
Page 1 of 18

ISO 27001:2013 ISMS Consultancy

TERMS OF REFERENCE

I. RATIONALE

In 2019, the Commission on Audit (COA) conducted an Information System (IS) Audit by virtue of COA Office Order No. 2019-116 dated 11 February 2019. The IS Audit, conducted from 4 April to 30 August 2019, aimed to assess whether ERC’s policies, procedures and controls are adequate and effective to ensure the confidentiality, integrity and availability of its information assets. The audit also ascertained whether the amount of money invested in IT delivered the intended benefits to its stakeholders and the public in general, and recommended measures to ensure maximum benefits and optimization of resources.

Further, the Commission on Audit Information Systems Review Observation Memorandum (COA-ISROM) recommended that ERC adopt a standard that will intensify its efforts to certify ERC processes to International Organization for Standardization (ISO) standards by working on these processes. One of these is the Information Security Management System (ISMS)¹ certification.

Considering that the processing of ERC transactions is largely dependent on its computerized system, it is essential for ERC not only to ensure the quality of service to the energy sector stakeholders and the general public but also to provide a secure information system that will promote data integrity, manage information risks and increase its defenses against cyber-attacks, attuned to IT standards and industry best practices. Thus, this project will address the Commission’s need for an information security assessment and ISMS audit pre-compliance.

II. OBJECTIVES

To successfully implement the Technical Consultancy Services for ISO 27001:2013 ISMS, the objectives are as follows:

¹ ISO/IEC 27001 is widely known, providing requirements for an information security management system (ISMS), though there are more than a dozen standards in the ISO/IEC 27000 family. Source: https://www.iso.org/isoiec-27001-information-security.html


1) To assess the current information security management and environment of ERC and to identify risks and opportunities;

2) To develop and implement the standard-based management system for information security following the ISO 27001:2013 ISMS framework in the following areas, but not limited to:

   a. Information Security;
   b. Communications and Operations Management;
   c. Information Systems Management;
   d. Business Continuity Management;
   e. Physical and Environment Security;
   f. Risk, Incident, Problem and Change Management;
   g. Asset Management;
   h. Human Resources Security; and
   i. Compliance Management;

3) To conduct Vulnerability Assessment and Penetration Testing (VAPT) in the ERC networks and information systems;

4) To conduct an ERC-wide information security awareness and ISMS certification training programs;

5) To ensure that the objectives, processes and procedures related to risk management and the improvement of information security are established in line with the globally standardized policies and objectives of the ERC; and

6) To establish internal control mechanisms that are applicable to ERC operations for the protection of data and information.

III. SCOPE OF WORK

The engagement shall cover the ERC business processes and their corresponding information systems, software, communication systems and network infrastructure, and the management of office applications used to deliver the IT services provided to internal and external clients. The Technical Consultant shall:

1) Assess the current state of the Information Security Management of ERC;

2) Review documents and records required by ISO 27001:2013;


3) Conduct Vulnerability Assessment and Penetration Testing (VAPT) in the ERC networks and information systems;

4) Design and develop an effective and easy-to-use ISMS implementation plan that can be successfully implemented;

5) Conduct workshops, trainings, and meetings to facilitate completion of mandatory and other necessary documents based on the ISMS guidelines;

6) Provide support and assistance in the implementation and monitoring of the established ISMS;

7) Provide assistance towards compliance with the auditing requirements under the ISMS;

8) Conduct readiness and pre-certification assessment;

9) Provide audit assistance for ISO 27001:2013 ISMS certification; and

10) Ensure that the service provider’s representatives are physically and mentally fit to perform the work and compliant with ERC health protocols.

IV. RESPONSIBILITIES OF THE CONSULTANT

The Consultant must be an accredited or Recognized Information Security Assessment Provider for the services of ISMS by any International Certifying Organization.

The Consultant must have the expertise, experience, and capacity to implement the project based on the following criteria:

1) Assessment of Current State of Information Security Management

Review, analyze and assess the existing core business processes and Information Security environment in the ERC.

2) Submission of Proposals for the Preparation for ISO 27001:2013 ISMS Certification

The Consultant shall guide and assist the ERC in preparing the documentation necessary to comply with the requirements of ISO 27001:2013 ISMS, including a review of the existing manuals/documentation and operational instructions to determine whether they are still applicable to the current set-up of the ERC. The Consultant will submit the manuals needed for the implementation of its ISMS.


3) Data Gathering

The Consultant shall conduct actual on-site gathering of the relevant data and information necessary for the assessment of the ISMS process, and shall ensure the consistency of the data and information and the interpretation of the results.

4) Confidentiality

The Technical Consultant shall maintain the confidentiality of the information gathered for the project. Thus, the release of any data or information relating to the project shall require the consent of the ERC.

5) Intellectual Property

All intellectual property including studies, reports or other materials, models, spreadsheets shall belong to and remain a property of the ERC.

IV. RESPONSIBILITIES OF THE ERC

The ERC shall facilitate the ISO 27001:2013 ISMS Consultancy with the assistance of the Technical Consultant, by providing the following:

1) Coordination with the ERC offices concerned regarding the needed information;

2) Technical and secretariat support to the work such as for meetings, presentations, and other related activities; and

3) Approval of the system which will be implemented.

V. TIMELINES AND DELIVERABLES

The timeframe for the technical assistance to be provided by the Technical Consultant shall be a period of four (4) months² of actual work from receipt of the Notice to Proceed (NTP), and the Consultant shall also provide, free of charge, a 10-day after-sales technical consultancy for two (2) years, as may be needed by the ERC.

² The project duration takes into account the timeframe for the Commission’s approval of high-level documents, which gives a flexibility of three to four weeks. Based on the ISMS Market Study, three to four months can suffice for the necessary implementation phases of the consultancy for ISMS Assessment and pre-audit compliance assistance.


The Technical Consultant shall be released from its commitment to the contract not more than fourteen (14) days after acceptance of the final output by the ERC, as approved by the Commission.

The Technical Consultant shall provide the following outputs within its respective timelines:

(Table columns: Milestones, Activities, Output, Timeline)

Phase 1 – Initial Assessment and Planning

1.1. Awareness, Training and Planning
   Activities:
      1. Facilitate workshops on the responsibilities of Top Management and the ISMS Team
      2. Provide guidance on establishing an Information Security Policy
   Output:
      1. Approved Project Plan (timeline, approach/methodology, project team composition)
      2. Initial Gap Assessment Report
      3. Training Plan
      4. ISMS Awareness Training Report
      5. Risk Assessment Workshop/Exercises and Training Report
   Timeline: Within fourteen (14) Working Days after receipt of the Notice to Proceed (NTP)

1.2. Master Planning and Kick-off Meeting
   Activities: Provide a comprehensive plan for the implementation of the ISMS project and coordinate closely with the ERC for inputs.
   Output:
      1. ISMS Project Charter (with updated RACI and Gantt charts)
   Timeline: 20th day after receipt of the NTP

1.3. Orientation and Awareness
   Activities: Provide a briefing for Top Management and selected personnel on the requirements, benefits, roadmap, resource requirements, roles and policies.
   Output:
      1. Orientation and Awareness Report
      2. Proposed ISMS documentation (as presented in the orientation)
   Timeline: 25th day after receipt of the NTP

1.4. Data Gathering and Gap Analysis
   Activities: Gather the necessary data and determine the business context, the legal, statutory and regulatory needs of interested parties, and the scope of the ISMS.
   Output:
      1. Gap Assessment Report
   Timeline: 30th day after receipt of the NTP

1.5. Business Impact Analysis (BIA) / Risk Management / Statement of Applicability
   Activities: Provide a training-workshop and assistance on the identification and assessment of ERC office operations and services.
   Output:
      1. BIA Report
      2. Training Report
      3. Risk and Information Asset Register Report
      4. Statement of Applicability (SOA) Report
   Timeline: 30th day after receipt of the NTP

Phase 2 – Systems Review and Development

2.1. ISMS Development
   Activities: Establish the ISMS in accordance with the requirements of ISO 27001:2013, with the following key activities:
      a) High Level Policy/ISMS Manual
      b) Asset Listing
      c) Asset Valuation
      d) Threat Assessment
      e) Vulnerability Assessment
      f) Risk Management Methodology
      g) Risk Treatment Plan
      h) Implement ISMS Procedures
   Note: Must conduct a thorough Vulnerability Assessment and Penetration Testing (VAPT) of the entire ERC ICT Network and Information Systems.
   Output:
      1. Proposed ISMS Objectives
      2. Proposed ISMS Policy
      3. Proposed ISMS Manual³
      4. ISMS Development and Implementation Reports and Documentation:
         a. Asset Listing and Valuation
         b. Threat and Vulnerability Assessment
         c. Risk Treatment Plan
         d. Risk Management Framework
         e. VAPT Report
   Timeline: 35th to 55th day after receipt of the NTP

2.2. Document Review and Control
   Activities: Prepare the control and routing of documents and records.
   Output:
      1. Approved High Level Policies (ISMS Objectives & Policy) and ISMS Manual
      2. Documented Information/Procedures for ISO 27001
      3. Applicable non-mandatory but commonly used documents for ISMS
   Timeline: 40th to 70th day after receipt of the NTP

Phase 3 – Systems Implementation

3.1. Pre-Certification Assessment (PCA) & Mock Audit
   Activities: Conduct a thorough assessment to check compliance with the standard and the management system manuals, covering the following:
      a) Risk Management Definition and Design
      b) Risk Assessment (Threat and Vulnerability assessment)
      c) Risk Treatment Planning
      d) Implementation of ISMS Controls
   Output:
      1. PCA Report
      2. List of Non-Conformities
      3. Risk Assessment Report
      4. Risk Management Design
      5. Risk Threat Planning
      6. Implementation Controls Plan⁴
   Timeline: 45th to 75th day after receipt of the NTP

3.2. Assessment of performance against the policy, objectives, and current practices
   Activities: Monitor, measure and audit the ISMS with the following activities:
      a) Monitoring and Measurement
      b) Internal Audit (workshop)
      c) SOA and other policies
      d) Sign-off of ISMS documents
      e) Internal Audit Training & Conducting Internal Audit
      f) Close Internal Audit Findings
   Output:
      1. ISMS Performance Report
      2. Internal Audit Report
      3. Minutes of Management Review
   Timeline: 55th day after receipt of the NTP

3.3. Continual Improvement of the ISMS
   Activities: Undertake corrective actions, based on the results of the internal audit and management review, for continual improvement of the system.
   Output:
      1. Non-conformity Assessment Report
   Timeline: 60th day after receipt of the NTP

Phase 4 – Verification & Project Closure⁵

4.1. Mock Audit, Closing and Certification Support
   Activities:
      1. Conduct a simulated external audit (mock audit) to externally assess and gain confidence in the newly established ISMS
      2. Take actions to improve performance
      3. Support the ERC in the external audit process leading to certification
   Output:
      1. Mock Audit Report
      2. Non-conformity Assessment Report⁶
      3. ISMS Project Closure Briefer and Recommendation for the Commission
      4. ISMS Documents Sign-off
   Timeline: 90th to 120th day after receipt of the NTP

³ To be approved by the Oversight Commissioner.

⁴ Needs approval of the Commission.

Please see Annex “C” for the Matrix of Deliverables/Output with Level of Approval and deadline of submission.

VI. QUALIFICATIONS OF TECHNICAL CONSULTANT

The Technical Consultant needed by the ERC in the performance of its tasks shall be one (1) team possessing the following:

1) The Technical Consultant/Consultancy Firm must have extensive background in ICT and ISO/IEC Certifications especially ISO/IEC 27001 Lead Implementer;

⁵ Thirty (30) days allocated for the approval of the Commission.

⁶ After the Mock Audit.


2) The Technical Consultant/Consultancy Firm is preferably a Cybersecurity Assessment Provider recognized by the Department of Information and Communications Technology (DICT)⁷;

3) Team members must have the expertise, experience, and capacity to implement the consultancy project. The technical team shall be composed of specialists who are highly knowledgeable in ISO/IEC 27001:2013 ISMS, with a minimum of five (5) years of relevant work practice related to ISO Information Security and Systems Standards, and of support staff who ensure proper coordination on the administrative side with the point personnel; and

4) These experts should be able to communicate easily and clearly with the ERC and other stakeholders. Hence, the local expert should be able to converse appropriately in the common vernacular, while an expert from another jurisdiction requires fluency in English.

VII. MODE OF PROCUREMENT

The procurement of the consultancy service shall be undertaken through Competitive Bidding pursuant to RA No. 9184 and its 2016 Revised IRR.

VIII. FUND SOURCE OF APPROVED BUDGET FOR THE CONTRACT (ABC)

The funding source for the technical assistance is the fiscal year 2021 General Appropriations Act (GAA).

The ABC for the technical assistance is PhP1,200,000.00, inclusive of all government taxes, fees and charges, and other incidental and administrative costs (e.g., meetings, consultations, materials, etc.), which shall be paid on an output basis.

IX. PAYMENT SCHEME/SCHEDULE

The Consultant shall be paid within forty (40) to one hundred twenty (120) calendar days after the acceptance of each milestone by the ERC’s designated/authorized signatories, broken down as follows:

⁷ DICT Recognition Scheme of All Cybersecurity Assessment Providers. Source: https://dict.gov.ph/recognition-scheme-cybersecurity-assessment-providers/


(Table columns: Deliverables, Due Date, Cost)

Phase 1 Output: due on the 40th day after receipt of the NTP; 25% of Contract Price

Phase 2 Output: due on the 70th day after receipt of the NTP; 25% of Contract Price

Phase 3 Output: due on the 75th day after receipt of the NTP; 25% of Contract Price

Phase 4 Output⁸: due on the 120th day after receipt of the NTP; 25% of Contract Price

X. LIQUIDATED DAMAGES

1) Should the Consultant refuse or fail to satisfactorily complete the project within the specified contract time, or request an extension of the time provided in the contract without the approval of the ERC, the Consultant shall pay liquidated damages, and not by way of penalty, in an amount as provided in the conditions of the contract, equal to one tenth (1/10) of one percent (1%) of the cost of the unperformed portion for every day of delay. The maximum deduction shall be ten percent (10%) of the amount of the contract, without prejudice to any other action or remedy the ERC may take to recover the losses incurred as a result of the Consultant’s failure/non-performance, including but not limited to forfeiture of the performance security and/or blacklisting of the latter.

2) To be entitled to such liquidated damages, the ERC need not prove the damages actually incurred. Said damages in any amount shall be deducted from any money due or which may become due to the Consultant under the contract, and/or the ERC may collect such liquidated damages from the retention money or other securities posted by the Consultant, at the ERC’s convenience.

XI. EVALUATION CRITERIA

1) Short Listing Criteria of Prospective Bidders

a) Firm Experience – The bidder must have at least five (5) years of experience in ISO/IEC 27001:2013 ISMS and allied standardization consultancy services in the government and energy sectors.

⁸ With the final approval of the Commission.

b) Qualification of Personnel – To establish that the bidders excel or are among the leaders in their field of expertise, they must demonstrate competence to develop, manage and operate qualifications in best practice, in the ISO-compliance best-practice frameworks and methodologies used by professionals working primarily in IT service management, project, program and portfolio management, and cyber resilience, and must have accreditation from any international organization on ISO or IT security management standards, the Professional Evaluation and Certification Board (PECB), or other organizations authorized by ISO.

c) Current workload relative to job capacity – The bidder must be able to prove that the listed personnel can fully perform the workload requirements.

(Table columns: Parameters, Equivalent Point Score)

A. Firm Experience: 45%

B. Qualification of Personnel: 30%

C. Current workload relative to job capacity: 25%

Total: 100%

(Note: Only the top 5 ranked firms with at least 70% points based on the shortlisting criteria will be invited to submit Technical and Financial Proposals. Should fewer than the required number apply, pass the eligibility check and attain the minimum score required in the shortlisting, the BAC shall consider the same. The details of the above parameters are attached hereto as Annex “A”.)

2) Bid Evaluation Criteria

Quality-Based Evaluation (QBE) will be used in the determination of highest rated bid. Under said evaluation, the Technical Proposal will be evaluated first to determine the highest rated bid. Then, upon approval by the HOPE, the Financial Proposal will be opened by the BAC.


a) Quality of personnel to be assigned to the project which covers suitability of key staff to perform the duties of the particular assignments and general qualifications and competence including education and training of the key staff;

b) Experience and capability of the consultant, which include records of previous engagements and quality of performance in similar and other projects; relationships with previous and current clients; and overall work commitments, geographical distribution of current/impending projects, and the attention to be given by the consultant. The experience of the consultant relevant to the project shall consider both the overall experience of the firm and the individual experience of the principal and key staff, including the time when they were employed by other consultants; and

c) Plan of approach and methodology with emphasis on the clarity, feasibility, innovativeness and comprehensiveness of the plan approach, and the quality of interpretation of project problems, risks, and suggested solutions.

(Table columns: Parameters, Equivalent Point Score)

A. Quality of Firm and Exposure: 20%

B. Experience and Capability of the Consultants: 40%

C. Plan of Approach and Methodology: 40%

Total: 100%


ANNEX “A”

Criteria for Shortlisting/Selection of Prospective Bidders for the Procurement of Consultancy Services for ISO 27001:2013 ISMS

(Table columns: Parameters, Equivalent Point Score)

A. Applicable experience of the firm/company and its consultants and members of the team (in case of joint ventures), considering both the overall experience of the firm relative to ISO 27001:2013 ISMS Certification and ISO IT Management System certifications, and accreditation of the consulting firm on the ISO 27000 and ISO 20000 family and/or accreditation as a Certifying Body for the ISMS, ITILv4/v5, COBIT 5/2019, ISACA, CompTIA certification standards: 45%

B. Qualifications of personnel who shall be assigned to the job vis-à-vis the extent and complexity of the undertaking: 30%

C. Current workload relative to job capacity: 25%

Total: 100%

Hurdle Rate: 70%


(Table columns: Eligibility Factors⁹, Points, Multiplier)

I. Firm Experience 45 45%

A) Consultancy Experience 20 20%

Auditing firm or partnership company with consultancy experience for the following number of years:

Above 5 years 20 20%

3-5 years 15 15%

Less than 3 years 10 10%

B) Exposure in the Energy and/or Public Sectors 25 25%

Auditing firm or partnership company with clients in the government and/or energy sector:

Yes - Government 20 20%

Yes - Energy Sector 20 20%

Yes - Government & Energy Sectors 25 25%

None 13 13%

II. Qualification of Personnel 30 30%

A) Educational Background 5 5%

PhD degree holder 5 5%

MA/MS degree holder 4 4%

BS/BA degree holder 3 3%

B) ISO & ICT Certifications 15 15%

Certified ISMS Practitioner 12 12%

Certified ISMS Auditor 12 12%

Certified ISMS Auditor and Practitioner 15 15%

Certified by the Department of Information and Communications Technology (DICT) as Cybersecurity / ISMS Implementer Partner¹⁰ 15 15%

None 0 0%

C) Number of years of experience in ISMS Consultancy 10 10%

5 years and above 10 10%

3-5 years 8 8%

III. Current workload relative to job capacity 25 25%

A) Number of all listed members that are involved in ongoing projects (awarded) 12.5 12.5%

0 to 30% 12.5 12.5%

40% to 50% 8.3 8.3%

More than 50% 5 5%

B) Percentage of working hours allotted to other ongoing projects of the consultant/firm out of the total contracted hours (hours allotted to other ongoing projects plus the number of hours required for the subject consultancy) 12.5 12.5%

0 to 30% 12.5 12.5%

40% to 50% 8.3 8.3%

More than 50% 5 5%

TOTAL 100 100%

⁹ Points are based on the criteria selection.

¹⁰ Recognition Scheme of All Cybersecurity Assessment Providers of the DICT: https://dict.gov.ph/recognition-scheme-cybersecurity-assessment-providers/


ANNEX “B” Technical Proposal QBE Criteria

(Table columns: Technical Proposal QBE Factors Considered, Points, Multiplier)

I. Quality of Firm in the Assessment and Pre-audit on ISMS (20%)¹¹ 20 20%

A) Work experience of key staff 10 10%

Consulting firm with consultancy experience for the following number of years:

Above 5 years 10 10%

3-5 years 8 8%

Less than 3 years 5 5%

B) Exposure in the Energy and/or Public Sectors 10 10%

Consultancy firm with previous clients in the government and/or energy sector:

Yes - Government 8 8%

Yes - Energy Sector 8 8%

Yes - Government & Energy Sectors 10 10%

None 4 4%

II. Qualification of Personnel (40%)¹² 40 40%

A) Educational Background 4 4%

PhD degree holder 4 4%

MA/MS degree holder 3 3%

BS/BA degree holder 2 2%

B) ICT Certifications 24 24%

Certified ISMS Practitioner 20 20%

Certified ISMS Auditor 20 20%

Certified ISMS Auditor and Practitioner 24 24%

Certified by the Department of Information and Communications Technology (DICT) as Cybersecurity / ISMS Implementer Partner 24 24%

None 0 0%

C) Number of Years of Experience in ISMS Consultancy 12 12%

5 years and above 12 12%

3-5 years 10 10%

III. Plan of Approach and Methodology (40%)¹³ 40 40%

A) Approach and Methodology 30 30%

1) Detailed work plan and schedule 5 5%

2) Accessibility of principal/key personnel to the project 5 5%

3) Work load assignment 5 5%

4) Quality of Knowledge Transfer, Trainers & Training Modules 15 15%

B) Projects awarded, completed and on-going 10 10%

1) Number of contracts similar in nature 4 4%

2) Contracts of similar complexity 3 3%

3) Timeliness of delivery 3 3%

TOTAL 100 100%

¹¹ Points are based on criteria selection.

¹² Points are based on criteria selection.

¹³ Points are cumulative.


ANNEX “C”

LIST OF DELIVERABLES AND OUTPUT

(Table columns: Milestones, Output, Level of Approval, Deadline of Submission)

Phase 1 – Initial Assessment and Planning

1.1. Awareness, Training and Planning
   Output:
      1. Approved Project Plan (timeline, approach/methodology, project team composition)
      2. Initial Gap Assessment Report
      3. Training Plan
      4. ISMS Awareness Training Report
      5. Risk Assessment Workshop/Exercises and Training Report
   Level of Approval: Project Management Team (PPIS-MISD)
   Deadline of Submission: On or before the 25th day after receipt of the NTP

1.2. Master Planning and Kick-off Meeting
   Output:
      1. ISMS Project Charter (with RACI and Gantt Charts)
   Level of Approval: Project Management Team
   Deadline of Submission: On or before the 25th day after receipt of the NTP

1.3. Orientation and Awareness
   Output:
      1. Orientation and Awareness Report
      2. Proposed ISMS documentation (as presented in the orientation)
   Level of Approval: Oversight Commissioner
   Deadline of Submission: On or before the 35th day after receipt of the NTP

1.4. Data Gathering and Gap Analysis
   Output: Gap Assessment Report
   Level of Approval: Project Management Team
   Deadline of Submission: On or before the 40th day after receipt of the NTP

1.5. Business Impact Analysis (BIA) / Risk Management / Statement of Applicability (SOA)
   Output:
      1. BIA Report
      2. Training Report
      3. Risk and Information Asset Register
      4. SOA Report
   Level of Approval: Oversight Commissioner
   Deadline of Submission: On or before the 40th day after receipt of the NTP

Phase 2 – Systems Review and Development

2.1. System Development
   Output:
      1. Proposed ISMS Objectives
      2. Proposed ISMS Policy
      3. Proposed ISMS Manual¹⁴
      4. System Development and ISMS Implementation Reports and Documentation:
         a) Asset Listing and Valuation
         b) Threat and Vulnerability Assessment
         c) Risk Treatment Plan
         d) Risk Management Framework
         e) VAPT Report
   Level of Approval: Oversight Commissioner
   Deadline of Submission: On or before the 70th day after receipt of the NTP

2.2. Document Review and Control
   Output:
      1. Approved High Level Policies (ISMS Objectives & Policy) and ISMS Manual
      2. Documented Information/Procedures for ISO 27001
      3. Applicable non-mandatory but commonly used documents for ISMS
   Level of Approval: IT Governance Steering Committee / Commission
   Deadline of Submission: On or before the 70th day after receipt of the NTP

Phase 3 – Systems Implementation

3.1. Pre-Certification Assessment (PCA) & Mock Audit
   Output:
      1. PCA Report
      2. List of Non-Conformities
      3. Risk Assessment Report
      4. Risk Management Design
      5. Risk Threat Planning
      6. Implementation Controls Plan¹⁵
   Level of Approval: Oversight Commissioner
   Deadline of Submission: On or before the 75th day after receipt of the NTP

3.2. Assessment of performance against the policy, objectives, and current practices
   Output:
      1. ISMS Project Performance Report
      2. Internal Audit Report
      3. Minutes of Management Review
   Level of Approval: Oversight Commissioner
   Deadline of Submission: On or before the 75th day after receipt of the NTP / signing of contract

3.3. Continual Improvement of the ISMS
   Output: Non-conformity Assessment Report
   Level of Approval: Oversight Commissioner
   Deadline of Submission: On or before the 75th day after receipt of the NTP

Phase 4 – Verification & Project Closure¹⁶

4.1. Mock Audit, Closing and Certification Support
   Output:
      1. Mock Audit Report
      2. Non-conformity Assessment Report¹⁷
      3. ISMS Project Closure Briefer and Recommendation for the Commission
      4. ISMS Documents Sign-off
   Level of Approval: IT Governance Steering Committee / Commission
   Deadline of Submission: 120th day after receipt of the NTP

¹⁴ To be approved by the Oversight Commissioner.

¹⁵ Needs approval of the Commission.

¹⁶ Thirty (30) days allocated for the approval of the Commission.

¹⁷ After the Mock Audit.