What's the difference between "Due Care" and "Due Diligence"?

Question

Can someone please explain the difference between "due care" and "due diligence"? They seem very similar to one another and after researching more and more, I'm getting confused.

One tech book described it like this:

Due care is using reasonable care to protect the interests of an organization. Due diligence is practicing the activities that maintain the due care effort. For example, due care is developing a formalized security structure containing a security policy, standards, baselines, guidelines, and procedures. Due diligence is the continued application of this security structure onto the IT infrastructure of an organization. Operational security is the ongoing maintenance of continued due

And yet, other online resources have described it like this:

Due diligence is performing reasonable examination and research before committing to a course of action. Basically, "look before you leap." In law, you would perform due diligence by researching the terms of a contract before signing it. The opposite of due diligence might be "haphazard" or "not doing your homework."

Due care is performing the ongoing maintenance necessary to keep something in proper working order, or to abide by what is commonly expected in a situation. This is especially important if the due care situation exists because of a contract, regulation, or law. The opposite of due care is "negligence."

and still another person online phrased it as:

Due Diligence: Performing the necessary research
Due Care: Performing the actions identified as necessary from due diligence

These definitions all seem to be a little different from one another. Help?

Answer 1

The issue is somewhat complicated by the fact that "due diligence" has a distinct, legal meaning in contract law, but since OP added the CISSP tag, I'll confine this answer to the usual meaning in that context.

Simply put "due diligence" is what you know, and "due care" is what you do. Absence of "due care" might open you or your company to legal consequences (e.g. not following the law about data protection) while absence of "due diligence" would be more likely to open you up to making a bad decision or business deal.

"Due diligence" can also cover the verification (knowing) that "due care" actions have been carried out. This is where most folks get confused. The point is, "diligence" is about knowledge. Knowledge of right- or wrong- doing (care). Have you done your research? Do you know where your assets are? Are your policies being followed? Answering those questions are all "due diligence."

"Due care" covers activities like following the policies, applying the patches, encrypting the data as required by law.

Frequently the data custodians are more concerned with exercising "due care" in handling data. Data owners, and management, are frequently more concerned with "due diligence" (e.g. are the policies being followed, and has 'due care' been exercised when handling data).

With these ideas in mind, you can re-read the examples cited above, and perhaps they will make a bit more sense together.

It can be a subtle distinction, but its an important one.

Full disclosure: I've only had my CISSP for about five months. I don't claim my answer is perfect.

Answer 2

I like @JesseM's response above and have accepted it as the answer for this question. That being said, I wanted to post one more response that I just found recently in a test prep book:

Due care is using reasonable care to protect the interest of an organization. Due diligence is practicing the activities that maintain the due care effort.

For some reason, that resonates well with me.

Answer 3

I'm currently writing a manual, and I have been doing my research on the distinctions between the terms.

It's true, there are conflicting opinions and definitions, so much so that, for my purposes, I consider them terms of art, and will say so as I present my material.

That said, I see them as feedback loops, and will conceptualize them as such for best practice--diligence (gathering relevant and sufficient information with which to best act); care (implementing best act(s)) in a timely, complete, and compliant manner; back to diligence (monitoring and measurement)

I am well aware that this may not be the 'classical' definition; but after much reading, there doesn't seem to be a standard definition, particularly between disciplines.