The external company should sign a legal confidentiality agreement. We will require documentation of quality and of the consultants' skills. We will also choose a vendor-independent consultancy. The final report derived from the vulnerability check should be written in-house. No log files, port scan results, etc. should leave our company.