Offshore Outsourcing: A Risk Management Perspective
Offshore service providers help IT departments cut costs and tap into specialized skills; however, security risks abound, and regulatory compliance remains a factor as well.
Organizations need to develop a strategy for understanding and managing these risks, which are dynamic and fluid. There is an inverse relationship between the degree of control and ownership and the amount of risk: the risk associated with outsourcing increases as the degree of ownership and control over business processes diminishes. That said, risks can be effectively managed with governance programs and with program management offices that provide oversight and management of all elements of the outsourcing initiative. Whether outsourcing a specific function or a range of operations, attention must be paid to ensure that all aspects of the decision are analyzed and documented. Various outsourcing lifecycles for managing outsourcing initiatives have emerged as organizations increasingly participate in outsourcing activities. Nearly all of them share a common theme: information security controls need to be part of any and all outsourcing activities.
Information security professionals often speak of an "information security outsourcing lifecycle." This approach to outsourcing, that is, examining the lifecycle from an information security practitioner's perspective, is typically not adopted by most organizations, since the decision to outsource is a business decision driven by a focus on cost savings, not necessarily risk management. Instead, a more effective approach to ensuring that information security risk is addressed is one in which information security practitioners integrate their requirements and recommendations into the "business" outsourcing lifecycle process.
The likelihood of an organization following a methodical and logical process to manage its outsourcing/off-shoring efforts depends on the organization's maturity in this space. Most organizations do not have a formal, documented process for managing outsourcing/off-shoring. And generally, information security professionals are not engaged, if they are engaged at all, until well into the process.
Retro-fitting information security controls into an existing outsourced/off-shored agreement is extremely costly. To manage that cost, organizations are increasingly searching for best practices and adopting an outsourcing/off-shoring lifecycle: a series of methodical steps which, if followed, can streamline the process of engaging a third party to provide services for an organization.
The lifecycle outlined below represents a common-sense view to help manage the complexities associated with outsourcing. Although there is no "one size fits all" solution for effectively managing outsourcing initiatives, following the steps while customizing them to suit the organization's particular culture may lead to effective outsourcing.
The Outsourcing Lifecycle has four overarching stages, each with its own series of actions: Preparation, Implementation, Operation and Review.