Choosing the right outsourcing service provider is no easy decision. For this reason the German Federal Office for Information Security (BSI) has issued a guide to selecting the right service provider (https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKataloge/Inhalt/_content/m/m02/m02252.html). You can divide the search for the right outsourcing service provider into three steps: define your own requirements, select an offer and negotiate the contract. The last step can also be partly seen as the offer negotiation before the final selection of a provider.
Before you begin to contact potential outsourcing service providers, it is useful to internally set up a requirement profile. The BSI recommends basing it on specifications. The requirement profile should contain the following:
A description of your outsourcing project, as detailed as possible, including the task requirements of the service provider
The key figures that you will use to measure the performance and quality of the service provider
What you expect from this step.
In addition, you should also consider how you imagine the collaboration should take place. The requirement profile can then help you ask about the important points when requesting proposals. And if you put your project out to tender, the requirement profile can be used as the basis for the invitation to tender.
When you get in touch with an outsourcing service provider, you should consider if you would like to use a non-disclosure agreement during the offer negotiations. This can be important if your internal security mechanisms are a critical part of your business performance and must not reach a third party. Ultimately you need to talk to your service provider about security measures for data exchange.
If you have multiple offers, the following list of selection criteria can help you make a decision:
Reliability – you want to work only with the best, know your data is secure and avoid the risk of bankruptcy. If the provider has an ISO 27001 or ISO 9000 certification, that would also be helpful. You can also ask them where their servers are located. It is good if they are at different external locations, as this means your data will be safe from events such as fire. If the outsourcing service provider is prepared for worst-case scenarios (what can happen, when and where, and what to do), you can assume that they have a comprehensive security concept.
References – check the provider’s previous clients. If they have already completed many projects in their industry, this shows experience. There could also be conflicts of interest if the outsourcing service provider also works for the competition. Look for customer reviews and ratings on benchmarking portals.
Scalability – while smaller companies can run the risk of bankruptcy, larger companies should bear in mind that they have many clients and projects, and individual customers are often of no consequence. Complete outsourcing of IT should be given to a large outsourcing service provider. Selective outsourcing, as often happens in small and medium-sized enterprises (SMEs), is often better off in the hands of small, specialized providers. They understand the requirements and wishes of SMEs due to their own size.
Transparency – make sure your provider gives you a fixed contact and gives you the feeling that they are answering your questions openly and honestly. Ask about the qualifications of the employees and the representation provisions. For example, if you hire a developer in India through an outsourcing service provider in Europe and the developer becomes ill, who will take over their work? Ask about availability. Is there continuous support at all times on all days of the week? For providers abroad there are often special regulations that must be observed, for example, spying risks and foreign legislation. It is easier to look for a European-based contractor.
It is often useful to give a small project to the potential outsourcing service provider. If you are then satisfied with the cooperation, you can extend it.
In a contract with an outsourcing service provider you should clearly outline the verifiable obligations of the provider. Make sure that the contract contains your individual customer needs and the required services.
Specify who will assume the tasks, which measures should be taken to protect your data, and the measurement criteria for quality and performance.
If you want a long-term cooperation, pay attention to expansion possibilities and, if necessary, to the special conditions in the contract. And if the service provider develops their own systems, also consider necessary interfaces to your existing systems.
Documentation and maintenance should also be considered. Create service level agreements (SLAs). The duty of cooperation and confidentiality rules should also be laid out in writing.
Language barriers can arise during the drafting of the contract with foreign outsourcing service providers, especially when it comes to detailed problems. A German and English speaking partner is then incredibly helpful.
Finally, a contract with an outsourcing service provider should also include an exit strategy. What happens when the contract is terminated? What is the handover like?