{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,6]],"date-time":"2026-02-06T21:03:31Z","timestamp":1770411811543,"version":"3.49.0"},"reference-count":28,"publisher":"Emerald","issue":"5","license":[{"start":{"date-parts":[[2006,10,1]],"date-time":"2006-10-01T00:00:00Z","timestamp":1159660800000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.emerald.com\/insight\/site-policies"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2006,10,1]]},"abstract":"<jats:sec><jats:title content-type=\"abstract-heading\">Purpose<\/jats:title><jats:p>This paper seeks to provide an overview of the major technical, organizational and legal issues pertaining to the outsourcing of IS\/IT security services.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-heading\">Design\/methodology\/approach<\/jats:title><jats:p>The paper uses a combined socio\u2010technical approach to explore the different aspects of IS\/IT security outsourcing and suggests a framework for accommodating security and privacy requirements that arise in outsourcing arrangements.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-heading\">Findings<\/jats:title><jats:p>Data protection requirements are a decisive factor for IS\/IT security outsourcing, not only because they pose restrictions to management, but also because security and privacy concerns are commonly cited among the most important concerns prohibiting organizations from IS\/IT outsourcing. 
New emerging trends such as outsourcing in third countries, pose significant new issues, with regard to meeting data protection requirements.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-heading\">Originality\/value<\/jats:title><jats:p>The paper illustrates the reasons for which the outsourcing of IS\/IT security needs to be examined under a different perspective from traditional IS\/IT outsourcing. It focuses on the specific issue of personal data protection requirements that must be accommodated, according to the European Union directive.<\/jats:p><\/jats:sec>","DOI":"10.1108\/09685220610707421","type":"journal-article","created":{"date-parts":[[2006,10,10]],"date-time":"2006-10-10T09:44:09Z","timestamp":1160473449000},"page":"403-416","source":"Crossref","is-referenced-by-count":20,"title":["A framework for outsourcing IS\/IT security services"],"prefix":"10.1108","volume":"14","author":[{"given":"Maria","family":"Karyda","sequence":"first","affiliation":[]},{"given":"Evangelia","family":"Mitrou","sequence":"additional","affiliation":[]},{"given":"Gerald","family":"Quirchmayr","sequence":"additional","affiliation":[]}],"member":"140","reference":[{"key":"key2022031720111984200_b1","doi-asserted-by":"crossref","unstructured":"Allen, J., Gabbard, D. and May, C. (2003), Outsourcing Managed Security Services Authors, Software Engineering Institute, Carnegie Mellon.","DOI":"10.21236\/ADA412014"},{"key":"key2022031720111984200_b2","unstructured":"Basel II Risk Management Committee of European Banking Supervisors (2005), CEBS CP 10, Guidelines on the Implementation, Validation and Assessment of Advanced Measurement (AMA) and Internal Ratings Based (IRB) Approaches, July."},{"key":"key2022031720111984200_b3","unstructured":"Dammann, U. and Simitis, S. 
(1997), EG\u2010Datenschutzrichtlinie\u2010Kommentar."},{"key":"key2022031720111984200_b4","unstructured":"Deloitte (2005), Calling a Change in the Outsourcing Market, Deloitte Development LLC, April, available at: www.deloitte.com\/."},{"key":"key2022031720111984200_b5","doi-asserted-by":"crossref","unstructured":"Dhillon, G. (1997), Managing Information System Security, Macmillan Press, Basingstoke.","DOI":"10.1007\/978-1-349-14454-9"},{"key":"key2022031720111984200_b6","doi-asserted-by":"crossref","unstructured":"Dhillon, G. and Backhouse, J. (2000), \u201cInformation system security management in the new millennium\u201d, Communications of the ACM, Vol. 43 No. 7, pp. 125\u20108.","DOI":"10.1145\/341852.341877"},{"key":"key2022031720111984200_b7","unstructured":"DTI (2004), Information Security Breaches Survey 2004, Technical Report, Department of Trade and Industry, London."},{"key":"key2022031720111984200_b8","unstructured":"EUDP (1995), \u201cDirective 95\/46\/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data\u201d, Official Journal L 281, November 23 1995, pp. 31\u201050."},{"key":"key2022031720111984200_b9","unstructured":"EUEC (2000), \u201cDirective 2000\/31\/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services\u201d, in particular electronic commerce, in the internal market (Directive on electronic commerce)."},{"key":"key2022031720111984200_b10","unstructured":"European Commission (1998), Handbook on Cost\u2010effective Compliance with Directive 95\/46\/EC, European Commission, Brussels."},{"key":"key2022031720111984200_b12","unstructured":"Goo, J., Kishore, R. and Rao, H. 
(2000), \u201cA content\u2010analytic longitudinal study of the drivers for information technology and systems sourcing\u201d, Proceedings of the 21st International Conference on Information Systems, Brisbane, Queensland, Australia, December 10\u201013, pp. 601\u201011."},{"key":"key2022031720111984200_b13","unstructured":"Goodwin, B. (2004), \u201cCompanies are at risk from staff ignorance\u201d, Computer Weekly, 00104787, January 27."},{"key":"key2022031720111984200_b14","unstructured":"Holvast, J., Madsen, W. and Roth, P. (Eds) (2000), The Global Encyclopaedia of Data Protection Regulation, Kluwer Law International, Looseleaf."},{"key":"key2022031720111984200_b15","unstructured":"Kern, T., Lacity, M. and Willcocks, L. (2002), Netsourcing: Renting Business Applications and Services over a Network, Prentice\u2010Hall, New York, NY."},{"key":"key2022031720111984200_b16","doi-asserted-by":"crossref","unstructured":"Khalfan, A. (2004), \u201cInformation security considerations in IS\/IT outsourcing projects: a descriptive case study of two sectors\u201d, International Journal of Information Management, Vol. 24, pp. 29\u201042.","DOI":"10.1016\/j.ijinfomgt.2003.12.001"},{"key":"key2022031720111984200_b17","unstructured":"Kim, S. and Chung, Y. (2003), \u201cCritical success factors for IS outsourcing implementation from an interorganizational relationship perspective\u201d, Journal of Computing Information Systems, Vol. 43 No. 4, pp. 81\u201090."},{"key":"key2022031720111984200_b18","doi-asserted-by":"crossref","unstructured":"Lacity, M.C. and Willcocks, L. (1998), \u201cAn empirical investigation of information technology sourcing practices: lessons from experience\u201d, Management Information Systems Quarterly, Vol. 22 No. 3, pp. 363\u2010408.","DOI":"10.2307\/249670"},{"key":"key2022031720111984200_b19","doi-asserted-by":"crossref","unstructured":"Nosworthy, J. 
(2000), \u201cImplementing Information Security in the 21st century \u2013 do you have the balancing factors?\u201d, Computers and Security, Vol. 19, pp. 337\u201047.","DOI":"10.1016\/S0167-4048(00)04021-9"},{"key":"key2022031720111984200_b20","doi-asserted-by":"crossref","unstructured":"Palmer, M. (2001), \u201cInformation security policy framework: best practices for security policy in the e\u2010commerce age\u201d, Information Systems Security, May\/June, pp. 13\u201027.","DOI":"10.1016\/B978-187870796-3\/50004-2"},{"key":"key2022031720111984200_b21","doi-asserted-by":"crossref","unstructured":"Rohde, F. (2004), \u201cIS\/IT outsourcing practices of small\u2010 and medium\u2010sized manufacturers\u201d, International Journal of Accounting Information Systems, Vol. 5, pp. 429\u201051.","DOI":"10.1016\/j.accinf.2004.04.006"},{"key":"key2022031720111984200_b23","unstructured":"Sarbanes Oxley Act (2002), H. R.3763."},{"key":"key2022031720111984200_b24","unstructured":"Simitis, S. (Ed.) (2003), Kommentar zum Bundesdatenschutzgesetz, Baden\u2010Baden."},{"key":"key2022031720111984200_b25","doi-asserted-by":"crossref","unstructured":"Siponen, M. (2000), \u201cA conceptual foundation for organizational information security awareness\u201d, Information Management & Computer Security, Vol. 8 No. 1, pp. 31\u201041.","DOI":"10.1108\/09685220010371394"},{"key":"key2022031720111984200_b26","doi-asserted-by":"crossref","unstructured":"Von Solms, B. (2001), \u201cCorporate governance and information security\u201d, Computers and Security, Vol. 20, pp. 215\u20108.","DOI":"10.1016\/S0167-4048(01)00305-4"},{"key":"key2022031720111984200_b27","doi-asserted-by":"crossref","unstructured":"Whitworth, M. (2005), \u201cOutsourced security \u2013 the benefits and risks\u201d, Network Security, October, pp. 16\u201019.","DOI":"10.1016\/S1353-4858(05)70292-0"},{"key":"key2022031720111984200_b28","doi-asserted-by":"crossref","unstructured":"Yang, C. and Huang, J. 
(2000), \u201cA decision model for IS outsourcing\u201d, International Journal of Information Management, Vol. 20 No. 3, pp. 225\u201039.","DOI":"10.1016\/S0268-4012(00)00007-4"},{"key":"key2022031720111984200_frd1","unstructured":"European Commission (2003), First Report on the Implementation of the Data Protection Directive, European Commission, Brussels."},{"key":"key2022031720111984200_frd2","doi-asserted-by":"crossref","unstructured":"R\u00fcling, C. (2005), \u201cPopular concepts and the business management press\u201d, Scandinavian Journal of Management, Vol. 21, pp. 177\u201095.","DOI":"10.1016\/j.scaman.2005.02.010"}],"container-title":["Information Management & Computer Security"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/www.emeraldinsight.com\/doi\/full-xml\/10.1108\/09685220610707421","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/09685220610707421\/full\/xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/09685220610707421\/full\/html","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,25]],"date-time":"2025-07-25T00:08:59Z","timestamp":1753402139000},"score":1,"resource":{"primary":{"URL":"http:\/\/www.emerald.com\/ics\/article\/14\/5\/403-416\/174845"}},"subtitle":[],"editor":[{"given":"Sokratis 
K.","family":"Katsikas","sequence":"first","affiliation":[]}],"short-title":[],"issued":{"date-parts":[[2006,10,1]]},"references-count":28,"journal-issue":{"issue":"5","published-print":{"date-parts":[[2006,10,1]]}},"alternative-id":["10.1108\/09685220610707421"],"URL":"https:\/\/doi.org\/10.1108\/09685220610707421","relation":{},"ISSN":["0968-5227"],"issn-type":[{"value":"0968-5227","type":"print"}],"subject":[],"published":{"date-parts":[[2006,10,1]]}}}