Taking on a new client is a commercial win. It can also carry IT risks your firm hasn’t yet addressed.
Most consultancy firms conduct thorough due diligence on the clients they take on. Commercial teams are reviewed, scope is agreed upon, and risk is assessed. What rarely happens is a structured review of the firm’s own IT posture before that client relationship begins.
When a new client is onboarded, the exposure doesn’t sit with the client alone. It sits with your firm. Their data enters your systems, and their information is handled by your people.
If your IT environment isn’t ready, the risk introduced to them, and to your existing clients, is real and largely invisible until something goes wrong.
This blog looks at what consultancy firms should be verifying on their own side before they take on new work and why most never ask the question.
The Blind Spot in Consultancy Risk Management
Consultancy firms are experienced at identifying and managing risk. It’s a core part of what many of them sell. When it comes to IT risk specifically, the instinct is usually defensive: protecting existing client data, maintaining compliance, responding to incidents.
The pre-onboarding question is more specific. It asks:
- Is our IT environment genuinely capable of handling a new client relationship safely?
- Do we have the controls in place to segregate their data from other clients?
- Can we manage their access securely?
- Do we have the onboarding workflows to do this at pace without cutting corners?
These are questions most firms don’t ask in a structured way. They should.
Why the Risks Are Greater Than Most Assume
Taking on a new client doesn’t just add a folder to your server. It introduces new data, access requirements, communication channels, and compliance obligations, often simultaneously.
If the underlying IT infrastructure isn’t built to absorb that complexity, the risks compound quickly. The areas that create the most exposure include:
- Data segregation: Client data must be logically separated from the outset. Shared drives, group email inboxes, and loosely managed folders are common in consultancy environments, and they create genuine risk when multiple clients' sensitive information sits side by side: one misapplied permission or one misdirected share can expose several clients at once.
- Access controls: New clients typically require access to shared resources, portals, or collaboration tools. Without a clear onboarding process for provisioning and scoping that access, permissions are often granted too broadly and remain in place long after the engagement, or the individual's role in it, has ended.
- Compliance readiness: Some clients will bring specific data handling requirements like sector-specific regulations, contractual obligations, or UK GDPR considerations. A consultancy that hasn’t mapped its own compliance posture can inadvertently take on obligations it isn’t equipped to meet.
- Third-party risk: Consultancy work frequently involves third parties, whether subcontractors, technology platforms, or specialist advisers. Each connection point is a potential vulnerability. If your onboarding process doesn’t account for this, the client bears the consequences of weaknesses that exist in your supply chain.
The 2026 Verizon Data Breach Investigations Report found that third-party involvement in breaches has risen to 48% of all incidents, up 60% year on year.
Consultancy firms sit squarely within that third-party category from their clients’ perspective. The implications of poor IT readiness at onboarding extend well beyond the new relationship.
What Good IT Due Diligence Looks Like Before Onboarding
The goal is to make sure your firm can handle new work without creating risk for the client you’re bringing on or for the clients you already serve. A structured pre-onboarding IT review should cover the following areas:
- Data segregation architecture: Can you guarantee that the new client’s data will be held and handled separately from other clients? This includes file storage, email, communication platforms, project management tools, and any shared infrastructure.
- Access provisioning process: Do you have a documented, repeatable process for setting up client access? This should define what access is granted, to whom, under what conditions, and when it is reviewed and revoked.
- Compliance mapping: Have you understood the data classification and regulatory requirements that come with this client? Different sectors, and different types of engagement, carry different obligations under UK GDPR, the Data Protection Act 2018, and sector-specific frameworks.
- Endpoint and device standards: Are all devices that will be used to handle this client’s data compliant with your security baseline? This becomes more relevant when teams are distributed, using personal devices, or working across client sites.
- Incident response readiness: If something goes wrong, do you have a process for notifying this client? Does your incident response plan account for the specific data types you hold on their behalf?
- Third-party and subcontractor risk: If any aspect of this engagement involves external parties accessing client data, have those third parties been assessed for their own cyber security posture?
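As an added, illustrative example (not part of the original post or of any checklist it refers to), the script below shows how the data segregation and access provisioning checks above can be run mechanically against an export of the firm's own access grants before an engagement starts. It assumes the firm can export grants from its file server, SharePoint, Microsoft 365 or similar into records that carry a client tag saying whose data each resource holds; that tagging scheme, the break-glass exemption for IT admin groups, and all principal, resource and client names are constructed for the example.

```python
"""Pre-onboarding access review for a consultancy's own environment.

Added illustrative example, not code from the original post. It assumes the
firm can export its access grants (file server, SharePoint, M365 or similar)
into records that carry a client tag saying whose data the resource holds.
All records below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Grant:
    principal: str             # user or group that holds the access
    resource: str              # share, site, mailbox or tool the access is on
    client: str                # client whose data the resource holds; "*" = untagged/shared
    review_by: Optional[date]  # when the grant must be reviewed or revoked; None = never scheduled


def cross_client_principals(grants: List[Grant], exempt: Optional[Set[str]] = None) -> Dict[str, List[str]]:
    """Principals able to reach data tagged to more than one client.

    `exempt` lists break-glass or platform-admin groups whose cross-client
    reach is accepted and reviewed separately; it is an explicit exception,
    not a silent one.
    """
    exempt = exempt or set()
    reach: Dict[str, Set[str]] = {}
    for g in grants:
        if g.client == "*" or g.principal in exempt:
            continue
        reach.setdefault(g.principal, set()).add(g.client)
    return {p: sorted(c) for p, c in reach.items() if len(c) > 1}


def untagged_resources(grants: List[Grant]) -> List[str]:
    """Resources nobody has tagged with a client: data ownership cannot be asserted."""
    return sorted({g.resource for g in grants if g.client == "*"})


def stale_or_unreviewed(grants: List[Grant], today: date) -> List[Tuple[str, str]]:
    """Grants past their review date, or never given one."""
    return sorted(
        (g.principal, g.resource)
        for g in grants
        if g.review_by is None or g.review_by < today
    )


def readiness_report(grants: List[Grant], new_client: str, today: date,
                     exempt: Optional[Set[str]] = None) -> List[str]:
    """One finding per line; an empty list means the checks passed."""
    findings: List[str] = []
    for p, clients in cross_client_principals(grants, exempt).items():
        findings.append(f"cross-client: {p} reaches {', '.join(clients)}")
    for r in untagged_resources(grants):
        findings.append(f"untagged: {r} holds data with no client owner")
    for p, r in stale_or_unreviewed(grants, today):
        findings.append(f"unreviewed: {p} on {r} has no valid review date")
    if not any(g.client == new_client for g in grants):
        findings.append(f"missing: no segregated resource provisioned for {new_client}")
    return findings


# Constructed sample export; names, paths and dates are invented for the example.
TODAY = date(2026, 1, 15)
ADMIN_GROUPS = {"grp-it-admins"}
SAMPLE_GRANTS = [
    Grant("grp-acme-team", "fs://clients/acme", "acme", date(2026, 4, 1)),
    Grant("grp-acme-team", "fs://clients/globex", "globex", date(2026, 4, 1)),  # reaches a second client
    Grant("grp-globex-team", "fs://clients/globex", "globex", date(2026, 4, 1)),
    Grant("contractor-x", "fs://clients/globex", "globex", None),               # no review scheduled
    Grant("jdoe", "sp://shared/projects", "*", date(2026, 6, 30)),               # untagged shared site
    Grant("grp-it-admins", "fs://clients/acme", "acme", date(2026, 3, 1)),
    Grant("grp-it-admins", "fs://clients/globex", "globex", date(2026, 3, 1)),
]

if __name__ == "__main__":
    # Checking readiness for a hypothetical new client that has nothing provisioned yet.
    for line in readiness_report(SAMPLE_GRANTS, "initech", TODAY, ADMIN_GROUPS):
        print(line)
```

Run against the sample export, the report lists a team group that can reach two clients' shares, a shared site with no client owner, a contractor grant with no review date, and no segregated resource yet provisioned for the incoming client. A non-empty report before the contract is signed is the "conscious decision about readiness" the process calls for: each finding is either fixed or formally accepted, and admin groups are exempted explicitly rather than ignored.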
The Onboarding Workflow Gap
Alongside the technical controls, there’s an operational question that firms rarely address: does your IT team have visibility of new client onboarding before it happens?
In many consultancy firms, IT is brought in after a client relationship is already established. Access is set up reactively, data handling arrangements are improvised, and the compliance review happens retrospectively, if at all.
Closing this gap requires a simple structural change: IT due diligence becomes part of the pre-contract process. Before an engagement begins, a checklist is completed, gaps are identified, and the firm makes a conscious decision about readiness.
What This Looks Like in Practice
The checklist that accompanies this blog sets out the specific checks a consultancy should carry out before signing a new client.
Each item maps directly to the risk areas covered in this blog, giving your team a practical reference point at the start of every new engagement.
It’s designed to be completed quickly, used consistently, and shared with those responsible for both business development and IT governance.
Download the IT Due Diligence Checklist here: [link to checklist]
The Reputational Dimension
The reputational stakes are straightforward. A breach involving a new client’s data, particularly in the early stages of a relationship, is difficult to recover from.
Clients in management, HR, financial, and strategy consultancy hand over confidential, commercially sensitive data as a matter of course. The firms they choose to work with are trusted precisely because they are expected to handle that data carefully.
Demonstrating that trust through verifiable IT controls, documented processes, and consistent onboarding practice is increasingly what clients expect to see.
Book a Consultation with Adam
If you’re not certain your IT environment is ready to take on a new client safely, that conversation is worth having before it becomes a problem.
Book a consultation with Adam to review your firm’s IT posture and identify any gaps before they create risk for you or your clients.
Frequently Asked Questions
What is IT due diligence for consultancy firms?
IT due diligence for consultancy firms is a structured review of your own IT environment before onboarding a new client, covering data segregation, access controls, compliance readiness, and incident response.
Why should consultancy firms carry out IT due diligence before signing a new client?
Because each new client brings new data, new access requirements, and new compliance obligations. Reviewing your IT posture first ensures you can identify vulnerabilities before they affect the incoming client or those you already serve.
What are the main IT risks of onboarding a new consultancy client?
The key risks are poor client data segregation, overly broad access controls, unmet compliance obligations tied to the client’s sector, and third-party vulnerabilities introduced through subcontractors or external platforms.
How does poor IT onboarding affect compliance under UK GDPR?
UK GDPR requires appropriate technical and organisational measures around personal data (Article 32) and requires the firm to be able to demonstrate them (the accountability principle in Article 5(2)). A consultancy that processes personal data on a client's behalf is also bound by the processor terms in its contract with that client under Article 28. A consultancy that hasn't mapped its compliance posture before signing a new client may take on obligations it isn't equipped to meet.
What should a consultancy IT onboarding checklist include?
It should cover data segregation, access provisioning, compliance mapping, device and endpoint standards, incident response protocols, and an assessment of any third-party risk associated with the engagement.