The business benefits that can be achieved have dominated the considerations as to whether or not to outsource information systems (IS). Very little attention appears to have been given to the compromises in IS security and control that follows such a move. Evaluates the loss in IS security and control when IS outsourcing occurs and proposes a new security framework for such a situation. Under IS outsourcing the emphasis changes from the physical protection of assets to the recovery of these resources, and application controls become less important relative to general controls. To be successful, the security and control framework for IS outsourcing needs to be integrated into the broader relationship that exists with the outsourcing vendor.