Governance, Risk Management, and Compliance blog

IT Risk Management increases your IT outsourcing success

[fa icon="calendar"] Monday, 03 June 2013 / by Jakob Holm Hansen

IT outsourcing can be a highly positive experience.

You outsource your IT operations to someone who has more experience and expertise and can do it more cost-efficiently.

However, for an outsourcing venture to succeed you will need to have a proper information security risk management process in place. One of the better methodologies you can use, to prevent unnecessary risks, is the information security risk management standard ISO 27005.

If your methodology is in place and a security strategy has been laid out and communicated to both your organisation and outsourcing supplier then you have nothing to fear. But when it isn’t done properly it can hurt your organisation.

The 2013 Trustwave Global Security Report had less than positive news on outsourcing. The researchers discovered that of 450 global data breach investigations, 63% were linked to an outsourcing supplier.

The outsourcing supplier responsible for IT system support, development, or maintenance had neglected or introduced security deficiencies that were easily exploitable.

The results are strikingly similar to a report from 2009, commissioned by VanDyke Software and carried out by Amplitude Research. They discovered that sixty-one percent of their 350 respondents, whose organisations outsourced IT jobs, had experienced an unauthorized intrusion between 2007 and 2009.

In comparison, only thirty-five percent of the companies that did not outsource had dealt with unauthorized intrusions.

Don’t worry, take proper measures Don’t let these numbers scare you. There are many highly professional outsourcing suppliers out there.

Most of the issues reported in the above studies are due to miscommunication between organisations and their outsourcing supplier. The blame can therefore not be placed solely with the supplier, but should instead be shared between both parties.

When IT outsourcing is done correctly it can be highly beneficial for both you and your outsourcing supplier. All you have to do is take the proper steps to ensure a secure and rewarding outsourcing experience.

Where to start? Performing a proper risk assessment can inoculate you against a bad outsourcing decision.

First, consider what areas you want to outsource. Then look into what the potential business impact would be if something went wrong, and whether outsourcing makes you more vulnerable.

The more risk involved, the more you need to vet the potential outsourcing supplier. Our platform can help you with this by, among other things, supplying you with questions that you can present to your potential outsourcing partner.

A recognized security standard, such as ISO 27001 for information security, is a good indicator that the outsourcing supplier takes security seriously, but it is never a guarantee.

You’d also want to check who did the accreditation, as there are some “fast-track certifications.” You also want to check out what parts of the business the certification covers.

Next, you’d want to check if they “practice what they preach,” if they don’t your company name may end up all over the six o’clock news.

Building a trusting relationship This process isn’t just a matter of inspecting their business once or twice. This can take weeks or months. You rely on them to manage risk aspects on your behalf. You need to be certain that they are up to the challenge, and that you understand each other.

Building a mutually understanding and trusting relationship can take time and requires a large amount of diligence on both sides. Both parties must take the time to fully cover exactly how this partnership is to go down.

That way you can minimize misunderstandings and potential security issues. Take the necessary steps and you will be on the road to a positive and beneficial outsourcing experience.

Feel free to give us feedback if you found the list useful or not, or if you have any additions.


PS: Click here to follow us on LinkedIn.


Click here to read more about how our GRC platform can benefit your organisation.

Emner: ISO 27001, IT Outsourcing, Information risk management, Threat assessments, Risk assessments, Outsourcing, SecureAware, ISO 27005

GRC blog

The NorthGRC blog offers advice and knowledge of effective information security management, security strategies, risk management, compliance with information security standards and other requirements, business continuity planning, ISO2700x, EU Data Protection Regulation, PCI DSS, etc.

Popular Posts