Security governanceSecurity principlesIntermediate23 min read

What Is Due care? Security Definition

Reviewed byJohnson Ajibi· Senior Network & Security Engineer · MSc IT Security
On This Page

Quick Definition

Due care means doing what a reasonable person would do to keep data and systems safe. It is about being careful and responsible when handling information, following security policies, and fixing problems quickly. In IT, it means paying attention to security basics like patching, training, and oversight.

Commonly Confused With

Due carevsDue diligence

Due diligence is the investigation and analysis performed before making a decision, such as assessing the security of a vendor before signing a contract. Due care is the ongoing implementation of protective measures after the decision is made. One is about research, the other about action.

Before hiring a cloud provider, you check their security certifications (due diligence). After signing the contract, you monitor their performance and enforce access controls (due care).

Due carevsNegligence

Negligence is the failure to exercise the care that a reasonable person would take, resulting in harm. Due care is the standard of behavior that prevents negligence. If you fail to exercise due care, you are negligent. Negligence is the consequence, due care is the required behavior.

If you do not lock the door to your server room (lack of due care) and someone steals servers (harm), you are negligent.

Due carevsCompliance

Compliance means following specific rules or laws, like HIPAA or PCI DSS. Due care is a broader concept that includes compliance but also goes beyond it. You can be compliant with a regulation but still fail to exercise due care if the regulation does not cover all reasonable protections.

A hospital follows HIPAA rules exactly (compliance) but does not train employees on social engineering. When an employee falls for a phishing attack, the hospital failed due care even though it was 'compliant' with some rules.

Due carevsRisk management

Risk management is the overall process of identifying, assessing, and responding to risks. Due care is the part of risk management that involves implementing controls and monitoring them. Risk management includes both due diligence (assessing risks) and due care (acting on them).

Risk management includes a risk register and decision-making. Due care is what happens when you actually install a firewall or train your staff based on those decisions.

Must Know for Exams

Due care is a core concept for all three exams listed: CISSP, Security+, and ISC2 CC. It appears most prominently in domain areas covering security governance, risk management, and legal and regulatory compliance.

For the CISSP (ISC2), due care is a primary concept in Domain 1: Security and Risk Management. This domain includes topics like security governance, legal and regulatory compliance, and ethics. The CISSP exam will ask candidates to distinguish between due care and due diligence, and to apply the concept in scenario-based questions. You may be presented with a scenario where a company failed to patch a critical vulnerability and suffered a breach. The question might ask what the company failed to exercise. The correct answer is due care. CISSP questions often test the subtle difference: due diligence is the investigation before a decision, while due care is the ongoing protection after that decision.

For the CompTIA Security+ exam, due care appears in Domain 5: Governance, Risk, and Compliance. Security+ focuses on practical implementation, so questions often involve recognizing examples of due care in policies, training, and technical controls. You might see a question like: A company requires all employees to complete annual security awareness training. Which concept does this demonstrate? The answer is due care. Security+ also tests the legal consequences of failing to exercise due care, such as negligence and liability.

For the ISC2 Certified in Cybersecurity (CC) exam, due care is part of Domain 1: Security Principles. The CC exam is an entry-level certification, so questions are more straightforward. They often ask for the definition or a simple example of due care. For instance: An organization regularly updates its antivirus software and patches its systems. This is an example of which security principle? The answer is due care.

Across all three exams, you should expect multiple-choice questions that present a real-world scenario and ask you to identify the missing element. The traps often involve confusing due care with due diligence, or with specific controls like encryption or firewalls. Remember that due care is the overall duty, not a specific control. It is the reason you implement the control, not the control itself. If you keep that distinction clear, you will answer these questions correctly.

Simple Meaning

Imagine you are a babysitter watching a toddler. Due care means you do everything a reasonable babysitter would do to keep the child safe: you lock the front door, you keep dangerous items out of reach, you watch the child closely, and you put away toys so no one trips. You do not just hope nothing bad happens; you actively take small, sensible steps to prevent accidents. If you were careless and the child got hurt, you would be considered negligent because you did not follow basic safety rules.

In the IT world, due care works exactly the same way. An organization collects and stores huge amounts of private data like customer names, credit card numbers, and medical records. Due care is the responsibility to protect that data with reasonable security measures. This includes installing antivirus software, updating systems with security patches, requiring strong passwords, training employees not to click on phishing links, and having an incident response plan in case something goes wrong. It does not mean the organization needs to hire a secret agent or spend millions on every possible gadget. Due care is about being practical and doing the common-sense things that any competent security professional would do.

If a company does not practice due care and a hacker breaks in because they left a server unpatched for three years, that company could be found negligent in court. Courts and regulators ask whether the organization acted the way a reasonable, careful organization would have acted under the same circumstances. If the answer is no, the organization could face fines, lawsuits, and reputational damage. So due care is not just a good idea; it is a legal and professional baseline for anyone working with sensitive information. It is the foundation of trust between a company and its customers.

Full Technical Definition

Due care is a legal and governance concept in information security that refers to the standard of conduct expected of a prudent organization to protect the confidentiality, integrity, and availability of its information assets. In a technical sense, due care is demonstrated through the implementation of security controls, policies, and procedures that are aligned with industry standards such as ISO 27001, NIST SP 800-53, and regulatory frameworks like GDPR, HIPAA, PCI DSS, and SOX. It is the active, ongoing process of identifying risks, deploying safeguards, and monitoring their effectiveness.

From an IT implementation perspective, due care involves several concrete activities. The organization must conduct regular risk assessments to identify vulnerabilities and threats. Based on those assessments, it must select and deploy appropriate administrative, technical, and physical controls. Technical controls include firewalls, intrusion detection systems, endpoint protection, encryption at rest and in transit, multi-factor authentication, and rigorous patch management. Administrative controls include security policies, standard operating procedures, background checks for employees, and mandatory security awareness training. Physical controls include locked server rooms, badge access systems, and surveillance cameras.

Due care also requires continuous monitoring and improvement. It is not a one-time checklist. Organizations must regularly test their controls through vulnerability scans, penetration tests, and audit reviews. They must log and analyze security events, respond to incidents promptly, and document everything to provide evidence of due care. If a breach occurs, regulators and courts will examine whether the organization had a reasonable security program in place, whether it followed its own policies, and whether it acted quickly to contain and remediate the incident. The legal standard is often based on what a similarly situated organization would have done, considering factors like industry, size, and the sensitivity of the data.

In the context of IT certifications like the CISSP, Security+, and ISC2 CC, due care is a foundational concept that appears in domains related to security governance, risk management, and legal compliance. It is closely tied to the concept of due diligence, which is the investigation and assessment of risks before making a decision, while due care is the ongoing implementation of protective measures after the decision is made. Understanding due care helps professionals design security programs that are legally defensible and operationally effective.

Real-Life Example

Think of due care like maintaining a car. When you own a car, you have a responsibility to keep it safe for yourself and others on the road. Due care means you regularly check the oil, replace worn tires, fix the brakes when they start squeaking, and take it for scheduled maintenance. You do not wait until the engine fails on the highway. You also do not just ignore the check engine light because you are busy. A responsible driver proactively takes care of small issues before they become big, dangerous problems.

Now map this to IT. The organization is the car owner, and the IT systems are the car. Due care means the IT team runs regular security scans instead of waiting for a breach. They install security patches every month instead of putting them off for a year. They train employees to recognize phishing emails instead of assuming everyone will be careful on their own. They back up critical data every night so that if ransomware hits, they can restore without paying the criminals.

If you neglect your car, and you get into an accident because your brakes failed, you are legally responsible due to negligence. Similarly, if a company neglects its IT security and suffers a data breach, it can be held legally liable for failing to exercise due care. The analogy is powerful because it shows that due care is not about being perfect; it is about being reasonable and proactive. Every small maintenance step adds up to a much safer system.

Why This Term Matters

Due care matters in practical IT because it directly affects an organization's legal liability, financial stability, and reputation. When a company handles customer data, it is not just a technical responsibility; it is a legal one. Laws like GDPR in Europe, HIPAA in healthcare, and PCI DSS for credit card data all require organizations to take reasonable steps to protect data. If a company fails to do so and suffers a breach, regulators can impose massive fines. For example, under GDPR, fines can be up to 4% of global annual revenue. That is a level of financial risk that no board of directors can ignore.

Beyond fines, there is the risk of lawsuits. Customers, employees, or partners whose data is exposed can sue the company for negligence. In court, the central question will be whether the company exercised due care. The company will need to show evidence that it had a security policy, that it trained employees, that it patched systems, and that it monitored for threats. Without that evidence, the company is likely to lose the lawsuit and pay damages.

Due care also matters for professional IT practitioners. When you work as a security analyst, network administrator, or compliance officer, you are expected to recommend and implement reasonable controls. If you ignore a known vulnerability or skip a critical patch, you could be personally contributing to a breach. Understanding due care helps you prioritize your work and justify security spending to management. It turns security from a nice-to-have into a must-have. For IT professionals holding certifications like CISSP or Security+, due care is not just a concept to memorize; it is a principle that guides real-world decision-making every day.

How It Appears in Exam Questions

In exam questions, due care typically appears in scenario-based multiple-choice questions that test your ability to recognize when an organization has or has not met its security responsibilities. One common pattern is the "negligence discovery" question. The scenario will describe a data breach followed by an investigation that reveals the company had not patched a known critical vulnerability for over a year, did not have a security policy, and did not conduct background checks on employees. The question will then ask: What legal concept did the company fail to uphold? The correct answer is due care. The distractors often include due diligence, risk assessment, or confidentiality.

Another frequent pattern is the "comparison" question. The exam might present two companies. Company A performed a thorough risk assessment before adopting a new cloud service (due diligence). Company B performs monthly vulnerability scans and applies patches within two weeks of release (due care). The question asks which company is practicing due care. You need to recognize that due care is the ongoing protective action, while due diligence is the upfront investigation.

A third pattern is the "professional responsibility" question. The scenario describes a security professional who discovers a critical vulnerability but delays reporting it because they are busy. The question asks what ethical and legal principle the professional violated. The answer is due care because the professional has a duty to act reasonably to protect the organization's assets. This type of question is common on the CISSP exam, which emphasizes ethics and professional responsibility.

There are also "policy implementation" questions. For example: A company implements a mandatory password policy requiring 12-character passwords and multi-factor authentication. This is an example of which concept? Due care. Or: A company hires an external auditor to review its security controls annually. This is due care because it demonstrates ongoing monitoring and improvement.

Finally, pay attention to questions that ask about the consequences of failing to exercise due care. The correct answer is usually negligence or legal liability. The question might ask: A healthcare provider suffers a data breach because it did not encrypt patient records as required by HIPAA. What is the most likely outcome? The answer: The provider may be found negligent and face fines and lawsuits. Understanding the link between due care, due diligence, and legal outcomes is critical for exam success.

Practise Due care Questions

Test your understanding with exam-style practice questions.

Practise

Example Scenario

You work as an IT administrator for a mid-sized company that processes online payments. The company stores customer credit card numbers in a database for recurring billing. One day, you notice that the database server is running an old version of the operating system that is no longer supported by the vendor. The vendor stopped releasing security patches two years ago. You mention this to your manager, but the manager says the server is too critical to take down for an upgrade, and the company will deal with it later.

Six months later, a hacker exploits a known vulnerability in that unsupported server and steals thousands of credit card numbers. The company is now facing a lawsuit from affected customers and an investigation by the Payment Card Industry (PCI) Security Standards Council. During the investigation, it comes out that the company had no formal patch management policy, no vulnerability scanning schedule, and no documented process for handling security issues. Your earlier email about the outdated server was never acted upon.

In this scenario, the company clearly failed to exercise due care. A reasonable organization handling credit card data would have kept its systems patched, especially when a vendor stops supporting the software. The company ignored a known risk and did not take the basic steps needed to protect customer data. As a result, the company is likely to be found negligent and will face significant fines, legal costs, and reputational damage. This scenario underscores why due care is not optional; it is a fundamental part of running a trustworthy IT operation.

Common Mistakes

Confusing due care with due diligence.

Due diligence is the investigation and assessment of risks before making a decision, while due care is the ongoing implementation of protective measures after the decision is made. They are related but distinct steps in the risk management process.

Remember: due diligence = research before you act; due care = action after you decide. Due diligence happens first, due care happens continuously.

Thinking due care means perfection or eliminating all risk.

Due care is about reasonableness, not perfection. No organization can prevent every possible attack. The standard is what a prudent organization would do under similar circumstances, not an impossible zero-risk standard.

Think of due care as doing what a careful, reasonable person would do. It is about reducing risk to an acceptable level, not eliminating it entirely.

Believing due care is only a legal or compliance concept with no technical relevance.

Due care is deeply technical because it requires implementing specific controls like patching, encryption, logging, and monitoring. It is not just paperwork; it is the daily work of securing systems.

Understand that due care is demonstrated through technical actions: patch your servers, run vulnerability scans, enforce strong authentication, and back up data.

Assuming due care is a one-time project or checklist.

Due care is an ongoing, continuous process. Security threats evolve, so controls must be updated, tested, and improved over time. A single annual audit does not constitute due care.

Treat due care as a cycle: assess, implement, monitor, improve. It never ends. Regularly review and adjust your security measures.

Thinking that having a security policy alone is sufficient for due care.

A written policy is only the starting point. Due care requires that the policy be implemented, enforced, and regularly audited. A policy that sits in a drawer and is never followed does not demonstrate due care.

Make sure your organization not only has policies but also trains employees, enforces compliance, and audits adherence. Evidence of enforcement is critical.

Exam Trap — Don't Get Fooled

{"trap":"The exam presents a scenario where a company performed a detailed risk assessment and chose to accept a risk instead of mitigating it. The question asks whether the company exercised due care. Many learners answer 'no' because they believe due care requires mitigating all risks."

,"why_learners_choose_it":"Learners often think due care means implementing every possible control. They do not recognize that accepting a risk after a proper assessment can be a legitimate due care decision if it is documented and approved by management.","how_to_avoid_it":"Remember that due care includes making informed, documented risk acceptance decisions.

If the organization performed due diligence (thorough risk assessment) and then consciously decided to accept a risk with management sign-off, that can be part of a reasonable due care program. The key is the process, not the outcome. An organization does not have to mitigate every risk to exercise due care."

Step-by-Step Breakdown

1

Identify assets and risks

You first identify what you need to protect: customer data, financial records, intellectual property, and critical systems. Then identify the threats to those assets, such as hackers, malware, insider threats, or natural disasters. This step sets the scope of your due care program.

2

Assess vulnerabilities

Perform vulnerability scans, penetration tests, and audits to find weaknesses in your systems, policies, and practices. For example, an unpatched server or weak password policy is a vulnerability. Understanding your vulnerabilities helps you prioritize where to apply due care.

3

Implement reasonable controls

Based on your assessment, deploy technical, administrative, and physical controls. This includes firewalls, encryption, access controls, employee training, and backup procedures. The controls must be reasonable given the risk level, industry standards, and available resources.

4

Document policies and procedures

Write clear security policies, incident response plans, and standard operating procedures. Documentation provides evidence that you have thought through security and established a baseline for behavior. It also helps with training and audits.

5

Train and communicate

All employees must know their security responsibilities. Conduct regular security awareness training on topics like phishing, password hygiene, and data handling. Training ensures that due care is not just the IT team's job but a company-wide responsibility.

6

Monitor and enforce

Continuously monitor systems for suspicious activity using tools like SIEM, intrusion detection, and log analysis. Enforce policies consistently, such as requiring multi-factor authentication or locking accounts after failed attempts. Monitoring shows that due care is active, not just theoretical.

7

Review and improve

Conduct periodic reviews, audits, and lessons learned exercises after incidents. Update controls and policies as new threats emerge or as the organization changes. Due care is a cycle, not a one-time action. Continuous improvement is essential.

Practical Mini-Lesson

Due care is a concept that every IT professional must internalize because it is the bridge between good intentions and actual security. In practice, due care means you do not just know what the right thing to do is; you actually do it, and you document that you did it. This is crucial because in the event of a breach or audit, you will need to prove that you acted reasonably.

Let us walk through a practical scenario. You are a security manager at a financial services company. Your CEO asks you to prove the company is exercising due care. Where do you start? The first step is to have a documented risk assessment. If you do not know your risks, you cannot possibly address them reasonably. So you pull together a list of critical assets, a threat assessment, and a vulnerability report. This becomes the foundation.

Next, you look at your technical controls. Do you have firewalls properly configured? Are all endpoints running updated antivirus? Is encryption enabled on laptops and databases? You create a control matrix mapping each risk to a control. Then you check the logs to see if those controls are actually working. For example, if your firewall rule blocks certain traffic, but your logs show no blocked attempts, maybe the rule is misconfigured. Due care requires you to validate, not just assume.

Then comes the human element. Due care requires that employees are trained. You should be able to produce training records showing that 100% of employees completed security awareness training in the last 12 months. You should also have phishing simulation results showing improvement. If an employee clicks on a phishing link, due care means you have a process to retrain them and escalate repeated failures.

What can go wrong? A common failure is that organizations implement controls but do not maintain them. For example, a company buys a next-generation firewall but never updates its firmware or reviews its rule base. That is not due care; it is a false sense of security. Another failure is relying on a single control, like antivirus, while ignoring patching or access controls. Due care requires a layered defense.

Professionals need to know that due care is not just about avoiding legal trouble; it is about building a security culture. When due care is practiced consistently, it becomes part of everyday operations. New employees are onboarded with security training, changes go through a change management process, and incidents are documented and learned from. This culture is what makes an organization resilient.

Finally, remember that due care is a standard that evolves. What was reasonable five years ago may not be reasonable today because threats and technology change. Staying current with industry standards like NIST or ISO 27001 helps ensure that your due care program remains defensible. As an IT professional, your role is to advocate for continuous investment in security, not as a cost, but as a fundamental part of due care.

Memory Tip

Care comes after the deal: Due Diligence is the research before the decision (the 'deal'), Due Care is the protection after the decision. Care = ongoing action.

Covered in These Exams

Current Exam Context

Current exam versions that test this topic — use these objectives when studying.

Related Glossary Terms

Frequently Asked Questions

What is the difference between due care and due diligence?

Due diligence is the investigation and analysis performed before making a decision, such as vetting a vendor. Due care is the ongoing implementation and monitoring of security controls after the decision is made. They are two sides of the same coin, but one is proactive research and the other is continuous action.

Is due care a legal requirement?

Yes, in many jurisdictions, due care is a legal standard. If an organization fails to exercise due care and suffers a data breach, it can be found negligent and held liable for damages. Regulations like GDPR, HIPAA, and PCI DSS essentially codify due care requirements.

Can a small business afford to practice due care?

Absolutely. Due care is about reasonableness, not spending a lot of money. A small business can demonstrate due care by using free or low-cost tools, implementing strong passwords, training employees, keeping software updated, and backing up data. The key is to be proactive and document your efforts.

How do I prove that my organization practices due care?

You prove due care through documentation: risk assessments, security policies, training records, patching logs, incident reports, and audit results. In a legal or regulatory investigation, these documents serve as evidence that you took reasonable steps to protect data.

Does due care require me to implement every security control available?

No. Due care only requires controls that are reasonable and appropriate for your organization's size, industry, and risk profile. You do not need a military-grade security system for a small retail store. The standard is what a prudent organization in your situation would do.

What happens if I fail to exercise due care?

Failing to exercise due care can lead to legal negligence claims, regulatory fines, loss of customer trust, and increased costs from breach remediation. In some cases, executives or IT professionals can face personal liability if they knowingly ignored security risks.

Is due care the same as compliance?

No. Compliance means following specific rules, but due care is broader. You can be compliant with some regulations and still fail due care if you ignore other obvious risks. For example, you might comply with PCI DSS but still fail to train employees on social engineering, leaving you vulnerable.

Summary

Due care is a foundational concept in information security that represents the legal and ethical duty to take reasonable steps to protect sensitive data and systems. It is not about perfection or eliminating all risk; it is about being proactive and doing what a prudent organization would do under similar circumstances. This includes identifying assets and risks, implementing appropriate controls, training employees, monitoring systems, and continuously improving security practices.

Why does due care matter? Because failing to exercise due care can result in legal negligence, massive fines, lawsuits, and irreparable damage to an organization's reputation. For IT professionals, understanding and applying due care is essential for building trust with customers and for defending your organization in the event of a breach. It is not just a concept for the legal team; it is a daily discipline for everyone involved in securing information.

For exams like CISSP, Security+, and ISC2 CC, due care is a regularly tested topic. You must be able to distinguish it from due diligence, recognize it in scenario-based questions, and understand its legal implications. The key exam takeaway is that due care is the ongoing, active protection of assets, supported by documentation and continuous improvement. Master this concept, and you will be better prepared for both the exam and your career in IT security.