IT security outsourcing is the establishment of a contractual relationship with an outside vendor to assume responsibility for one or more security functions. Whereas Information System (IS) outsourcing generally has been thoroughly examined in the theoretical literature little or no attention has been paid to system security in this regard. This paper examines a body of data, which has been collected to build a Soft System Methodology (SSM) model and considers it in relation to the popular theory.