Hello Ruth,
The Standalone ITS (version 6.20) is already in custom maintenance support (SAP notes 197746 and 325616). Even though its architecture comprehends a agate (tied to the R/3) and a wgate (tied to a web server), it cannot be linked to a Netweaver 7.00 or higher (SAP note 709038). Thus, you cannot have only the ITS running separated from the ABAP system.
I would try to think in a security solution rather than changing the actual system architecture. What I have in mind:
a) Authentication - there are several SSO possibilities (SAP note 1257108 tells about the possibilities in a Netweaver ABAP system);
b) Authorization - a well defined profile should help avoiding unwanted access to sensitive information;
c) Monitoring - SAP offers the Security Audit Log (SAL) to record access information (SAP note 539404 and this SCN Document).
Maybe your network team could also assess whether using the SAP Web Dispatcher for external suppliers would be a valid alternative.
I hope this helps,
Cris