Many organisations have adopted outsourcing for delivering critical IT services to their clients. Organisations need to identify the potential security threats of outsourced IT projects as early as possible to avoid or mitigate security incidents. Existing threat classification approaches suffer from limitations such as the lack of exhaustive threat classification criteria. In this paper, we propose a threat classification approach for outsourced IT projects. This approach aims to allow organisations to identify, minimise, mitigate, or eliminate security threats at the early stages of project execution.