S 2.475 Contractual arrangements when appointing an external IT security officer
Initiation responsibility: Top Management
Implementation responsibility: Top Management
The following information must be taken into account if an external IT security officer is appointed.
Especially in small companies or public agencies, it may be useful not to assign the role of the IT security officer to an internal employee but to use the services of an external IT security officer. First, a suitably qualified expert for information security must be selected for this purpose. Information on the required qualifications and on the function and responsibilities of an IT security officer can be found in BSI-Standard 100-2 and in safeguard S 2.193 Establishment of a suitable organisational structure for information security.
Before an external IT security officer is appointed, a contract must be entered into between the service provider and the organisation which specifies the responsibilities of the external IT security officer and the mutual rights and obligations as precisely as possible. The appointment of an external IT security officer is thus a special form of outsourcing.
The following aspects should be regulated by the contract at a minimum:
- requirements in terms of the qualification of the external IT security officer
- substitution arrangements and minimum resources
- responsibilities the external IT security officer must take on
- reporting and escalation paths, contact people (roles)
- integration in communication channels of the contracting organisation
- workplaces, rooms, and the times during which the IT security officer will be present at the organisation and can be reached
- site access, system access, and data access rights
- rights and obligations to report to the management of the contracting organisation
- the contractor's duties to cooperate
- non-disclosure agreement
- conflicts of interest
- consequences of breach of contract
- provisions for termination of the contract, e.g. handover of responsibilities and documents
- cost
The contract must oblige and enable the IT security officer to fulfil his responsibilities at least as well as an internal IT security officer.
If the services of an external IT security officer are used, module S 1.11 Outsourcing must be applied in addition. Safeguard S 2.226 Procedures regarding the use of outside staff must be followed in particular.
Review questions:
- If an external IT security officer was appointed: Does the service contract entered into for this purpose cover all responsibilities of the IT security officer and the associated rights and obligations?
- If an external IT security officer was appointed: Does the IT security officer have the required qualifications?
- If an external IT security officer was appointed: Does the service contract entered into for this purpose allow for controlled termination of the contract, including handover of the responsibilities to the contractor?
- If an external IT security officer was appointed: Does the service contract entered into for this purpose contain an appropriate non-disclosure agreement?