Обзор ISO 37500-2014 Guidance on outsourcing

Обзор ISO 37500-2014 Guidance on outsourcing
Начал изучать стандарт ISO 37500-2014 "Guidance on outsourcing", как это понятно из названия, он про аутсорсинг, но рассматривает лишь самые верхнеуровневые и общие вопросы. 
"This outsourcing guidance can help organizations to identify the business case for outsourcing, select the most appropriate partner, transition to the new operating model and make sure that value is delivered through effective governance from the relationship."
"This International Standard:a) covers the entire outsourcing life cycle in four phases and provides definitions for the terms, concepts, and processes that are considered good practice;
b) provides detailed guidance on the outsourcing life cycle, processes and their outputs;
c) provides a generic and industry independent foundation, which can be supplemented and tailored to suit industry-specific requirements;
d) can be used before, during and after the decision is made to outsource;
e) aims to enable mutually beneficial collaborative relationships."
"This International Standard is intended to be used by outsourcing clients, providers and practitioners, such as:
— decision makers and their empowered representatives;
— all stakeholders engaged in facilitating the creation and/or management of outsourcing arrangements;
— staff at all levels of experience in outsourcing."
Что можно найти в документе?

Ну, во-первых, это унифицированные термины:
  • Client - individual or group of organizations entering into an agreement with a provider for products and services for their own use;
  • Outsourcing - business model for the delivery of a product or services to a client by a provider;
  • Outsourcing governance - joint set of structures and processes that are implemented to ensure effective leadership and management, which enables an outsourcing arrangement to achieve its joint objectives within the framework of agreed values;
  • Provider - organization that offers a product or service to a client;
  • Service product - result of activities performed by the provider according to the agreed scope, service levels and client demands;
  • Service catalogue - list of services that an organization provides to its clients or employees;
  • Service level agreement, SLA - documented agreement between the client and provider that identifies services and service targets, including prerequisites for service levels and measures for performance.

Во-вторых, довольно очевидные и простые идеи о ценности аутсорсинга для бизнеса, и новые возможности:

"The benefits of outsourcing can include managing costs, supporting business strategy, accessing capabilities not available in-house, transfer of risks, increasing development opportunities, obtaining flexibility and scalability."

"Around the globe, outsourcing is increasingly an opportunity to add value, tap into a resource base and/or mitigate risk."

"Outsourcing gives organizations several business opportunities. A client’s decision to outsource is typically not driven by a single reason. The following list gives the main reasons why organizations outsource:
a) to manage costs;
b) strategy changes: sometimes an organization redefines its business on what to create internally and what may be provided externally: processes formerly executed internally become eligible for outsourcing;
c) access capabilities that are not available in-house;
d) transfer risks: especially in volatile markets clients may transfer risks by increasing the share of variable cost, e.g. by transferring assets and/or staff benefitting from flexibility and scalability on the provider side."

"The outsourcing process typically starts when the leadership observe an outsourcing opportunity, such as the following:
  • it is clear that current in-house services are too expensive, underperforming, below benchmark levels or provide insufficient opportunities for scalability;
  • an organization is developing a new service with unique specifications and the organization does not have the internal competencies, time, budget or desire to do so: as a consequence, the organization intends to outsource development and delivery to an external provider;
  • if the current provider is delivering services but not meeting agreement terms;
  • current delivery is not or no longer in line with the organization’s strategy and goals;
  • if the outsourcing contract is approaching its expiration date."

А вот еще простая модель про контекст аутсорсинга: 

В-третьих, помимо возможностей аутсорсинга, в стандарте подробно рассматриваются еще и риски: Absence of a strategy, Poor understanding of environment dynamics, Blind focus on cost reduction, Underestimated business impact, Poor cultural compatibility, Poor understanding of the process, Poor relationship management.

В-четвертом, и самое главное, в документе приведена модель жизненного цикла аутсорсинга:
Детальный разбор всех стадий и является основной смысловой частью стандарта. Для каждой рассматривается ее назначение, основные активности, ключевые факторы успеха, основные входы и выходы. 

Ну, и, в-пятых, в документе еще много приложений, хотя большая часть абсолютно бесполезные... Хотя стоит обратить внимание на типовые риски каждой из стадий цикла:
И примеры глав/положений в соглашении между клиентом и провайдером:
 Вот как-то так. 
Alt text

Баги в софте могут влиять на судьбы заключенных в тюрьмах, недобросовестные полицейские находят слабые места в копирайт-защите соцсетей. Смотрите новый выпуск на нашем Yotube канале

Andrey Prozorov

Информационная безопасность в России и мире