Information Communication Technology (ICT) Outsourcing provides an effective ways to cut cost, launch new business venture and improve efficiency. Sometimes, ICT outsourcing can lead to an information security risk incident that might be difficult to manage and mitigate. Hence, the objectives of the research are to determine the information security risk factors, consisting of threats and vulnerabilities; and to discuss their criticalness in Malaysian ICT outsourcing projects. Questionnaires were distributed to various private companies and government agencies for the study. The findings of the research show that the most critical threats are system error and ICT failures; and the most critical vulnerability is insufficient attention to human factors in system design and implementation. This paper also highlights other critical information security risk factors in ICT outsourcing projects. Through the findings, private companies and government agencies would be able to identify critical information security risk factors and address them appropriately and effective.