If you need an independent set of standards, then ISO/IEC 27002:2005, the Code of Practice for Information Security, is a good place to start. The information security guidelines and principles can be used as a checklist to determine the weaknesses in a company's general security posture.
You also need to ensure the contract gives you the right to audit and penetration test the infrastructure, processes and procedures.
If your proposed outsourcing partner is not able to respond proactively when you talk about security and audits, then you may wish to look elsewhere.