Hello, you are using an old browser that's unsafe and no longer supported. Please consider updating your browser to a newer version, or downloading a modern browser.

Global Accelerated Learning • Est. 1999
Glossary Term Due Care

Training Camp • Cybersecurity Glossary

What is Due Care?

The reasonable level of prudence and precaution an organization is expected to take to protect systems and data - the ongoing "prudent person" standard whose absence can mean negligence.

Glossary > Governance, Risk & Compliance > Due Care

Due Care — The reasonable level of prudence and precaution an organization is expected to take to protect systems and data

Understanding Due Care

Due care is the legal and security concept describing the reasonable judgment, prudence, and precautions an organization is expected to exercise to protect systems and data from foreseeable threats. It is the ongoing practice of acting as a reasonable, prudent person would under the circumstances; failing to do so can constitute negligence and create legal liability.

Due care operates as a standard of conduct measured against what peers and regulators consider reasonable. It is closely tied to due diligence: due diligence is the investigation and assessment of risks (gathering the facts), while due care is the action of putting and keeping protective measures in place based on that understanding. In practice an organization demonstrates due care by maintaining security policies, deploying and operating controls, patching systems, training staff, performing risk assessments, and monitoring for emerging threats - and documenting all of it.

Due care matters because courts, regulators, and contractual partners judge an organization's response to incidents against this standard. Demonstrable due care can limit liability after a breach and is implicit in frameworks such as ISO/IEC 27001 and the NIST Cybersecurity Framework, which expect risk-based, continuously maintained controls. Without it, an organization that suffers a foreseeable breach may be found negligent, facing fines, lawsuits, and reputational harm - regardless of whether it had paper policies.

For example, a cloud service provider exercises due care by keeping systems current with security patches, enforcing access controls and encryption, conducting regular vulnerability testing, training employees on phishing, and maintaining compliance with relevant standards. If a breach later occurs despite these reasonable, documented measures, the provider can show it acted prudently. A competitor that ignored known critical patches for months would, by contrast, struggle to show due care and would more likely be deemed negligent.

Learn More About Due Care:

Ready to Get Certified?

Due Care is one of the topics you'll master in the CISSP Boot Camp.

CISSP Boot Camp →