S 2.252 Choice of a suitable outsourcing service provider

Initiation responsibility: Head of IT, Top Management, IT Security Officer

Implementation responsibility: IT Security Officer, Head of IT, Top Management

When choosing a suitable outsourcing service provider, a requirements profile that is as detailed as possible and a requirements specification based on it are critical factors for success. This is the only way to ensure that the request for tenders meets the actual needs and that suitable service providers respond to it.

The request for tenders should contain the following:

In addition, the following must be communicated in detail to the potential service providers:

(see S 2.251 Specification of the security requirements for outsourcing projects). In individual cases, it may be necessary to release the detailed security requirements to the service providers only in exchange for a non-disclosure agreement, since they contain information on existing or planned security mechanisms.

The requirements profile depends greatly on the type of the outsourcing project. Important general evaluation criteria for the service provider and its personnel can include:

Requirements for outsourcing service providers

Requirements for employees

Various requirements should also be placed on the employees of a service provider (see also S 2.226 Procedures regarding the use of outside staff and S 3.33 Security vetting of staff).

Review questions: