Security when outsourcing: concepts, constructs, compliance

As the ownership and management of information technology (IT) is increasingly put out to contract, information security turns out to be an essential issue to address in any outsourcing process. The authors analyse present concepts for both the demand side and the supply side of the market for external facilities management. They propose a cyclic approach related to British Standard 7799 that allows the service provider and his client to define their respective responsibilities clearly in a formal security agreement, which forms part of the general agreement between the two parties. Such a security agreement stems from an assessment of the client’s IT environment; compliance with the security agreement is tested by a formal review to be conducted by an impartial evaluator.