What is due diligence versus due care in information security?

Due diligence is the process of researching, understanding, and assessing risks before making decisions, essentially doing your homework. It involves identifying threats, evaluating controls, and understanding legal requirements. Due care is the ongoing implementation and maintenance of reasonable security measures based on what due diligence revealed, essentially acting responsibly. A company that conducts a risk assessment performs due diligence. A company that implements and maintains the controls identified by that assessment practices due care.