We're a software development team of 3 persons. 2 of the persons are hired directly as employees in our company but the third developer is hired through his own company, which means that legally he is a 3rd party. BUT he only works with us for the time being, being supervised by the two other developers and in every other way working as if he was practically hired directly by us in our company. Is this considered "Outsourced development"? I mean it's not like we've engaged a large company to do the development for us. The only difference is that he is sending invoices to get paid while the two other developers are getting their salary as employees.
So - is a developer hired as a consultant considered outsourced development?
Addition: In general many of us (including myself acting as Compliance Officer) are engaged via our own companies and invoicing for our salary instead of being hired directly by the company. In all other aspects we're the same as the employees - should we treat ourselves as 3rd parties or employees? I mean in terms of security awareness training, confidentiality statements etc.
From an ISO 27001 point of view, when a person works full-time for a company, and the company controls all aspects of his/her work, then this person can be considered as part of the scope - not as a third party.
Alright thanks. But legally I guess we would have to treat him as a third party, right? I mean we have a Third-Party Confidentiality Statement and we have an Employee Confidentiality Statement. Legally it would not make sense to treat a person engaged through his own company as an employee in this aspect. Do you agree?
Yes, legally you have to treat this person as an employee of a third party, but even then you can require of this third party that their employees follow the internal rules (policies and procedures) of your own company.