Client profile
A mid-size organization undergoing digital transformation outsourced a critical information service to a third-party IT provider. The service involved access to sensitive business and customer data and was essential to daily operations.
The risk
During the pre-contract phase, we identified a high Information Security Risk related to the third party’s handling of confidential information. The risk concerned the potential unauthorised disclosure, corruption, or loss of data due to insufficient security and privacy controls at the vendor level. Given the criticality of the service, the potential impact was assessed as high, with reputational damage, regulatory non-compliance (e.g. GDPR), and operational disruption as key concerns.
The TPRM approach
Using a structured Third-Party Risk Management (TPRM) approach, the PACT team performed a data-driven risk assessment based on likelihood and impact, creating a clear risk prioritisation. Information security controls, data protection measures, and incident response capabilities were reviewed before contract signature. The risk function worked closely with sourcing, legal, and IT stakeholders to ensure that security expectations were explicitly defined and measurable throughout the contract lifecycle.
Risk mitigation measures
To mitigate the identified risk, the client implemented preventive measures including:
- Mandatory data protection and confidentiality clauses in the contract
- Clear audit and reporting rights regarding information security controls
- Defined responsibilities for incident management and breach notification
- Ongoing monitoring of the vendor’s security posture during service delivery
These measures significantly reduced the likelihood and impact of a potential security incident.
The outcome
By embedding TPRM into its information services sourcing process, the client strengthened control over third-party risks while maintaining agility in its digital transformation. The organization achieved improved resilience, regulatory confidence, and greater assurance over the protection of sensitive information—demonstrating how proactive TPRM enables growth while reducing exposure to critical information security risks.
Is your third-party risk under control?
Talk to our experts
