez Blanco

Cybersecurity & Digital Product Manager

Since implementing Zepo, employee awareness has increased significantly. Employees now actively discuss cybersecurity and phishing campaigns, and suspicious emails are quickly reported instead of ignored.””

+600

Employees Protected

–15%

Credentials Submitted

+26%

Training Completion Rate

Jonathan Nelson

Director of Risk Intelligence

Zepo’s vision for a real-time, hyper-personalised, multi-platform cybersecurity solution is truly unique and stands head and shoulders above the competition”

+100

Employees Protected

Get Smarter Before Attackers Strike.