PhD Thesis

Several sources of constraints, such as business, financial and legal, can lead organisations to outsource some of their IT services. As a consequence, different security risks may be introduced, such as confidentiality, integrity and availability risks. Analysing and managing the potential security risks in the early stages of project execution allows organisations to avoid or mitigate the impact of these risks. Several organisations have adopted ISMS standards and frameworks in an endeavour to manage the security risks of outsourced IT projects. In this thesis, existing ISMS standards and frameworks have been reviewed and analysed to assess their ability to manage the security and compliance risks of outsourced IT projects effectively and to satisfy their security needs. The review reveals that existing ISMS standards and frameworks offer only general security recommendations and do not account for variation in security requirements from one organisation to another. There is also a lack of adequate guidance for implementing or complying with these standards and frameworks, and they are not designed to manage the security and compliance risks of outsourced IT projects. To overcome these weaknesses, a new framework has been introduced. The framework is a structured approach designed to manage variation in security requirements and to provide a methodology that guides organisations through security management and implementation. The framework was evaluated using several evaluation methods, including a focus group, a questionnaire and a case study, which were also used to generate recommendations and suggestions for improvement. The evaluation results confirmed that the framework provided the participants with an effective approach for managing security and compliance risks in the outsourcing context. It was understandable, easy to use, and independent of constraints such as project size, cost or execution time. The framework is now ready to be put into practice by organisations that intend to outsource their IT services partially or totally.