VOICECOM

Control of Outsourced Processes

Internal document
 Procedure Ref : PO-DSIXXX
Version : 0.1
Control of Outsourced Processes Date : 26/09/2020
Page : 2/3

Public Internal Confidential Top Secret

1 Introduction
2 Scope
This procedure sets out how VOICECOM identifies and controls outsourced processes that
may pose a threat to our information security.

3 Revision History
Revision Date Record of Changes Approved By
0.1 09.26.2020 Initial Issue

4 Control of hardcopy versions

The digital version of this document is the most recent version. It is the responsibility of the
individual to ensure that any printed version is the most recent version. The printed version
of this manual is uncontrolled, and cannot be relied upon, except when formally issued by
the <Document Controller> and provided with a document reference number and revision in
the fields below:
Document Ref. Rev. Uncontrolled Copy X Controlled Copy

5 References
Standard Title Description
ISO 27000:2014 Information security management systems Overview and vocabulary
ISO 27001:2013 Information security management systems Requirements
ISO 27002:2013 Information technology - security Code of practice for information security
techniques controls
ISO 19011:2011 Auditing Management Systems Guidelines for auditing

6 Definitions
 an “outsourced process” is a process that is required by VOICECOM, but which
VOICECOM chooses to have performed by an external party

 “staff” and “users” means all of those who work under our control, including
employees, contractors, interns etc.

 “we” and “our” refer to VOICECOM

7 Responsibilities
The <ISMS Manager> and the <Purchasing Manager> are jointly responsible for all aspects
of the implementation and management of this procedure unless noted otherwise.

Control of Outsourced Processes Page 2 of 3

 Procedure Ref : PO-DSIXXX
Version : 0.1
Control of Outsourced Processes Date : 26/09/2020
Page : 3/3

Public Internal Confidential Top Secret

Managers and supervisors are responsible for:

 the implementation of this procedure within the scope of their responsibilities

 informing the <ISMS Manager> about any processes they wish to outsource which
may have implications for information security

 agreeing appropriate controls with the <ISMS Manager>

 implementing the agreed controls

 ensuring that all staff under their control understand and undertake their
responsibilities accordingly.

8 Control of Outsourced Processes

We ensure that outsourced processes that may pose a threat to the information security of
our business are properly identified and controlled.
An ISMS Outsourced Process Register is maintained by the <ISMS Manager>.
When a proposal is made to outsource a new process, which may have implications for
information security, the responsible manager informs the <ISMS Manager> and discusses
the need for any information security related controls.
The <ISMS Manager> determines if the proposed outsourcing poses any threat to
information security and, where a threat is identified, an agreement is reached between the
responsible manager and the <ISMS Manager> on the controls to be implemented.
The <ISMS Manager> ensures that the new agreement is recorded on the ISMS Outsourced
Process Register.
The responsible manager ensures that the agreed controls are implemented and
maintained.
Note that the need for placing information security controls on an outsourced process, may
also be identified during internal / external audits.

9 Records
Records retained in support of this procedure are listed in the ISMS Controlled Records
Register and controlled according to the Control of Management System Records
Procedure.

Control of Outsourced Processes Page 3 of 3