Page 1 of 18
ISO 27001:2013 ISMS Consultancy
TERMS OF REFERENCE

I. RATIONALE
In 2019, the Commission on Audit (COA) conducted an Information System (IS) Audit by virtue of COA Office Order No. 2019-116 dated 11 February 2019. The IS Audit, conducted from 4 April to 30 August 2019, aimed to assess whether ERC’s policies, procedures and controls are adequate and effective to ensure the confidentiality, integrity and availability of its information assets. The audit also ascertained whether the money invested in IT delivered the intended benefits to its stakeholders and the public in general, and recommended measures to ensure maximum benefits and optimization of resources.

Further, the Commission on Audit Information Systems Review Observation Memorandum (COA-ISROM) recommended that the ERC adopt standards that will intensify its efforts to certify ERC processes to International Organization for Standardization (ISO) standards. One of these is Information Security Management System (ISMS)[1] certification.

Considering that the processing of ERC transactions is largely dependent on its computerized systems, it is essential for the ERC not only to ensure the quality of service to energy sector stakeholders and the general public, but also to provide a secured information system that promotes data integrity, manages information risks and increases defense against cyber-attacks, in line with IT standards and industry best practices. This project therefore addresses the Commission’s need for an information security assessment and ISMS pre-audit compliance assistance.

[1] ISO/IEC 27001 is widely known, providing requirements for an information security management system (ISMS), though there are more than a dozen standards in the ISO/IEC 27000 family. Source: https://www.iso.org/isoiec-27001-information-security.html

II. OBJECTIVES

To successfully implement the Technical Consultancy Services for ISO 27001:2013 ISMS, the objectives are as follows:
1) To assess the current information security management and environment of the ERC and to identify risks and opportunities;
2) To develop and implement a standards-based management system for information security following the ISO 27001:2013 ISMS framework in the following areas, but not limited to:
   a. Information Security;
   b. Communications and Operations Management;
   c. Information Systems Management;
   d. Business Continuity Management;
   e. Physical and Environmental Security;
   f. Risk, Incident, Problem and Change Management;
   g. Asset Management;
   h. Human Resources Security; and
   i. Compliance Management;
3) To conduct Vulnerability Assessment and Penetration Testing (VAPT) on the ERC networks and information systems;
4) To conduct ERC-wide information security awareness and ISMS certification training programs;
5) To ensure that the objectives, processes and procedures related to risk management and the improvement of information security are established in line with globally standardized policies and the objectives of the ERC, and that they deliver results; and
6) To establish internal control mechanisms applicable to ERC operations for the protection of data and information.
III. SCOPE OF WORK
The engagement shall cover the ERC business processes and their corresponding information systems, software, communication systems and network infrastructure, including the management of office applications, used to deliver the IT services provided to internal and external clients. The Technical Consultant shall:
1) Assess the current state of the Information Security Management of the ERC;
2) Review the documents and records required by ISO 27001:2013;
3) Conduct Vulnerability Assessment and Penetration Testing (VAPT) on the ERC networks and information systems;
4) Design and develop an effective and easy-to-use ISMS implementation plan that can be successfully implemented;
5) Conduct workshops, trainings and meetings to facilitate the completion of mandatory and other necessary documents based on the ISMS guidelines;
6) Provide support and assistance in the implementation and monitoring of the established ISMS;
7) Provide assistance towards compliance with the auditing requirements under the ISMS;
8) Conduct readiness and pre-certification assessment;
9) Provide audit assistance for ISO 27001:2013 ISMS certification; and
10) Ensure that its representatives are physically and mentally fit to perform the work and compliant with ERC health protocols.
IV. RESPONSIBILITIES OF THE CONSULTANT
The Consultant must be an accredited or recognized Information Security Assessment Provider for ISMS services by an international certifying organization.

The Consultant must have the expertise, experience and capacity to implement the project based on the following criteria:

1) Assessment of Current State of Information Security Management
Review, analyze and assess the existing core business processes and information security environment in the ERC.

2) Submission of Proposals for the Preparation for ISO 27001:2013 ISMS Certification
The Consultant shall guide and assist the ERC in preparing the documentation necessary to comply with the requirements of ISO 27001:2013 ISMS, including a review of the existing manuals/documentation and operational instructions to determine whether they are still applicable to the current set-up of the ERC. The Consultant shall submit the manuals needed for the implementation of the ISMS.
3) Data Gathering
The Consultant shall conduct actual, on-site gathering of the relevant data and information necessary for the assessment of the ISMS process, and ensure consistency of the data and information and of the interpretation of the results.

4) Confidentiality
The Technical Consultant shall maintain the confidentiality of information gathered for the project. Release of any data or information relating thereto shall require the consent of the ERC.

5) Intellectual Property
All intellectual property, including studies, reports or other materials, models and spreadsheets, shall belong to and remain the property of the ERC.
IV. RESPONSIBILITIES OF THE ERC
The ERC shall facilitate the ISO 27001:2013 ISMS Consultancy with the assistance of the Technical Consultant, by providing the following:
1) Coordination with the ERC offices concerned regarding the needed information;
2) Technical and secretariat support for the work, such as for meetings, presentations and other related activities; and
3) Approval of the system which will be implemented.

V. TIMELINES AND DELIVERABLES
The technical assistance to be provided by the Technical Consultant shall cover a period of four (4) months[2] of actual work from receipt of the Notice to Proceed (NTP). The Consultant shall also provide ten (10) days of free after-sales technical consultancy over two (2) years, as may be needed by the ERC.

[2] The project duration takes into account the time needed for the Commission to approve the high-level documents, which allows a flexibility of three to four weeks. Based on the ISMS Market Study, three to four months suffice for the necessary implementation phases of the consultancy for ISMS assessment and pre-audit compliance assistance.
The Technical Consultant shall be released from its commitment under the contract within fourteen (14) days of acceptance of the final output by the ERC, as approved by the Commission.

The Technical Consultant shall provide the following outputs within the respective timelines:
Milestones | Activities | Output | Timeline

Phase 1 – Initial Assessment and Planning

1.1. Awareness, Training and Planning
Activities:
1. Facilitate workshops on the responsibilities of Top Management and the ISMS Team
2. Provide guidance on establishing an Information Security Policy
Output:
1. Approved Project Plan (timeline, approach/methodology, project team composition)
2. Initial Gap Assessment Report
3. Training Plan
4. ISMS Awareness Training Report
5. Risk Assessment Workshop/Exercises and Training Report
Timeline: Within fourteen (14) working days after receipt of the Notice to Proceed (NTP)

1.2. Master Planning and Kick-off Meeting
Activities: Provide a comprehensive plan for the implementation of the ISMS project and coordinate closely with the ERC for inputs.
Output:
1. ISMS Project Charter (with updated RACI and Gantt charts)
Timeline: 20th day after receipt of the NTP

1.3. Orientation and Awareness
Activities: Provide a briefing for Top Management and selected personnel on the requirements, benefits, roadmap, resource requirements, roles and policies.
Output:
1. Orientation and Awareness Report
2. Proposed ISMS documentation (as presented in the orientation)
Timeline: 25th day after receipt of the NTP

1.4. Data Gathering and Gap Analysis
Activities: Gather the necessary data and determine the business context, the legal, statutory and regulatory needs of interested parties, and the scope of the ISMS.
Output:
1. Gap Assessment Report
Timeline: 30th day after receipt of the NTP

1.5. Business Impact Analysis (BIA) / Risk Management / Statement of Applicability
Activities: Provide a training-workshop and assistance on the identification and assessment of ERC office operations and services.
Output:
1. BIA Report
2. Training Report
3. Risk and Information Asset Register Report
4. Statement of Applicability (SOA) Report
Timeline: 30th day after receipt of the NTP
Phase 2 – Systems Review and Development

2.1. ISMS Development
Activities: Establish the ISMS in accordance with the requirements of ISO 27001:2013, with the following key activities:
a) High Level Policy/ISMS Manual
b) Asset Listing
c) Asset Valuation
d) Threat Assessment
e) Vulnerability Assessment
f) Risk Management Methodology
g) Risk Treatment Plan
h) Implement ISMS Procedures
Note: Must conduct a thorough Vulnerability Assessment and Penetration Testing (VAPT) of the entire ERC ICT network and information systems.
Output:
1. Proposed ISMS Objectives
2. Proposed ISMS Policy
3. Proposed ISMS Manual[3]
4. ISMS Development and Implementation Reports and Documentation:
   a. Asset Listing and Valuation
   b. Threat and Vulnerability Assessment
   c. Risk Treatment Plan
   d. Risk Management Framework
   e. VAPT Report
Timeline: 35th to 55th day after receipt of the NTP

2.2. Document Review and Control
Activities: Prepare the control and routing of documents and records.
Output:
1. Approved High Level Policies (ISMS Objectives & Policy) and ISMS Manual
2. Documented Information/Procedures for ISO 27001
3. Applicable non-mandatory but commonly used documents for ISMS
Timeline: 40th to 70th day after receipt of the NTP

[3] To be approved by the Oversight Commissioner.
Phase 3 – Systems Implementation

3.1. Pre-Certification Assessment (PCA) & Mock Audit
Activities: Conduct a thorough assessment to check compliance with the standard and the management system manuals, covering the following:
a) Risk Management Definition and Design
b) Risk Assessment (Threat and Vulnerability Assessment)
c) Risk Treatment Planning
d) Implementation of ISMS Controls
Output:
1. PCA Report
2. List of Non-Conformities
3. Risk Assessment Report
4. Risk Management Design
5. Risk Treatment Planning
6. Implementation Controls Plan[4]
Timeline: 45th to 75th day after receipt of the NTP

3.2. Assessment of performance against the policy, objectives and current practices
Activities: Monitor, measure and audit the ISMS with the following activities:
a) Monitoring and Measurement
b) Internal Audit (workshop)
c) SOA and other policies
d) Sign-off of ISMS documentation
e) Internal Audit Training and conducting the Internal Audit
f) Closing of Internal Audit Findings
Output:
1. ISMS Performance Report
2. Internal Audit Report
3. Minutes of Management Review
Timeline: 55th day after receipt of the NTP

3.3. Continual Improvement of the ISMS
Activities: Undertake corrective actions, based on the results of the internal audit and management review, for the continual improvement of the system.
Output:
1. Non-conformity Assessment Report
Timeline: 60th day after receipt of the NTP

Phase 4 – Verification & Project Closure[5]

4.1. Mock Audit, Closing and Certification Support
Activities:
1. Conduct a simulated external audit (mock audit) to externally assess and gain confidence in the newly established ISMS
2. Take actions to improve performance
3. Support the ERC in the external audit process leading to certification
Output:
1. Mock Audit Report
2. Non-conformity Assessment Report[6]
3. ISMS Project Closure Briefer and Recommendation for the Commission
4. ISMS Documents Sign-off
Timeline: 90th to 120th day after receipt of the NTP

[4] Needs the approval of the Commission.
[5] Thirty (30) days are allocated for the approval of the Commission.
[6] After the Mock Audit.

Please see Annex “C” for the Matrix of Deliverables/Output with Level of Approval and deadline of submission.

VI. QUALIFICATIONS OF TECHNICAL CONSULTANT

The Technical Consultant needed by the ERC in the performance of its tasks shall be one (1) team possessing the following qualifications:

1) The Technical Consultant/Consultancy Firm must have an extensive background in ICT and ISO/IEC certifications, especially ISO/IEC 27001 Lead Implementer;
2) The Technical Consultant/Consultancy Firm is preferably a Cybersecurity Assessment Provider recognized by the Department of Information and Communications Technology (DICT)[7];
3) Team members must have the expertise, experience and capacity to implement the consultancy project. The technical team shall be composed of specialists highly knowledgeable in ISO/IEC 27001:2013 ISMS, with a minimum of five (5) years of relevant work practice related to ISO information security and systems standards, and of support staff to ensure proper coordination on the administrative side with the point personnel; and
4) These experts should be able to communicate easily and clearly with the ERC and other stakeholders. Hence, the local expert should be able to converse appropriately in the common vernacular, while an expert from another jurisdiction must be fluent in English.

[7] DICT Recognition Scheme of All Cybersecurity Assessment Providers. Source: https://dict.gov.ph/recognition-scheme-cybersecurity-assessment-providers/

VII. MODE OF PROCUREMENT

The procurement of the consultancy service shall be undertaken through Competitive Bidding pursuant to RA No. 9184 and its 2016 Revised IRR.

VIII. FUND SOURCE OF APPROVED BUDGET FOR THE CONTRACT (ABC)

The funding source for the technical assistance is the fiscal year 2021 General Appropriations Act (GAA).

The ABC for the technical assistance is PhP1,200,000.00, inclusive of all government taxes, fees and charges, and other incidental and administrative costs, which shall be paid on an output basis (e.g., meetings, consultations, materials, etc.).

IX. PAYMENT SCHEME/SCHEDULE

The Consultant shall be paid within forty (40) to one hundred twenty (120) calendar days after the acceptance of each milestone by the ERC’s designated/authorized signatories, broken down as follows:
Deliverables | Due Date | Cost
Phase 1 Output | 40th day after receipt of the NTP | 25% of Contract Price
Phase 2 Output | 70th day after receipt of the NTP | 25% of Contract Price
Phase 3 Output | 75th day after receipt of the NTP | 25% of Contract Price
Phase 4 Output[8] | 120th day after receipt of the NTP | 25% of Contract Price

[8] With the final approval of the Commission.

X. LIQUIDATED DAMAGES

1) Should the Consultant refuse or fail to satisfactorily complete the project within the specified contract time, or request an extension of the time provided in the contract without the approval of the ERC, the Consultant shall pay liquidated damages, and not by way of penalty, in an amount as provided in the conditions of the contract, equal to one tenth (1/10) of one percent (1%) of the cost of the unperformed portion for every day of delay. The maximum deduction shall be ten percent (10%) of the amount of the contract, without prejudice to any other action or remedy the ERC may take to recover the losses incurred as a result of the Consultant’s failure or non-performance, including but not limited to forfeiture of the performance security and/or blacklisting of the Consultant.
2) To be entitled to such liquidated damages, the ERC need not prove the damages actually incurred. Said damages, in any amount, shall be deducted from any money due or which may become due to the Consultant under the contract, and/or the ERC may collect such liquidated damages from the retention money or other securities posted by the Consultant, at the ERC’s convenience.

XI. EVALUATION CRITERIA

1) Short Listing Criteria of Prospective Bidders
a) Firm Experience – The bidder must have at least five (5) years of experience in ISO/IEC 27001:2013 ISMS and allied standardization consultancy services in the government and energy sectors.
b) Qualification of Personnel – To establish that the bidders excel or are among the leaders in their field of expertise, they must demonstrate competence in developing, managing and operating qualifications in best practice, in the methodologies of ISO compliance best-practice frameworks and methodologies used by professionals working primarily in IT service management, project, program and portfolio management, and cyber resilience. They must also hold accreditation from an international organization on ISO or IT security management standards, the Professional Evaluation and Certification Board (PECB), or other organizations authorized by ISO.
c) Current workload relative to job capacity – The bidder must be able to prove that the listed personnel can fully perform the workload requirements.

Parameters | Equivalent Point Score
A. Firm Experience | 45%
B. Qualification of Personnel | 30%
C. Current workload relative to job capacity | 25%
Total | 100%
(Note: Only the top 5 ranked Firms with at least 70% points based on the shortlisting criteria will be invited to submit the Technical and Financial Proposals. Should less than the required number apply and pass the eligibility check, and pass the minimum score required in the short listing, the BAC shall consider the same. The details of the above parameters are hereto attached as Annex “A”. )
2) Bid Evaluation Criteria
Quality-Based Evaluation (QBE) will be used in the determination of highest rated bid. Under said evaluation, the Technical Proposal will be evaluated first to determine the highest rated bid. Then, upon approval by the HOPE, the Financial Proposal will be opened by the BAC.
a) Quality of personnel to be assigned to the project, which covers the suitability of key staff to perform the duties of the particular assignments and their general qualifications and competence, including the education and training of the key staff;
b) Experience and capability of the consultant, which includes records of previous engagements and quality of performance in similar and other projects; relationship with previous and current clients; and overall work commitments, geographical distribution of current/impending projects and the attention to be given by the consultant. The experience of the consultant relevant to the project shall consider both the overall experience of the firm and the individual experience of the principal and key staff, including periods when employed by other consultants; and
c) Plan of approach and methodology, with emphasis on the clarity, feasibility, innovativeness and comprehensiveness of the plan of approach, and the quality of interpretation of project problems, risks and suggested solutions.

Parameters | Equivalent Point Score
A. Quality of Firm and Exposure | 20%
B. Experience and Capability of the Consultants | 40%
C. Plan of Approach and Methodology | 40%
Total | 100%
ANNEX “A”
Criteria for Shortlisting/Selection of Prospective Bidders for the Procurement of Consultancy Services for ISO 27001:2013 ISMS

Parameters | Equivalent Point Score
A. Applicable experience of the firm/company and of its consultants and team members (in case of joint ventures), considering both the overall experience of the firm relative to ISO 27001:2013 ISMS certification and ISO IT management system certifications, AND accreditation of the consulting firm on the ISO 27000 and ISO 20000 families and/or accreditation as a Certifying Body for the ISMS, ITILv4/v5, COBIT 5/2019, ISACA and CompTIA certification standards | 45%
B. Qualifications of personnel who shall be assigned to the job vis-à-vis the extent and complexity of the undertaking | 30%
C. Current workload relative to job capacity | 25%
Total | 100%
Hurdle Rate | 70%
Eligibility Factors[9] | Points | Multiplier
I. Firm Experience | 45 | 45%
  A) Consultancy Experience (auditing firm or partnership company with consultancy for a number of years) | 20 | 20%
     Above 5 years | 20 | 20%
     3-5 years | 15 | 15%
     Less than 3 years | 10 | 10%
  B) Exposure in the Energy and/or Public Sectors (auditing firm or partnership company with clients in the government and/or energy sector) | 25 | 25%
     Yes - Government | 20 | 20%
     Yes - Energy Sector | 20 | 20%
     Yes - Government & Energy Sectors | 25 | 25%
     None | 13 | 13%
II. Qualification of Personnel | 30 | 30%
  A) Educational Background | 5 | 5%
     PhD degree holder | 5 | 5%
     MA/MS degree holder | 4 | 4%
     BS/BA degree holder | 3 | 3%
  B) ISO & ICT Certifications | 15 | 15%
     Certified ISMS Practitioner | 12 | 12%
     Certified ISMS Auditor | 12 | 12%
     Certified ISMS Auditor and Practitioner | 15 | 15%
     Certified by the Department of Information and Communications Technology (DICT) as Cybersecurity / ISMS Implementer Partner[10] | 15 | 15%
     None | 0 | 0%
  C) Number of years of experience in ISMS consultancy | 10 | 10%
     5 years and above | 10 | 10%
     3-5 years | 8 | 8%
III. Current workload relative to job capacity | 25 | 25%
  A) Number of all listed members that are involved in ongoing (awarded) projects | 12.5 | 12.5%
     0 to 30% | 12.5 | 12.5%
     40% to 50% | 8.3 | 8.3%
     More than 50% | 5 | 5%
  B) Percentage of working hours allotted for other ongoing projects of the consultant/firm out of the total contracted hours (allotted hours for other ongoing projects plus number of hours required for the subject consultancy) | 12.5 | 12.5%
     0 to 30% | 12.5 | 12.5%
     40% to 50% | 8.3 | 8.3%
     More than 50% | 5 | 5%
TOTAL | 100 | 100%

[9] Points are based on the criteria selection.
[10] Recognition Scheme of All Cybersecurity Assessment Providers of the DICT: https://dict.gov.ph/recognition-scheme-cybersecurity-assessment-providers/
ANNEX “B”
Technical Proposal QBE Criteria

Technical Proposal QBE Factors Considered | Points | Multiplier
I. Quality of Firm in the Assessment and Pre-audit on ISMS (20%)[11] | 20 | 20%
  A) Work experience of key staff (consulting firm with consultancy experience for a number of years) | 10 | 10%
     Above 5 years | 10 | 10%
     3-5 years | 8 | 8%
     Less than 3 years | 5 | 5%
  B) Exposure in the Energy and/or Public Sectors (consultancy firm has previous clients in the government and/or energy sector) | 10 | 10%
     Yes - Government | 8 | 8%
     Yes - Energy Sector | 8 | 8%
     Yes - Government & Energy Sectors | 10 | 10%
     None | 4 | 4%
II. Qualification of Personnel (40%)[12] | 40 | 40%
  A) Educational Background | 4 | 4%
     PhD degree holder | 4 | 4%
     MA/MS degree holder | 3 | 3%
     BS/BA degree holder | 2 | 2%
  B) ICT Certifications | 24 | 24%
     Certified ISMS Practitioner | 20 | 20%
     Certified ISMS Auditor | 20 | 20%
     Certified ISMS Auditor and Practitioner | 24 | 24%
     Certified by the Department of Information and Communications Technology (DICT) as Cybersecurity / ISMS Implementer Partner | 24 | 24%
     None | 0 | 0%
  C) Number of years of experience in ISMS consultancy | 12 | 12%
     5 years and above | 12 | 12%
     3-5 years | 10 | 10%
III. Plan of Approach and Methodology (40%)[13] | 40 | 40%
  A) Approach and Methodology | 30 | 30%
     1) Detailed work plan and schedule | 5 | 5%
     2) Accessibility of principal/key personnel to the project | 5 | 5%
     3) Workload assignment | 5 | 5%
     4) Quality of knowledge transfer, trainers and training modules | 15 | 15%
  B) Projects awarded, completed and ongoing | 10 | 10%
     1) Number of contracts similar in nature | 4 | 4%
     2) Contracts of similar complexity | 3 | 3%
     3) Timeliness of delivery | 3 | 3%
TOTAL | 100 | 100%

[11] Points are based on criteria selection.
[12] Points are based on criteria selection.
[13] Points are cumulative.
ANNEX “C”
LIST OF DELIVERABLES AND OUTPUT

Milestones | Output | Level of Approval | Deadline of Submission

Phase 1 – Initial Assessment and Planning

1.1. Awareness, Training and Planning
Output:
1. Approved Project Plan (timeline, approach/methodology, project team composition)
2. Initial Gap Assessment Report
3. Training Plan
4. ISMS Awareness Training Report
5. Risk Assessment Workshop/Exercises and Training Report
Level of Approval: Project Management Team (PPIS-MISD)
Deadline of Submission: On or before the 25th day after receipt of the NTP

1.2. Master Planning and Kick-off Meeting
Output:
1. ISMS Project Charter (with RACI and Gantt Charts)
Level of Approval: Project Management Team
Deadline of Submission: On or before the 25th day after receipt of the NTP

1.3. Orientation and Awareness
Output:
1. Orientation and Awareness Report
2. Proposed ISMS documentation (as presented in the orientation)
Level of Approval: Oversight Commissioner
Deadline of Submission: On or before the 35th day after receipt of the NTP

1.4. Data Gathering and Gap Analysis
Output:
1. Gap Assessment Report
Level of Approval: Project Management Team
Deadline of Submission: On or before the 40th day after receipt of the NTP

1.5. Business Impact Analysis (BIA) / Risk Management / Statement of Applicability (SOA)
Output:
1. BIA Report
2. Training Report
3. Risk and Information Asset Register
4. SOA Report
Level of Approval: Oversight Commissioner
Deadline of Submission: On or before the 40th day after receipt of the NTP
Phase 2 – Systems Review and Development

2.1. System Development
Output:
1. Proposed ISMS Objectives
2. Proposed ISMS Policy
3. Proposed ISMS Manual[14]
4. System Development and ISMS Implementation Reports and Documentation:
   a) Asset Listing and Valuation
   b) Threat and Vulnerability Assessment
   c) Risk Treatment Plan
   d) Risk Management Framework
   e) VAPT Report
Level of Approval: Oversight Commissioner
Deadline of Submission: On or before the 70th day after receipt of the NTP

2.2. Document Review and Control
Output:
1. Approved High Level Policies (ISMS Objectives & Policy) and ISMS Manual
2. Documented Information/Procedures for ISO 27001
3. Applicable non-mandatory but commonly used documents for ISMS
Level of Approval: IT Governance Steering Committee / Commission
Deadline of Submission: On or before the 70th day after receipt of the NTP

Phase 3 – Systems Implementation

3.1. Pre-Certification Assessment (PCA) & Mock Audit
Output:
1. PCA Report
2. List of Non-Conformities
3. Risk Assessment Report
4. Risk Management Design
5. Risk Treatment Planning
6. Implementation Controls Plan[15]
Level of Approval: Oversight Commissioner
Deadline of Submission: On or before the 75th day after receipt of the NTP

3.2. Assessment of performance against the policy, objectives and current practices
Output:
1. ISMS Project Performance Report
2. Internal Audit Report
3. Minutes of Management Review
Level of Approval: Oversight Commissioner
Deadline of Submission: On or before the 75th day after receipt of the NTP

3.3. Continual Improvement of the ISMS
Output:
1. Non-conformity Assessment Report
Level of Approval: Oversight Commissioner
Deadline of Submission: On or before the 75th day after receipt of the NTP

Phase 4 – Verification & Project Closure[16]

4.1. Mock Audit, Closing and Certification Support
Output:
1. Mock Audit Report
2. Non-conformity Assessment Report[17]
3. ISMS Project Closure Briefer and Recommendation for the Commission
4. ISMS Documents Sign-off
Level of Approval: IT Governance Steering Committee / Commission
Deadline of Submission: 120th day after receipt of the NTP

[14] To be approved by the Oversight Commissioner.
[15] Needs the approval of the Commission.
[16] Thirty (30) days are allocated for the approval of the Commission.
[17] After the Mock Audit.