1. Know what you're outsourcing. Assess internal controls and policies and decide what level of risk management needs to be extended to the outsourced process (more, less, equal and so on). Remember that most accountability and almost all reputational risk cannot be outsourced. The Veterans Administration didn't directly lose patient insurance data in August 2006, their subcontractor Unisys didbut the VA was the one affected.
 
2. Understand risks and dependencies. Learn about regulations and compliance controls of the country, financial stability, geographic risks (flood zone, power grid stability) and legal recourse options.
 
3. Assess outsourcer's risk management level. Review outsourcer's policies and procedures as well as any key audit findings (for example, SAS70 Type II, BS7799/ISO27001 cert, and so on). For application outsourcing, review the outsourcer's SDLC and how code and application testing is performed.
 
4. Ask about training and background checks of personnel. Assess experience level of employees. Look for checks of any past criminal behavior.
 
5. Ensure data is protected appropriately. Review access control policies and technologies to ensure only authorized access to data and systems, review physical and virtual separation controls, restrict outsourcing by outsourcing, review data lifecycle management processes and encryption procedures (creation, storage, destruction).
 
6. Request transparency for monitoring and controlling data and services housed at outsourcing vendor. Here's some to consider: Daily or weekly reporting and audit log reviews, remote admin rights to monitor log files.
 
7. Create clear and explicit service-level agreements (SLAs) and have legal review them. Reserve "right to audit" (physical/logical) clauses, escalation path and altering process, quantify remuneration for data loss or service down time.