← Otros blogs

Your ISO 37001 due diligence file could be perfectly accurate, and still completely out of date

Most organizations treat third-party due diligence as a single gate: pass it once, and the relationship stays cleared. That approach assumes the vendor approved on day one is the same vendor a year later. ISO 37001 due diligence exposes what happens when that assumption breaks: ownership changes, a new intermediary enters the deal, the vendor expands into a market nobody reviewed, and nothing in most compliance programs notices. This is not a documentation failure or a reviewer's judgment call. It is a monitoring gap, and it is measurable before it becomes an incident.
Compliance
Human risk management

A vendor passes due diligence. The file is complete, accurate, and signed off. Eighteen months later, the same vendor is at the center of a compliance investigation.

Nothing in the file was wrong. The ownership structure it described was accurate the day it was filed. The risk profile it assessed matched the vendor as it existed at the time. What changed is the vendor. It restructured its ownership. It brought in a new intermediary to handle a specific market. Neither of those changes reached the compliance team, because nothing in the program was built to notice them.

Due diligence approves a moment, not a relationship

ISO 37001's due diligence requirements ask an organization to assess a business partner before the relationship begins: the nature of the relationship, the risk profile of the jurisdiction, the identity of beneficial owners, any red flags in the partner's history. That assessment produces a snapshot, accurate at the moment it is taken.

The relationship that follows is not a snapshot. It is ongoing, and it changes in ways the original file has no mechanism to capture. A vendor cleared at onboarding is not contractually obligated to stay the same vendor for the life of the contract, and in practice, many do not.

What actually changes after approval

The changes that matter rarely look dramatic from the outside. A beneficial owner sells a stake to a new investor. The vendor brings on a local partner to handle regulatory requirements in a market it just entered. A subcontractor takes over part of the delivery that used to be handled directly. The payment route shifts to accommodate a new banking relationship.

Any one of these can move a vendor from the risk profile that was approved to one that was never reviewed. None of them require the vendor to notify the organization that approved them, and few compliance programs have a process for finding out independently.

Consider a logistics vendor approved two years ago to handle regional distribution. Its ownership was straightforward at the time: two founders, no external investors, no operations outside the country where the contract was signed. Since then, a private equity fund has acquired a majority stake, the vendor has opened operations in two new countries to support a larger client, and it now routes part of its payments through a regional subsidiary that did not exist at approval. None of that required notifying the company that approved it. On paper, it is still the vendor that passed due diligence two years ago. In practice, it is a different company operating under the same name.

Why most programs have no re-trigger

Most due diligence programs renew on a calendar: annually, or every two years, regardless of what has happened to the vendor in between. That cadence works for vendors that genuinely do not change. It does nothing for the ones that do, because the renewal date has no relationship to the date the ownership structure actually shifted.

There is a resourcing logic behind the calendar-based approach, and it is not unreasonable on its own. Reviewing every vendor relationship continuously would overwhelm most compliance teams, and a full re-assessment of every relationship every quarter would cost more than the risk it is managing. The problem is not that programs ration review effort. It is that they ration it by date instead of by relevance, treating a vendor that changed dramatically last month the same as one that has been stable for a decade, simply because neither has reached its renewal date yet.

The result is a gap measured in time, not in judgment. A vendor can drift substantially away from its approved risk profile and remain, on paper, a cleared vendor for months or years, simply because the next scheduled review has not arrived yet.

Key insight: the file can be accurate and still be wrong

The instinct when an incident traces back to a long-approved vendor is to ask whether the original due diligence was thorough enough. Often, it was. The file described the vendor correctly, at the time.

The failure is not in what the file said. It is in the absence of anything that would have flagged the moment the file stopped being true. A compliance program measured by whether its due diligence files are complete will always look healthy, even while the relationships those files describe drift further from what was actually approved.

Practical implications

For compliance and risk leaders, four things follow from treating due diligence as a lifecycle problem rather than a one-time gate.

First, identify the events that should trigger a new look, not just a new date. A change in beneficial ownership, a new hit on a sanctions or watch list, litigation involving the vendor, or a material change in deal structure or payment intermediary are all more relevant than a calendar anniversary.

Second, treat public and semi-public signals as part of the program, not as background noise. Beneficial ownership registries, court filings, and corporate registry updates are often available before a vendor discloses anything voluntarily. A program that only asks the vendor directly will only find out what the vendor chooses to share.

Third, size the review to the change, not to the original onboarding. A minor subcontractor change does not need a full re-assessment. A change in beneficial ownership does. Treating every trigger the same way either overwhelms the team or trains it to ignore the signal.

Fourth, assign ownership of the monitoring function explicitly, separate from the team that conducted the original approval. A due diligence team measured on how many new vendors it clears has little incentive to flag that an already-approved vendor now looks different. Monitoring works better as a distinct responsibility, with its own signals and its own escalation path, rather than an afterthought bolted onto the onboarding process.

ISO 37001 gives organizations a real structure for assessing third-party risk at the point of onboarding. That structure was never designed to track what happens to a vendor after the file is closed, and most programs have not built anything to fill that gap.

The organizations that reduce third-party exposure over the next few years will not be the ones with the most thorough onboarding file. They will be the ones that know when the vendor they approved has become a different vendor — before a renewal date or an incident forces the issue.

Escrito por:
Suscríbase a nuestro boletín
Contenido
Actúa ahora antes de que lo hagan los atacantes
Unifique las simulaciones de deepfake, la formación personalizada y el análisis de riesgos en una única plataforma que cree una defensa mensurable.
Hable con un experto

Cómo Zepo ayuda a las empresas

Cuando todo se conecta, los resultados llegan

Nadia Cappelletti

Gerente de Seguridad de la Información Digital

Recomendaría Zepo a colegas de otras empresas porque creo que ha satisfecho todas nuestras necesidades. Nos ha permitido ejecutar tres tipos de campañas que otras herramientas que hemos probado simplemente no pueden hacer. Y más allá del producto en sí, el apoyo de todo el equipo nos ha ayudado a sacarle mucho más partido.”

+9K

Empleados Protegidos

–10%

Tasa de clics en ataques

+18%

Tasa de finalización de la capacitación

Ramon Fernandez Blanco

Ciberseguridad y Gerente de Producto Digital

Desde la implementación de Zepo, la concienciación de los empleados ha aumentado significativamente. Los empleados ahora debaten activamente sobre ciberseguridad y campañas de phishing, y los correos electrónicos sospechosos se reportan rápidamente en lugar de ser ignorados.”

+600

Empleados Protegidos

–15%

Credenciales enviadas

+26%

Tasa de finalización de la capacitación

Jonathan Nelson

Director de Inteligencia de Riesgos

La visión de Zepo para una solución de ciberseguridad en tiempo real, hiperpersonalizada y multiplataforma es verdaderamente única y está muy por encima de la competencia”

+100

Empleados Protegidos

Anticípate antes de que ataquen.