S 2.252 Choice of a suitable outsourcing service provider
Initiation responsibility: Head of IT, Top Management, IT Security Officer
Implementation responsibility: IT Security Officer, Head of IT, Top Management
When choosing a suitable outsourcing service provider, a requirements profile that is as detailed as possible, and a requirements specification based on it, are critical factors for success. This is the only way to ensure that the request for tenders reflects the actual needs and that suitable service providers respond to it.
The request for tenders should contain the following:
- a description of the outsourcing project (description of tasks and division of tasks)
- a description of the requested quality level, which does not necessarily need to correspond to the level at the client
The following must be communicated in detail to the potential service providers, in addition:
- the requirements regarding the information security, and
- the criteria for measuring the service quality and security
(see S 2.251 Specification of the security requirements for outsourcing projects). In individual cases it may be necessary to release the detailed requirements regarding security to the service providers only in exchange for a non-disclosure agreement since they contain information on existing or planned security mechanisms.
The requirements profile depends greatly on the type of the outsourcing project. Important general evaluation criteria for the service provider and its personnel can include:
Requirements for outsourcing service providers
- In the case of foreign service providers, special aspects need to be taken into account. These include, for example: foreign legislation, different liability regulations, the risk of espionage, a different security culture, and which security mechanisms are permitted by the local legislation and can therefore actually be used in the partner company.
- The size of the service provider may be an argument when making a choice. Smaller companies may pose a higher risk of insolvency. In the case of larger companies, it must be taken into account that they have a large number of clients and projects, so that an individual client is only one among many and does not hold a preferred position.
- The service provider should be able to provide references for similar outsourcing projects. Attention should be paid to potential conflicts of interest due to business relationships with competitors of the client and to the independence from certain manufacturers (e.g. suppliers who are competitors of the client).
- The references should also be examined, at least on a random basis. This means that the contacts from similar projects named in the references should be contacted to obtain information on the project performance from the point of view of that client.
- The organisational form of a service provider may be taken into account as this may affect the limits of liability, for example. Research should be done regarding the ownership structure in order to clarify potential influencing factors in advance.
- The client structure should be taken into account, as it indicates in which industrial sector the provider's strengths lie.
- A quality assessment and/or certification, e.g. according to ISO 27001 based on IT-Grundschutz or ISO 9000, is a reasonable requirement.
- Information on the current economic situation and expectations regarding the future business development of the service providers should be obtained.
Requirements for employees
Various requirements should also be placed on the employees of a service provider (see also S 2.226 Procedures regarding the use of outside staff and S 3.33 Security vetting of staff).
- The qualification of the employees must be included in the evaluation of the offers. After the project has been commissioned, it must be checked whether the employees named in the offer are actually the ones deployed later on.
- The number of employees available must be evaluated. Substitution arrangements and working hours should also be examined.
- When choosing foreign partners, a common language must be specified for communication between the client's own employees and those of the service provider. In this context, it should also be examined whether the existing language skills are sufficient for clarifying detailed problems. Experience has shown that many people prefer to remain silent on important questions if they consider their language skills to be less than perfect.
- Depending on the security level required for the outsourcing project, the evaluation of the offers should take into account whether security vetting of the employees has already been performed and/or whether such vetting can be carried out.
Review questions:
- Does a requirements profile which contains the security requirements for the outsourcing project exist for choosing the outsourcing service provider?
- Have evaluation criteria for the outsourcing service provider and their personnel been specified based on the security requirements of the outsourcing project?