Customer Due Diligence Questionnaires vs ISO Certification
Why ISO Certification Is Replacing the Customer Due Diligence Questionnaire
Procurement teams and risk functions in large organisations spend considerable time each year sending, chasing, and reviewing customer due diligence questionnaires. Suppliers fill them in. Assessors score them. Findings get filed. Then, twelve months later, the cycle begins again, often with a slightly different questionnaire, sent by a different team, asking substantially the same questions.
The questionnaire has become the default instrument for vendor risk assessment not because it is reliable, but because it is familiar. Its weaknesses are well understood internally and rarely acknowledged externally.
The first problem is verification. A questionnaire captures what a supplier says about its controls at a point in time. It does not verify whether those controls exist, whether they are operating, or whether they will still be in place when the relationship matters most. A vendor can give the expected answer to every question and still have no functioning information security programme; the questionnaire has no mechanism to detect the difference.
The second problem is resource consumption on both sides. A large enterprise might maintain relationships with hundreds of suppliers. Each supplier, in turn, might receive questionnaires from dozens of customers. For the supplier, answering becomes an administrative function disconnected from actual security improvement. For the enterprise, reviewing responses becomes a volume problem that degrades the quality of assessment rather than improving it.
ISO/IEC 27001, the international standard for information security management systems published jointly by the International Organization for Standardization and the International Electrotechnical Commission, addresses both problems directly. Certification against ISO/IEC 27001 means an accredited, independent certification body has audited the supplier's information security management system (ISMS) and confirmed it meets the requirements of the standard. That audit covered not just documented policies but evidence of implementation, internal audit records, management review, and continual improvement mechanisms. The certification is not self-reported. It cannot be completed by ticking boxes.
ISO/IEC 27001:2022 addresses supplier relationships explicitly in Annex A: control 5.19 (information security in supplier relationships), with 5.20 to 5.22 covering supplier agreements, the ICT supply chain, and monitoring of supplier services. Because every Annex A control must be either implemented or justified as excluded in the organisation's Statement of Applicability, third-party information security is a formal, auditable obligation rather than a best-practice recommendation.
For a Risk Officer or procurement lead, the practical difference is significant. Accepting a current ISO/IEC 27001 certificate from a supplier whose certified scope covers the engagement replaces a questionnaire that would have taken both parties weeks to complete with evidence that an independent auditor has already gathered and verified. The certificate does not answer every specific question a customer might have, but it answers the foundational ones: Does this organisation have a structured approach to identifying and managing information security risk? Is it subject to independent scrutiny? Is there a functioning system behind the controls?
Some organisations have formalised this distinction by creating tiered supplier categories. High-risk suppliers handling sensitive data or providing critical services are required to hold ISO/IEC 27001 certification as a condition of the relationship. Lower-risk suppliers may still complete a shortened questionnaire, but that questionnaire is calibrated to what certification cannot address (contract-specific data handling practices, breach notification timelines, and jurisdiction-specific obligations) rather than duplicating what an audit has already established.
The governance dimension matters here in a way that neither practitioners nor software vendors tend to articulate clearly. A Board Director approving a supplier risk framework is not approving a list of questions. They are approving a methodology for determining whether the organisation’s supply chain is appropriately controlled. A methodology that relies on self-reported questionnaires carries inherent limitations that a certification-anchored approach does not. When a data incident occurs and the question arises as to what due diligence was performed, a certificate from an accredited body is materially stronger evidence than a completed spreadsheet.
| Comparison | Customer Due Diligence Questionnaire | ISO/IEC 27001 Certification |
|---|---|---|
| Verification of controls | Self-reported | Independently audited |
| Frequency of assessment | Typically annual, on request | Surveillance audits annually, full recertification every 3 years |
| Consistency across customers | Variable — each customer sends different questions | Consistent — one standard, one audit scope |
| Coverage of management system | Depends on questionnaire design | Comprehensive — covers risk, assets, people, suppliers, incidents |
| Resource burden on supplier | High — multiple questionnaires from multiple customers | Upfront investment; reduces per-customer burden significantly |
| Admissibility as governance evidence | Limited | Strong |
The shift is not without nuance. ISO/IEC 27001 certification has a defined scope, and that scope matters. A supplier certified for one business unit, one site, or one service line may not have an ISMS covering the specific engagement being assessed. Reviewing the certificate scope is a non-negotiable step, as is confirming that the certificate is current, that the issuing body is accredited (the accreditation mark on the certificate can be checked with the named accreditation body), and, where the engagement warrants it, reviewing the supplier's Statement of Applicability for excluded controls. Equally, certification confirms that a management system exists and has been audited; it does not substitute for contractual data processing agreements, specific security requirements written into service terms, or the organisation's own internal risk appetite decisions.
RACERT audits and certifies organisations against ISO/IEC 27001 and other international management system standards. For procurement and risk teams building supplier assessment frameworks, understanding what certification means and what it does not mean is essential to applying it correctly as a due diligence instrument.
Organisations that have made certification a standard condition for strategic suppliers consistently report two outcomes. The first is a reduction in administrative overhead on both sides of the relationship. The second, less visible but more significant, is an improvement in the quality of the risk conversation. When both parties know the supplier’s management system has been independently assessed, the discussion can move from ‘do you have a policy?’ to ‘how does your system handle this specific risk scenario?’ That is a more productive conversation for a CISO or Risk Officer to be having.
The customer due diligence questionnaire will not disappear. It remains useful for specific, targeted questions that certification does not address, and for lower-risk relationships where the cost of certification is disproportionate to the risk. But as a primary instrument for assessing information security across a supplier base, it is increasingly hard to justify when independent certification is available and when the resource cost of questionnaire cycles is visible and measurable.
For executive teams setting supplier governance policy, the question is no longer whether ISO/IEC 27001 is a sufficient standard for due diligence. It is whether the organisation’s current questionnaire process is providing materially better assurance than an independent audit; and for most, the honest answer is that it is not. Accepting certification as primary evidence, supported by targeted supplementary questions where the risk warrants it, is the model that reflects both the operational and governance realities of mature third-party risk management. When that certification has been issued by a body like RACERT, operating under accreditation and applying the full rigour of an independent audit, it carries weight that no self-assessment instrument can replicate.