S 2.307 Well-ordered termination of an outsourcing service relationship
Initiation responsibility: Top Management
Implementation responsibility: Specialists Responsible, Top Management
As a rule, the recommendations in this safeguard can only be implemented if the contract with the outsourcing service provider already handles all issues relevant to the termination of the contract.
If the service relationship is terminated, responsibility for the affected services, for example IT operations, must be returned to the organisation or transferred to another service provider. Precautions must be taken to ensure that the business activities of the organisation do not become impaired at the end of the service contract.
- The transferral to another service provider should be viewed as a new outsourcing procedure. The safeguards in the outsourcing module must be applied accordingly.
- In the case of insourcing, the relevant safeguards from the outsourcing module should be applied accordingly. The same requirements apply to the strategy, IT security concept for insourcing, migration and contingency planning as to those of a "classic" outsourcing procedure.
The following aspects need to be taken into account:
- The rights of ownership to the hardware and software (interface programs, tools, batch procedures, macros, licences, backups) must be settled.
- The continued use of the tools, procedures, scripts and batch programs by the service provider must be regulated in case the service relationship is terminated.
- IT systems, IT applications and workflows must be adequately documented.
- All necessary data must be transmitted or otherwise passed on by the service provider to the customer.
- All data stored at the service provider must be deleted securely.
- Internal or external employees who take over the tasks of the service provider must be instructed and trained accordingly.
- It is recommended to agree contractually to a transition phase in which the former service provider is still available for questions and support.
Review questions:
- Does the contract concluded with the outsourcing service provider also regulate all aspects of the termination of the service relationship?
- Is it ensured that a termination of the service relationship with the outsourcing service provider does not impair the customer's business activities?