More of often then not, the contractual agreements between assessor and client and client and service provider together with a “third party waivers” or similar documents do not cover everything that the three parties want to commonly agree upon. After reviewing quite a number of these documents, I decided to write a template agreement (which can be downloaded below) for exactly this situation. This document is not a replacement for the agreement between the client and the assessor, but as an additional agreement between all three parties.

Madison Gurkha and ITsec have both reviewed and contributed to this agreement and we will use it in our future dealings.

The agreement covers the following topics.

Scope of the assessment:

• What will be tested?
• When will the test take place?
• What kind of tests will be conducted?

Contractual agreements:

• Does the assessor have a contract with the client?
• Does the client have a contract with the service provider?

Legal liability:

• Do both the client and the service provider waive prosecution of the assessor?

Risks:

• Are all parties aware of and agree to the risks of a security assessment?

Practical matters:

• The client requests the service provider to support the assessment
• Who are the points of contact?
• Where will the assessment take place?
• How will the results be reported?

Confidentiality:

• All parties agree to confidentiality

The agreement template is released without any reservations of rights. This means you can use and adapt this agreement as you see fit, but completely at your own risk.

You can download the agreement here:

• Security Assessment Agreement Outsourcing v1.0 (Word document)
• Security Assessment Agreement Outsourcing v1.0 (PDF)

I would like to thank the following people for their contribution:

• Madison Gurkha: Hans van de Looy and Arjan de Vet
• ITsec: Tjerk Nan and Jan van Ek
• Fox-It: Mark Koek
• Arron Finnon (aka @f1nux)
• Colin McLean
• Robert Ladyman