Information Technology Outsourcing (ITO) is the common business practice of outsourcing the delivery of Information Technology (IT) scopes to external suppliers. During the past two decades, ITO has grown significantly and has also become an established field of research. With rapid innovations in IT, information security is an increasing concern, as new risks are emerging in ITO that have not been explored by earlier studies. This paper highlights the insufficiency of knowledge on this topic and investigates the need for information security risk management (ISRM) in ITO. It aims to create an ISRM framework for ITO, which will contribute to knowledge and help businesses improve their ITO strategy and their resilience against information security risks.