Advisory

Your Investor Just Asked About Your Security Posture in Due Diligence. What Now?

Muhammad Waleed, Lead Consultant, Pixelette Certified

The term sheet is signed. The diligence pack is being assembled. And the investor's diligence team has just sent over their data security and information governance questionnaire. You are not at the term sheet stage being asked whether you have ISO 27001 in some abstract sense. You are at the diligence stage being asked to evidence your information security controls in front of a fund's operating partners, an external technical consultant, and in many cases a specialist cybersecurity diligence firm hired specifically to review the security posture of every Series B and later target. This is a different question to the procurement questionnaire. The investor is not buying your service. They are pricing the risk of owning your equity for the next five to seven years.

Three structural shifts in the last 36 months explain why investors care about security now. First, LP pressure: Limited Partners in venture and growth funds increasingly require fund managers to evidence security and AI governance diligence at the portfolio level. Second, post-investment cost of breaches: funds have learned, expensively, that a breach at a portfolio company in year one of investment can wipe 30 to 60 percent off the next valuation event. Third, conditions precedent enforcement: funds increasingly use security findings to negotiate down valuations or impose conditions precedent in the share purchase agreement. "The company shall achieve ISO 27001 certification within nine months of completion" is no longer a footnote. It is a cost the founder pays with founder time and consultancy fees during the most operationally intense period of the company's life.

Investor security diligence questionnaires are typically more sophisticated than enterprise procurement questionnaires. They are structured around five themes:

1. Governance and accountability: who owns information security at the executive level, what the reporting line to the board is, and how often the board receives a security update.
2. Risk management: whether you maintain a risk register, how frequently it is reviewed, and what your risk appetite statement says.
3. Controls and evidence: whether you hold ISO 27001, your last penetration test report with remediation evidence, and your incident log for the last 24 months.
4. Compliance and regulatory exposure: GDPR evidence, sector-specific regulation, and cross-border data transfer mechanisms.
5. Resilience and continuity: RTO and RPO for critical services, your last business continuity test, and your cyber insurance position.

If you do not hold ISO 27001 at the time of the diligence, investors will accept three substitutes, in decreasing order of credibility. First, a contracted ISO 27001 implementation in flight: a signed engagement letter with a credible UK consultancy, a documented project plan, and a target Stage 2 audit date. This demonstrates the trajectory and gives the fund's diligence team something concrete to point at in their committee paper. Second, equivalent independent assessment: a SOC 2 Type II report, a recent independent penetration test with full remediation evidence (scope, test date, findings and retest results, not just the original report), and a documented internal information security framework aligned to a recognised standard. Third, a credible plan with named accountability: a documented intent to certify with a named consultancy partner and a timeline that completes before the next funding event. What investors will not accept: "We follow industry best practice," "Our cloud provider handles security," or "It's on our roadmap."

If the diligence questionnaire landed this morning and the round closes in three weeks, you have two parallel workstreams to run. Workstream 1: answer the questionnaire honestly and comprehensively, providing evidence where you have it and acknowledging gaps where you do not. Give every acknowledged gap an owner and a target date; an unowned gap reads as a finding, an owned one reads as a plan. Do not bluff. Diligence teams cross-check answers against artefacts, and they will catch the bluffs. Workstream 2: sign an implementation engagement this week. The single most material change you can make to your diligence pack between Monday and Friday is to convert "we do not currently hold ISO 27001" into "we have appointed an implementation partner, with kickoff this week and a Stage 2 audit scheduled for a specific date." That single sentence shifts the diligence narrative from a finding to a remediation plan.

Founders who certify ahead of a fundraise close on cleaner terms. The diligence questionnaire becomes a routine box-ticking exercise rather than a remediation negotiation. Conditions precedent disappear. Valuation discussions stay focused on commercial metrics. Founders who certify under diligence pressure pay twice: once for the certification itself, and once in the negotiating leverage they hand to the fund by being mid-remediation during the closing process. If you are 6 to 12 months from a fundraise and you do not yet hold ISO 27001, the optimal time to start the project is now, not later.
