Privacy Laws and Global Compliance (Domain 5)
Compliance is not a one-time task. It is a continuous process that requires monitoring, documentation, and action. It requires organizations to show—not just say—that they are doing the right things for the right reasons. In this episode, we begin a two-part series on effective compliance monitoring. Today, we focus on two essential foundations of a well-monitored compliance program: due diligence and due care, and the use of attestation and acknowledgement to formally document compliance activities.
Let’s begin with due diligence and due care. These two concepts are often discussed together, but they serve different roles in compliance.
Due diligence refers to the research and investigation performed before an action is taken. It is a proactive process. In the world of cybersecurity compliance, due diligence involves identifying risks, reviewing policies, evaluating third-party vendors, conducting internal audits, and ensuring that business decisions are made with a full understanding of their potential security impact.
For example, if your organization is evaluating a new cloud service provider, due diligence would involve reviewing the provider’s certifications, requesting penetration test summaries, reading through their service-level agreements, and checking whether they comply with relevant regulations like the General Data Protection Regulation or the Health Insurance Portability and Accountability Act. Due diligence happens before you sign a contract. It is about avoiding mistakes before they happen.
Due care, by contrast, refers to the steps you take after a decision is made to protect assets, enforce controls, and demonstrate responsible behavior. It is about ongoing attention and effort. For example, once that cloud provider is in use, due care would involve monitoring access logs, applying patches, training staff, reviewing incident reports, and ensuring that data transfers meet policy requirements.
Due diligence is the thought that goes into choosing wisely. Due care is the effort that goes into managing wisely. Together, they form the basis of responsible cybersecurity governance.
Let’s consider a practical scenario. A healthcare organization is rolling out a new digital platform for managing patient data. Before implementation, the compliance team performs due diligence by evaluating the vendor’s security practices, confirming regulatory alignment, and reviewing third-party audit reports. After selecting the vendor and launching the platform, the organization shifts into due care—enforcing role-based access control, updating training materials, and conducting quarterly reviews of system logs. If a breach were to occur, the organization would be able to demonstrate that it acted responsibly both before and after implementation. This combination of due diligence and due care is what regulators and auditors look for.
Demonstrating due diligence and due care is not just about avoiding mistakes—it’s about proving intent. Regulators understand that no organization is perfect and that breaches happen. What matters is whether the organization made a genuine, documented effort to protect data, meet standards, and reduce risk. When those efforts are visible and traceable, fines may be reduced, legal outcomes may be more favorable, and public trust is easier to maintain.
Another example comes from vendor management. A retail company outsources customer support to a third-party provider. As part of its due diligence, the company ensures that the vendor uses encrypted communication, background-checks employees, and has an incident response plan. Later, when the vendor experiences a minor security incident, the retailer is able to demonstrate that it did its due diligence by requiring those safeguards. It also shows due care by conducting a post-incident review, updating controls, and reinforcing training. As a result, regulators accept the explanation and require no further action. The clear evidence of both due diligence and due care prevented the situation from escalating.
Due diligence and due care are also important when responding to new regulations. Let’s say your country introduces a new law requiring breach notifications within seventy-two hours. Performing due diligence means studying the law, understanding its requirements, and updating your policy. Exercising due care means testing your notification process, conducting tabletop exercises, and ensuring your staff knows how to respond. Compliance is not just about reading the law—it is about building it into your operations.
Now let’s turn to the second topic in today’s episode: attestation and acknowledgement. These are two forms of documentation that support compliance monitoring by capturing formal evidence of individual or organizational responsibility.
Attestation refers to a signed or recorded statement confirming that a task has been completed, a condition has been met, or a control is in place. Attestations can be made by employees, vendors, auditors, or executives. For example, a system administrator might sign an attestation that a critical server was patched by a certain date. A vendor might submit an attestation letter stating that they meet the requirements of the Payment Card Industry Data Security Standard. A chief compliance officer might attest to the accuracy of a report submitted to regulators.
Attestation creates accountability. When someone is asked to confirm, in writing or in a formal system, that they did something, they are more likely to take it seriously. Attestations are often required for audit trails, certification renewals, or legal filings. In some cases, providing a false attestation can lead to disciplinary action or legal penalties.
Let’s walk through a real-world example. A manufacturing company is certified under the International Organization for Standardization twenty-seven thousand one standard. To maintain certification, department managers must attest that required training has been completed, policies have been reviewed, and access logs have been checked. These attestations are documented and included in the company’s internal audit file. During a certification renewal review, the auditor requests proof that controls are being followed. The company produces the signed attestations. As a result, the audit proceeds quickly and without issue. The attestation process proved that policies weren’t just written—they were being followed.
Acknowledgement, while similar to attestation, usually refers to confirmation that a person has received, read, or understood a specific policy or document. It is often used in training, onboarding, or policy updates. For example, when a new employee joins a company, they may be asked to sign an acknowledgement form confirming they read and understood the acceptable use policy. If the policy changes later, they may be asked to re-sign the acknowledgement.
This is a simple but powerful tool. If a user later violates the acceptable use policy, the signed acknowledgement form can serve as evidence that they were informed of the rules. It supports disciplinary processes and helps demonstrate organizational compliance in investigations or audits.
Acknowledgements are also used for awareness campaigns. For example, after a phishing training session, employees might be asked to acknowledge that they completed the course and understand the risks of social engineering. This shows that the organization is taking reasonable steps to educate users—a critical part of compliance with many cybersecurity frameworks.
Attestation and acknowledgement are both about documentation—but they serve slightly different purposes. Attestation verifies that something was done. Acknowledgement verifies that something was received or understood. Both are important, and both contribute to a defensible compliance posture.
As you study for the Security Plus exam, remember that due diligence happens before a decision, and due care happens after it. Attestation means confirming actions or facts. Acknowledgement means confirming awareness or receipt of a policy. These distinctions are likely to appear in scenario-based questions that require you to match a behavior or document to the correct term.
Here’s a tip: if a question describes pre-contract reviews or vendor evaluation, think due diligence. If it mentions system patching or staff training, you’re likely dealing with due care. If someone signs a form confirming they performed a task, that’s attestation. If they sign to confirm they received a policy, that’s acknowledgement.
For attestation templates, due care checklists, and downloadable training acknowledgement forms, visit us at Bare Metal Cyber dot com. And for the most complete and trusted Security Plus study resource available, head to Cyber Author dot me and get your copy of Achieve CompTIA Security Plus S Y Zero Dash Seven Zero One Exam Success.